[Federal Register Volume 75, Number 186 (Monday, September 27, 2010)]
[Notices]
[Pages 59332-59410]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-23456]
-----------------------------------------------------------------------
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on Auditing Standards Related to the Auditor's Assessment of and
Response to Risk and Related Amendments to PCAOB Standards; Notice
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-62919; File No. PCAOB-2010-01]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on Auditing Standards Related to the Auditor's
Assessment of and Response to Risk and Related Amendments to PCAOB
Standards
September 15, 2010.
Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on September 15, 2010, the Public
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'')
filed with the Securities and Exchange Commission (the ``Commission'')
the proposed rules described in Items I and II below, which items have
been prepared by the Board. The Commission is publishing this notice to
solicit comments on the proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On August 5, 2010, the Board adopted the following eight auditing
standards:
Auditing Standard No. 8, Audit Risk
Auditing Standard No. 9, Audit Planning
Auditing Standard No. 10, Supervision of the Audit Engagement
Auditing Standard No. 11, Consideration of Materiality in
Planning and Performing an Audit
Auditing Standard No. 12, Identifying and Assessing Risks of
Material Misstatement
Auditing Standard No. 13, The Auditor's Responses to the Risks
of Material Misstatement
Auditing Standard No. 14, Evaluating Audit Results
Auditing Standard No. 15, Audit Evidence
(collectively referred to as the ``Risk Assessment Standards''); and
amendments to the Board's interim auditing standards (collectively,
``the proposed rules''). The text of the Risk Assessment Standards and
amendments to the Board's interim auditing standards are set out below.
Auditing Standard No. 8
Audit Risk
Introduction
1. This standard discusses the auditor's consideration of audit
risk in an audit of financial statements as part of an integrated audit
\1\ or an audit of financial statements only.
---------------------------------------------------------------------------
\1\ When the auditor is performing an integrated audit of
financial statements and internal control over financial reporting,
the requirements in Auditing Standard No. 5, An Audit of Internal
Control Over Financial Reporting That Is Integrated with An Audit of
Financial Statements, also apply. However, the risks of material
misstatement of the financial statements are the same for both the
audit of financial statements and the audit of internal control over
financial reporting.
---------------------------------------------------------------------------
Objective
2. The objective of the auditor is to conduct the audit of
financial statements in a manner that reduces audit risk to an
appropriately low level.
Audit Risk
3. To form an appropriate basis for expressing an opinion on the
financial statements, the auditor must plan and perform the audit to
obtain reasonable assurance about whether the financial statements are
free of material misstatement \2\ due to error or fraud. Reasonable
assurance \3\ is obtained by reducing audit risk to an appropriately
low level through applying due professional care, including obtaining
sufficient appropriate audit evidence.
---------------------------------------------------------------------------
\2\ Misstatement is defined in Appendix A of Auditing Standard
No. 14, Evaluating Audit Results.
\3\ See AU sec. 110, Responsibilities and Functions of the
Independent Auditor, and paragraph .10 of AU sec. 230, Due
Professional Care in the Performance of Work, for a further
discussion of reasonable assurance.
---------------------------------------------------------------------------
4. In an audit of financial statements, audit risk is the risk that
the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated, i.e., the financial statements are
not presented fairly in conformity with the applicable financial
reporting framework. Audit risk is a function of the risk of material
misstatement and detection risk.
Note: The auditor should look to the requirements of the Securities
and Exchange Commission for the company under audit with respect to the
accounting principles applicable to that company.
Risk of Material Misstatement
5. The risk of material misstatement refers to the risk that the
financial statements are materially misstated. Auditing Standard No.
12, Identifying and Assessing Risks of Material Misstatement, indicates
that the auditor should assess the risks of material misstatement at
two levels: (1) At the financial statement level and (2) at the
assertion \4\ level.\5\
---------------------------------------------------------------------------
\4\ See Auditing Standard No. 15, Audit Evidence, for a
description of financial statement assertions.
\5\ Paragraph 59 of Auditing Standard No. 12.
---------------------------------------------------------------------------
6. Risks of material misstatement at the financial statement level
relate pervasively to the financial statements as a whole and
potentially affect many assertions. Risks of material misstatement at
the financial statement level may be especially relevant to the
auditor's consideration of the risk of material misstatement due to
fraud. For example, an ineffective control environment, a lack of
sufficient capital to continue operations, and declining conditions
affecting the company's industry might create pressures or
opportunities for management to manipulate the financial statements,
leading to higher risk of material misstatement.
7. Risk of material misstatement at the assertion level consists of
the following components:
a. Inherent risk, which refers to the susceptibility of an
assertion to a misstatement, due to error or fraud, that could be
material, individually or in combination with other misstatements,
before consideration of any related controls.
b. Control risk, which is the risk that a misstatement due to error
or fraud that could occur in an assertion and that could be material,
individually or in combination with other misstatements, will not be
prevented or detected on a timely basis by the company's internal
control. Control risk is a function of the effectiveness of the design
and operation of internal control.
8. Inherent risk and control risk are related to the company, its
environment, and its internal control, and the auditor assesses those
risks based on evidence he or she obtains. The auditor assesses
inherent risk using information obtained from performing risk
assessment procedures and considering the characteristics of the
accounts and disclosures in the financial statements.\6\ The auditor
assesses control risk using evidence obtained from tests of controls
(if the auditor plans to rely on those controls to assess control risk
at less than maximum) and from other sources.\7\
---------------------------------------------------------------------------
\6\ Paragraph 59.a. of Auditing Standard No. 12.
\7\ Paragraphs 32-34 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.
---------------------------------------------------------------------------
Detection Risk
9. In an audit of financial statements, detection risk is the risk
that the procedures performed by the auditor will not detect a
misstatement that exists and that could be material, individually or in
combination with other misstatements. Detection risk is affected by (1)
the effectiveness of the
substantive procedures and (2) their application by the auditor, i.e.,
whether the procedures were performed with due professional care.
10. The auditor uses the assessed risk of material misstatement to
determine the appropriate level of detection risk for a financial
statement assertion. The higher the risk of material misstatement, the
lower the level of detection risk needs to be in order to reduce audit
risk to an appropriately low level.
11. The auditor reduces the level of detection risk through the
nature, timing, and extent of the substantive procedures performed. As
the appropriate level of detection risk decreases, the evidence from
substantive procedures that the auditor should obtain increases.\8\
---------------------------------------------------------------------------
\8\ Paragraph 37 of Auditing Standard No. 13.
---------------------------------------------------------------------------
Auditing Standard No. 9
Audit Planning
Introduction
1. This standard establishes requirements regarding planning an
audit.
Objective
2. The objective of the auditor is to plan the audit so that the
audit is conducted effectively.
Responsibility of the Engagement Partner for Planning
3. The engagement partner \9\ is responsible for the engagement and
its performance. Accordingly, the engagement partner is responsible for
planning the audit and may seek assistance from appropriate engagement
team members in fulfilling this responsibility. Engagement team members
who assist the engagement partner with audit planning also should
comply with the relevant requirements in this standard.
---------------------------------------------------------------------------
\9\ Terms defined in Appendix A, Definitions, are set in
boldface type the first time they appear.
---------------------------------------------------------------------------
Planning an Audit
4. The auditor should properly plan the audit. This standard
describes the auditor's responsibilities for properly planning the
audit.\10\
---------------------------------------------------------------------------
\10\ The term, ``auditor,'' as used in this standard,
encompasses both the engagement partner and the engagement team
members who assist the engagement partner in planning the audit.
---------------------------------------------------------------------------
5. Planning the audit includes establishing the overall audit
strategy for the engagement and developing an audit plan, which
includes, in particular, planned risk assessment procedures and planned
responses to the risks of material misstatement. Planning is not a
discrete phase of an audit but, rather, a continual and iterative
process that might begin shortly after (or in connection with) the
completion of the previous audit and continues until the completion of
the current audit.
Preliminary Engagement Activities
6. The auditor should perform the following activities at the
beginning of the audit:
a. Perform procedures regarding the continuance of the client
relationship and the specific audit engagement,\11\
---------------------------------------------------------------------------
\11\ Paragraphs .14-.16 of QC sec. 20, System of Quality Control
for a CPA Firm's Accounting and Auditing Practice. AU sec. 161, The
Relationship of Generally Accepted Auditing Standards to Quality
Control Standards, explains how the quality control standards relate
to the conduct of audits.
---------------------------------------------------------------------------
b. Determine compliance with independence and ethics requirements,
and
Note: The determination of compliance with independence and ethics
requirements is not limited to preliminary engagement activities and
should be reevaluated with changes in circumstances.
c. Establish an understanding with the client regarding the
services to be performed on the engagement.\12\
---------------------------------------------------------------------------
\12\ AU sec. 310, Appointment of the Independent Auditor.
---------------------------------------------------------------------------
Planning Activities
7. The nature and extent of planning activities that are necessary
depend on the size and complexity of the company, the auditor's
previous experience with the company, and changes in circumstances that
occur during the audit. When developing the audit strategy and audit
plan, as discussed in paragraphs 8-10, the auditor should evaluate
whether the following matters are important to the company's financial
statements and internal control over financial reporting and, if so,
how they will affect the auditor's procedures:
Knowledge of the company's internal control over financial
reporting obtained during other engagements performed by the auditor;
Matters affecting the industry in which the company
operates, such as financial reporting practices, economic conditions,
laws and regulations, and technological changes;
Matters relating to the company's business, including its
organization, operating characteristics, and capital structure;
The extent of recent changes, if any, in the company, its
operations, or its internal control over financial reporting;
The auditor's preliminary judgments about materiality,\13\
risk, and, in integrated audits, other factors relating to the
determination of material weaknesses;
---------------------------------------------------------------------------
\13\ Auditing Standard No. 11, Consideration of Materiality in
Planning and Performing an Audit.
---------------------------------------------------------------------------
Control deficiencies previously communicated to the audit
committee \14\ or management;
---------------------------------------------------------------------------
\14\ If no audit committee exists, all references to the audit
committee in this standard apply to the entire board of directors of
the company. See 15 U.S.C. §§ 78c(a)58 and 7201(a)(3).
---------------------------------------------------------------------------
Legal or regulatory matters of which the company is aware;
The type and extent of available evidence related to the
effectiveness of the company's internal control over financial
reporting;
Preliminary judgments about the effectiveness of internal
control over financial reporting;
Public information about the company relevant to the
evaluation of the likelihood of material financial statement
misstatements and the effectiveness of the company's internal control
over financial reporting;
Knowledge about risks related to the company evaluated as
part of the auditor's client acceptance and retention evaluation; and
The relative complexity of the company's operations.
Note: Many smaller companies have less complex operations.
Additionally, some larger, complex companies may have less complex
units or processes. Factors that might indicate less complex operations
include: fewer business lines; less complex business processes and
financial reporting systems; more centralized accounting functions;
extensive involvement by senior management in the day-to-day activities
of the business; and fewer levels of management, each with a wide span
of control.
Audit Strategy
8. The auditor should establish an overall audit strategy that sets
the scope, timing, and direction of the audit and guides the
development of the audit plan.
9. In establishing the overall audit strategy, the auditor should
take into account:
a. The reporting objectives of the engagement and the nature of the
communications required by PCAOB standards,\15\
---------------------------------------------------------------------------
\15\ See, e.g., AU sec. 310 and AU sec. 380, Communication With
Audit Committees. Also, various laws or regulations require other
matters to be communicated. (See, e.g., Rule 2-07 of Regulation S-X,
17 CFR 210.2-07; and Rule 10A-3 under the Securities Exchange Act of
1934, 17 CFR 240.10A-3.) The requirements of this standard do not
modify communications required by those other laws or regulations.
---------------------------------------------------------------------------
b. The factors that are significant in directing the activities of
the engagement team,\16\
---------------------------------------------------------------------------
\16\ See, e.g., paragraph 6 of Auditing Standard No. 10,
Supervision of the Audit Engagement.
---------------------------------------------------------------------------
c. The results of preliminary engagement activities \17\ and the
auditor's evaluation of the important matters in accordance with
paragraph 7 of this standard, and
---------------------------------------------------------------------------
\17\ Paragraph 6 of this standard.
---------------------------------------------------------------------------
d. The nature, timing, and extent of resources necessary to perform
the engagement.\18\
---------------------------------------------------------------------------
\18\ See, e.g., paragraph .06 of AU sec. 230, Due Professional
Care in the Performance of Work, paragraph 16 of this standard, and
paragraph 5.a. of Auditing Standard No. 13, The Auditor's Responses
to the Risks of Material Misstatement.
---------------------------------------------------------------------------
Audit Plan
10. The auditor should develop and document an audit plan that
includes a description of:
a. The planned nature, timing, and extent of the risk assessment
procedures; \19\
---------------------------------------------------------------------------
\19\ Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
---------------------------------------------------------------------------
b. The planned nature, timing, and extent of tests of controls and
substantive procedures; \20\ and
---------------------------------------------------------------------------
\20\ Auditing Standard No. 13 and Auditing Standard No. 5, An
Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
c. Other planned audit procedures required to be performed so that
the engagement complies with PCAOB standards.
Multi-Location Engagements
11. In an audit of the financial statements of a company with
operations in multiple locations or business units,\21\ the auditor
should determine the extent to which audit procedures should be
performed at selected locations or business units to obtain sufficient
appropriate evidence to obtain reasonable assurance about whether the
consolidated financial statements are free of material misstatement.
This includes determining the locations or business units at which to
perform audit procedures, as well as the nature, timing, and extent of
the procedures to be performed at those individual locations or
business units. The auditor should assess the risks of material
misstatement to the consolidated financial statements associated with
the location or business unit and correlate the amount of audit
attention devoted to the location or business unit with the degree of
risk of material misstatement associated with that location or business
unit.
---------------------------------------------------------------------------
\21\ The term ``business units'' includes subsidiaries,
divisions, branches, components, or investments.
---------------------------------------------------------------------------
12. Factors that are relevant to the assessment of the risks of
material misstatement associated with a particular location or business
unit and the determination of the necessary audit procedures include:
a. The nature and amount of assets, liabilities, and transactions
executed at the location or business unit, including, e.g., significant
transactions executed at the location or business unit that are outside
the normal course of business for the company, or that otherwise appear
to be unusual given the auditor's understanding of the company and its
environment; \22\
---------------------------------------------------------------------------
\22\ Paragraph .66 of AU sec. 316, Consideration of Fraud in a
Financial Statement Audit.
---------------------------------------------------------------------------
b. The materiality of the location or business unit; \23\
---------------------------------------------------------------------------
\23\ Paragraph 10 of Auditing Standard No. 11 describes the
consideration of materiality in planning and performing audit
procedures at an individual location or business unit.
---------------------------------------------------------------------------
c. The specific risks associated with the location or business unit
that present a reasonable possibility\24\ of material misstatement to
the company's consolidated financial statements;
---------------------------------------------------------------------------
\24\ There is a reasonable possibility of an event, as used in
this standard, when the likelihood of the event is either
``reasonably possible'' or ``probable,'' as those terms are used in
the FASB Accounting Standards Codification, Contingencies Topic,
paragraph 450-20-25-1.
---------------------------------------------------------------------------
d. Whether the risks of material misstatement associated with the
location or business unit apply to other locations or business units
such that, in combination, they present a reasonable possibility of
material misstatement to the company's consolidated financial
statements;
e. The degree of centralization of records or information
processing;
f. The effectiveness of the control environment, particularly with
respect to management's control over the exercise of authority
delegated to others and its ability to effectively supervise activities
at the location or business unit; and
g. The frequency, timing, and scope of monitoring activities by the
company or others at the location or business unit.
Note: When performing an audit of internal control over financial
reporting, refer to Appendix B, Special Topics, of Auditing Standard
No. 5\25\ for considerations when a company has multiple locations or
business units.
---------------------------------------------------------------------------
\25\ Paragraphs B10-B16 of Auditing Standard No. 5.
---------------------------------------------------------------------------
13. In determining the locations or business units at which to
perform audit procedures, the auditor may take into account relevant
activities performed by internal audit, as described in AU sec. 322,
The Auditor's Consideration of the Internal Audit Function in an Audit
of Financial Statements, or others, as described in Auditing Standard
No. 5. AU sec. 322 and Auditing Standard No. 5 establish requirements
regarding using the work of internal audit and others, respectively.
14. AU sec. 543, Part of Audit Performed by Other Independent
Auditors, describes the auditor's responsibilities regarding using the
work and reports of other independent auditors who audit the financial
statements of one or more of the locations or business units that are
included in the consolidated financial statements.\26\ In those
situations, the auditor should perform the procedures in paragraphs 11-13
of this standard to determine the locations or business units at
which audit procedures should be performed.
---------------------------------------------------------------------------
\26\ For integrated audits, see also paragraphs C8-C11 of
Auditing Standard No. 5.
---------------------------------------------------------------------------
Changes During the Course of the Audit
15. The auditor should modify the overall audit strategy and the
audit plan as necessary if circumstances change significantly during
the course of the audit, including changes due to a revised assessment
of the risks of material misstatement or the discovery of a previously
unidentified risk of material misstatement.
Persons With Specialized Skill or Knowledge
16. The auditor should determine whether specialized skill or
knowledge is needed to perform appropriate risk assessments, plan or
perform audit procedures, or evaluate audit results.
17. If a person with specialized skill or knowledge employed or
engaged by the auditor participates in the audit, the auditor should
have sufficient knowledge of the subject matter to be addressed by such
a person to enable the auditor to:
a. Communicate the objectives of that person's work;
b. Determine whether that person's procedures meet the auditor's
objectives; and
c. Evaluate the results of that person's procedures as they relate
to the nature, timing, and extent of other planned audit procedures and
the effects on the auditor's report.
Additional Considerations in Initial Audits
18. The auditor should undertake the following activities before
starting an initial audit:
a. Perform procedures regarding the acceptance of the client
relationship and the specific audit engagement; and
b. Communicate with the predecessor auditor in situations in which
there has been a change of auditors in accordance with AU sec. 315,
Communications Between Predecessor and Successor Auditors.
19. The purpose and objective of planning the audit are the same
for an initial audit or a recurring audit engagement. However, for an
initial audit, the auditor should determine the additional planning
activities necessary to establish an appropriate audit strategy and
audit plan, including determining the audit procedures necessary to
obtain sufficient appropriate audit evidence regarding the opening
balances.\27\
---------------------------------------------------------------------------
\27\ See also paragraph 3 of Auditing Standard No. 6, Evaluating
Consistency of Financial Statements.
---------------------------------------------------------------------------
Appendix A--Definition
A1. For purposes of this standard, the term listed below is defined
as follows:
A2. Engagement partner--The member of the engagement team with
primary responsibility for the audit.
Auditing Standard No. 10
Supervision of the Audit Engagement
Introduction
1. This standard establishes requirements regarding supervision of
the audit engagement, including supervising the work of engagement team
members.
Objective
2. The objective of the auditor is to supervise the audit
engagement, including supervising the work of engagement team members
so that the work is performed as directed and supports the conclusions
reached.
Responsibility of the Engagement Partner for Supervision
3. The engagement partner \28\ is responsible for the engagement
and its performance. Accordingly, the engagement partner is responsible
for proper supervision of the work of engagement team members and for
compliance with PCAOB standards, including standards regarding using
the work of specialists,\29\ other auditors,\30\ internal auditors,\31\
and others who are involved in testing controls.\32\ Paragraphs 5-6 of
this standard describe the nature and extent of supervisory activities
necessary for proper supervision of engagement team members.\33\
---------------------------------------------------------------------------
\28\ Terms defined in Appendix A, Definitions, are set in
boldface type the first time they appear.
\29\ AU sec. 336, Using the Work of a Specialist.
\30\ AU sec. 543, Part of Audit Performed by Other Independent
Auditors.
\31\ AU sec. 322, The Auditor's Consideration of the Internal
Audit Function in an Audit of Financial Statements.
\32\ Paragraphs 16-19 of Auditing Standard No. 5, An Audit of
Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements.
\33\ See also paragraph .06 of AU sec. 230, Due Professional
Care in the Performance of Work.
---------------------------------------------------------------------------
4. The engagement partner may seek assistance from appropriate
engagement team members in fulfilling his or her responsibilities
pursuant to this standard. Engagement team members who assist the
engagement partner with supervision of the work of other engagement
team members also should comply with the requirements in this standard
with respect to the supervisory responsibilities assigned to them.
Supervision of Engagement Team Members
5. The engagement partner and, as applicable, other engagement team
members performing supervisory activities, should:
a. Inform engagement team members of their responsibilities,\34\
including:
---------------------------------------------------------------------------
\34\ AU sec. 230.06 and paragraph 5 of Auditing Standard No. 13,
The Auditor's Responses to the Risks of Material Misstatement,
establish requirements regarding the appropriate assignment of
engagement team members.
---------------------------------------------------------------------------
(1) The objectives of the procedures that they are to perform;
(2) The nature, timing, and extent of procedures they are to
perform; and
(3) Matters that could affect the procedures to be performed or the
evaluation of the results of those procedures, including relevant
aspects of the company, its environment, and its internal control over
financial reporting,\35\ and possible accounting and auditing issues;
---------------------------------------------------------------------------
\35\ Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement, describes the auditor's responsibilities
for obtaining an understanding of the company, its environment, and
its internal control over financial reporting.
---------------------------------------------------------------------------
b. Direct engagement team members to bring significant accounting
and auditing issues arising during the audit to the attention of the
engagement partner or other engagement team members performing
supervisory activities so they can evaluate those issues and determine
that appropriate actions are taken in accordance with PCAOB standards;
\36\
---------------------------------------------------------------------------
\36\ See, e.g., paragraph 15 of Auditing Standard No. 9, Audit
Planning, paragraph 74 of Auditing Standard No. 12, and paragraphs
20-23 and 35-36 of Auditing Standard No. 14, Evaluating Audit
Results.
---------------------------------------------------------------------------
Note: In applying due professional care in accordance with AU sec.
230, each engagement team member has a responsibility to bring to the
attention of appropriate persons, disagreements or concerns the
engagement team member might have with respect to accounting and
auditing issues that he or she believes are of significance to the
financial statements or the auditor's report regardless of how those
disagreements or concerns may have arisen.
c. Review the work of engagement team members to evaluate whether:
(1) The work was performed and documented;
(2) The objectives of the procedures were achieved; and
(3) The results of the work support the conclusions reached.\37\
---------------------------------------------------------------------------
\37\ Auditing Standard No. 14 describes the auditor's
responsibilities for evaluating the results of the audit, and
Auditing Standard No. 3, Audit Documentation, establishes
requirements regarding audit documentation.
---------------------------------------------------------------------------
6. To determine the extent of supervision necessary for engagement
team members to perform their work as directed and form appropriate
conclusions, the engagement partner and other engagement team members
performing supervisory activities should take into account:
a. The nature of the company, including its size and complexity;
\38\
---------------------------------------------------------------------------
\38\ Paragraph 10 of Auditing Standard No. 12.
---------------------------------------------------------------------------
b. The nature of the assigned work for each engagement team member,
including:
(1) The procedures to be performed, and
(2) The controls or accounts and disclosures to be tested;
c. The risks of material misstatement; and
d. The knowledge, skill, and ability of each engagement team
member.\39\
---------------------------------------------------------------------------
\39\ See also paragraph 5.a. of Auditing Standard No. 13 and AU
sec. 230.06.
---------------------------------------------------------------------------
Note: In accordance with the requirements of paragraph 5 of
Auditing Standard No. 13, The Auditor's Responses to the Risks of
Material Misstatement, the extent of supervision of engagement team
members should be commensurate with the risks of material
misstatement.\40\
---------------------------------------------------------------------------
\40\ Paragraph 5.b. of Auditing Standard No. 13 indicates that
the extent of supervision of engagement team members is part of the
auditor's overall responses to the risks of material misstatement.
---------------------------------------------------------------------------
Appendix A--Definition
A1. For purposes of this standard, the term listed below is defined
as follows:
A2. Engagement partner--The member of the engagement team with
primary responsibility for the audit.
[[Page 59336]]
Auditing Standard No. 11
Consideration of Materiality in Planning and Performing an Audit
Introduction
1. This standard establishes requirements regarding the auditor's
consideration of materiality in planning and performing an audit.\41\
---------------------------------------------------------------------------
\41\ Auditing Standard No. 14 establishes requirements regarding
the auditor's consideration of materiality in evaluating audit
results.
---------------------------------------------------------------------------
Materiality in the Context of an Audit
2. In interpreting the federal securities laws, the Supreme Court
of the United States has held that a fact is material if there is ``a
substantial likelihood that the * * * fact would have been viewed by
the reasonable investor as having significantly altered the `total mix'
of information made available.'' \42\ As the Supreme Court has noted,
determinations of materiality require ``delicate assessments of the
inferences a `reasonable shareholder' would draw from a given set of
facts and the significance of those inferences to him * * *.'' \43\
---------------------------------------------------------------------------
\42\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976).
See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
\43\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------
3. To obtain reasonable assurance about whether the financial
statements are free of material misstatement, the auditor should plan
and perform audit procedures to detect misstatements that, individually
or in combination with other misstatements, would result in material
misstatement of the financial statements. This includes being alert
while planning and performing audit procedures for misstatements that
could be material due to quantitative or qualitative factors. Also, the
evaluation of uncorrected misstatements in accordance with Auditing
Standard No. 14, Evaluating Audit Results, requires consideration of
both qualitative and quantitative factors.\44\ However, it ordinarily
is not practical to design audit procedures to detect misstatements
that are material based solely on qualitative factors.
---------------------------------------------------------------------------
\44\ Appendix B of Auditing Standard No. 14.
---------------------------------------------------------------------------
4. For integrated audits, Auditing Standard No. 5, An Audit of
Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements, states, ``In planning the audit of
internal control over financial reporting, the auditor should use the
same materiality considerations he or she would use in planning the
audit of the company's annual financial statements.'' \45\
---------------------------------------------------------------------------
\45\ Paragraph 20 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Objective
5. The objective of the auditor is to apply the concept of
materiality appropriately in planning and performing audit procedures.
Considering Materiality in Planning and Performing an Audit
Establishing a Materiality Level for the Financial Statements as a
Whole
6. To plan the nature, timing, and extent of audit procedures, the
auditor should establish a materiality level for the financial
statements as a whole that is appropriate in light of the particular
circumstances. This includes consideration of the company's earnings
and other relevant factors. To determine the nature, timing, and extent
of audit procedures, the materiality level for the financial statements
as a whole needs to be expressed as a specified amount.
Note: If financial statements for the audit period are not
available, the auditor may establish an initial materiality level based
on estimated or preliminary financial statement amounts. In those
situations, the auditor should take into account the effects of known
or expected changes in the company's financial statements, including
significant transactions or adjustments that are expected to be
reflected in the financial statements at the end of the period.
Establishing Materiality Levels for Particular Accounts or Disclosures
7. The auditor should evaluate whether, in light of the particular
circumstances, there are certain accounts or disclosures for which
there is a substantial likelihood that misstatements of lesser amounts
than the materiality level established for the financial statements as
a whole would influence the judgment of a reasonable investor. If so,
the auditor should establish separate materiality levels for those
accounts or disclosures to plan the nature, timing, and extent of audit
procedures for those accounts or disclosures.
Note: Lesser amounts of misstatements could influence the judgment
of a reasonable investor because of qualitative factors, e.g., because
of the sensitivity of circumstances surrounding misstatements, such as
conflicts of interest in related party transactions.
Determining Tolerable Misstatement
8. The auditor should determine the amount or amounts of tolerable
misstatement for purposes of assessing risks of material misstatement
and planning and performing audit procedures at the account or
disclosure level. The auditor should determine tolerable misstatement
at an amount or amounts that reduce to an appropriately low level the
probability that the total of uncorrected and undetected misstatements
would result in material misstatement of the financial statements.
Accordingly, tolerable misstatement should be less than the materiality
level for the financial statements as a whole and, if applicable, the
materiality level or levels for particular accounts or disclosures.
9. In determining tolerable misstatement and planning and
performing audit procedures, the auditor should take into account the
nature, cause (if known), and amount of misstatements that were
accumulated in audits of the financial statements of prior periods.
Considerations for Multi-Location Engagements
10. For purposes of the audit of the consolidated financial
statements of a company with multiple locations or business units, the
auditor should determine tolerable misstatement for the individual
locations or business units at an amount that reduces to an
appropriately low level the probability that the total of uncorrected
and undetected misstatements would result in material misstatement of
the consolidated financial statements. Accordingly, tolerable
misstatement at an individual location should be less than the
materiality level for the financial statements as a whole.
Considerations as the Audit Progresses
11. The auditor should reevaluate the established materiality level
or levels and tolerable misstatement when, because of changes in the
particular circumstances or additional information that comes to the
auditor's attention, there is a substantial likelihood that
misstatements of amounts that differ significantly from the materiality
level or levels that were established initially would influence the
judgment of a reasonable investor. Situations in which changes in
circumstances or additional information that comes to the auditor's
attention would require such reevaluation include:
a. The materiality level or levels and tolerable misstatement were
established initially based on estimated or preliminary financial
statement amounts that differ significantly from actual amounts.
b. Events or changes in conditions occurring after the materiality
level or levels and tolerable misstatement were established initially
are likely to affect
[[Page 59337]]
investors' perceptions about the company's financial position, results
of operations, or cash flows.
Note: Examples of such events or changes in conditions include (1)
changes in laws, regulations, or the applicable financial reporting
framework that affect investors' expectations about the measurement or
disclosure of certain items and (2) significant new contractual
arrangements that draw attention to a particular aspect of a company's
business that is separately disclosed in the financial statements.
12. If the auditor's reevaluation results in a lower amount for the
materiality level or levels or tolerable misstatement than initially
established by the auditor, the auditor should (1) evaluate the effect,
if any, of the lower amount or amounts on his or her risk assessments
and audit procedures and (2) modify the nature, timing, and extent of
audit procedures as necessary to obtain sufficient appropriate audit
evidence.
Note: The reevaluation of the materiality level or levels and
tolerable misstatement is also relevant to the auditor's evaluation of
uncorrected misstatements in accordance with Auditing Standard No.
14.\46\
---------------------------------------------------------------------------
\46\ Paragraph 17 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 12
Identifying and Assessing Risks of Material Misstatement
Introduction
1. This standard establishes requirements regarding the process of
identifying and assessing risks of material misstatement \47\ of the
financial statements.
---------------------------------------------------------------------------
\47\ Paragraphs 5-8 of Auditing Standard No. 8, Audit Risk.
---------------------------------------------------------------------------
2. Paragraphs 4-58 of this standard discuss the auditor's
responsibilities for performing risk assessment procedures.\48\
Paragraphs 59-73 of this standard discuss identifying and assessing the
risks of material misstatement using information obtained from
performing risk assessment procedures.
---------------------------------------------------------------------------
\48\ Terms defined in Appendix A, Definitions, are set in
boldface type the first time they appear.
---------------------------------------------------------------------------
Objective
3. The objective of the auditor is to identify and appropriately
assess the risks of material misstatement, thereby providing a basis
for designing and implementing responses to the risks of material
misstatement.
Performing Risk Assessment Procedures
4. The auditor should perform risk assessment procedures that are
sufficient to provide a reasonable basis for identifying and assessing
the risks of material misstatement, whether due to error or fraud,\49\
and designing further audit procedures.\50\
---------------------------------------------------------------------------
\49\ AU sec. 316, Consideration of Fraud in a Financial
Statement Audit, discusses fraud, its characteristics, and the types
of misstatements due to fraud that are relevant to the audit, i.e.,
misstatements arising from fraudulent financial reporting and
misstatements arising from asset misappropriation.
\50\ Auditing Standard No. 15, Audit Evidence, describes further
audit procedures as consisting of tests of controls and substantive
procedures.
---------------------------------------------------------------------------
5. Risks of material misstatement can arise from a variety of
sources, including external factors, such as conditions in the
company's industry and environment, and company-specific factors, such
as the nature of the company, its activities, and internal control over
financial reporting. For example, external or company-specific factors
can affect the judgments involved in determining accounting estimates
or create pressures to manipulate the financial statements to achieve
certain financial targets. Also, risks of material misstatement may
relate to, e.g., personnel who lack the necessary financial reporting
competencies, information systems that fail to accurately capture
business transactions, or financial reporting processes that are not
adequately aligned with the requirements in the applicable financial
reporting framework. Thus, the audit procedures that are necessary to
identify and appropriately assess the risks of material misstatement
include consideration of both external factors and company-specific
factors. This standard discusses the following risk assessment
procedures:
a. Obtaining an understanding of the company and its environment
(paragraphs 7-17);
b. Obtaining an understanding of internal control over financial
reporting (paragraphs 18-40);
c. Considering information from the client acceptance and retention
evaluation, audit planning activities, past audits, and other
engagements performed for the company (paragraphs 41-45);
d. Performing analytical procedures (paragraphs 46-48);
e. Conducting a discussion among engagement team members regarding
the risks of material misstatement (paragraphs 49-53); and
f. Inquiring of the audit committee, management, and others within
the company about the risks of material misstatement (paragraphs 54-
58).
Note: This standard describes an approach to identifying and
assessing risks of material misstatement that begins at the financial
statement level and with the auditor's overall understanding of the
company and its environment and works down to the significant accounts
and disclosures and their relevant assertions.\51\
---------------------------------------------------------------------------
\51\ Paragraph 11 of Auditing Standard No. 15 discusses
financial statement assertions.
---------------------------------------------------------------------------
6. In an integrated audit, the risks of material misstatement of
the financial statements are the same for both the audit of internal
control over financial reporting and the audit of financial statements.
The auditor's risk assessment procedures should apply to both the audit
of internal control over financial reporting and the audit of financial
statements.
Obtaining an Understanding of the Company and Its Environment
7. The auditor should obtain an understanding of the company and
its environment (``understanding of the company'') to understand the
events, conditions, and company activities that might reasonably be
expected to have a significant effect on the risks of material
misstatement. Obtaining an understanding of the company includes
understanding:
a. Relevant industry, regulatory, and other external factors;
b. The nature of the company;
c. The company's selection and application of accounting
principles, including related disclosures;
d. The company's objectives and strategies and those related
business risks that might reasonably be expected to result in risks of
material misstatement; and
e. The company's measurement and analysis of its financial
performance.
8. In obtaining an understanding of the company, the auditor should
evaluate whether significant changes in the company from prior periods,
including changes in its internal control over financial reporting,
affect the risks of material misstatement.
Industry, Regulatory, and Other External Factors
9. Obtaining an understanding of relevant industry, regulatory, and
other external factors encompasses industry factors, including the
competitive environment and technological developments; the regulatory
environment, including the applicable
[[Page 59338]]
financial reporting framework \52\ and the legal and political
environment; \53\ and external factors, including general economic
conditions.
---------------------------------------------------------------------------
\52\ The auditor should look to the requirements of the
Securities and Exchange Commission for the company under audit with
respect to the accounting principles applicable to that company.
\53\ AU sec. 317, Illegal Acts by Clients, discusses the
auditor's consideration of laws and regulations relevant to the
audit.
---------------------------------------------------------------------------
Nature of the Company
10. Obtaining an understanding of the nature of the company
includes understanding:
- The company's organizational structure and management
personnel;
- The sources of funding of the company's operations and
investment activities, including the company's capital structure,
noncapital funding (e.g., subordinated debt or dependencies on supplier
financing), and other debt instruments;
- The company's significant investments, including equity
method investments, joint ventures, and variable interest entities;
- The company's operating characteristics, including its
size and complexity;
Note: The size and complexity of a company might affect the risks
of misstatement and how the company addresses those risks.
- The sources of the company's earnings, including the
relative profitability of key products and services; and
- Key supplier and customer relationships.
Note: The auditor should take into account the information gathered
while obtaining an understanding of the nature of the company when
determining the existence of related parties in accordance with AU sec.
334, Related Parties.
11. As part of obtaining an understanding of the company as
required by paragraph 7, the auditor should consider performing the
following procedures and the extent to which the procedures should be
performed:
- Reading public information about the company relevant to
the evaluation of the likelihood of material financial statement
misstatements and, in an integrated audit, the effectiveness of the
company's internal control over financial reporting, e.g., company-
issued press releases, company-prepared presentation materials for
analysts or investor groups, and analyst reports;
- Observing or reading transcripts of earnings calls and, to
the extent publicly available, other meetings with investors or rating
agencies;
- Obtaining an understanding of compensation arrangements
with senior management, including incentive compensation arrangements,
changes or adjustments to those arrangements, and special bonuses; and
- Obtaining information about trading activity in the
company's securities and holdings in the company's securities by
significant holders to identify potentially significant unusual
developments (e.g., from Forms 3, 4, 5, 13D, and 13G).
Selection and Application of Accounting Principles, Including Related
Disclosures
12. As part of obtaining an understanding of the company's
selection and application of accounting principles, including related
disclosures, the auditor should evaluate whether the company's
selection and application of accounting principles are appropriate for
its business and consistent with the applicable financial reporting
framework and accounting principles used in the relevant industry.
Also, to identify and assess risks of material misstatement related to
omitted, incomplete, or inaccurate disclosures, the auditor should
develop expectations about the disclosures that are necessary for the
company's financial statements to be presented fairly in conformity
with the applicable financial reporting framework.
13. The following matters, if present, are relevant to the
necessary understanding of the company's selection and application of
accounting principles, including related disclosures:
- Significant changes in the company's accounting
principles, financial reporting policies, or disclosures and the
reasons for such changes;
- The financial reporting competencies of personnel involved
in selecting and applying significant new or complex accounting
principles;
- The accounts or disclosures for which judgment is used in
the application of significant accounting principles, especially in
determining management's estimates and assumptions;
- The effect of significant accounting principles in
controversial or emerging areas for which there is a lack of
authoritative guidance or consensus;
- The methods the company uses to account for significant
and unusual transactions; and
- Financial reporting standards and laws and regulations
that are new to the company, including when and how the company will
adopt such requirements.
Company Objectives, Strategies, and Related Business Risks
14. The purpose of obtaining an understanding of the company's
objectives, strategies, and related business risks is to identify
business risks that could reasonably be expected to result in material
misstatement of the financial statements.
Note: Some relevant business risks might be identified through
other risk assessment procedures, such as obtaining an understanding of
the nature of the company and understanding industry, regulatory, and
other external factors.
15. The following are examples of situations in which business
risks might result in material misstatement of the financial
statements:
- Industry developments (a potential related business risk
might be, e.g., that the company does not have the personnel or
expertise to deal with the changes in the industry.)
- New products and services (a potential related business
risk might be, e.g., that the new product or service will not be
successful.)
- Use of information technology (``IT'') (a potential
related business risk might be, e.g., that systems and processes are
incompatible.)
- New accounting requirements (a potential related business
risk might be, e.g., incomplete or improper implementation of a new
accounting requirement.)
- Expansion of the business (a potential related business
risk might be, e.g., that the demand for the company's products or
services has not been accurately estimated.)
- The effects of implementing a strategy, particularly any
effects that will lead to new accounting requirements (a potential
related business risk might be, e.g., incomplete or improper
implementation of the strategy.)
- Current and prospective financing requirements (a
potential related business risk might be, e.g., the loss of financing
due to the company's inability to meet financing requirements.)
- Regulatory requirements (a potential related business risk
might be, e.g., that there is increased legal exposure.)
Note: Business risks could affect risks of material misstatement at
the financial statement level, which would affect many accounts and
disclosures in the financial statements. For example, a company's loss
of financing or declining conditions affecting the company's
[[Page 59339]]
industry could affect its ability to settle its obligations when due.
This, in turn, could affect the risks of material misstatement related
to, e.g., the classification of long-term liabilities or valuation of
long-term assets, or it could result in substantial doubt about the
company's ability to continue as a going concern. Other business risks
could affect the risks of material misstatement for particular
accounts, disclosures, or assertions. For example, an unsuccessful new
product or service or failed business expansion might affect the risks
of material misstatement related to the valuation of inventory and
other related assets.
Company Performance Measures
16. The purpose of obtaining an understanding of the company's
performance measures is to identify performance measures, whether
external or internal, that affect the risks of material misstatement.
17. The following are examples of performance measures that might
affect the risks of material misstatement:
- Measures that form the basis for contractual commitments
or incentive compensation arrangements;
- Measures used by external parties, such as analysts and
rating agencies, to review the company's performance; and
- Measures the company uses to monitor its operations that
highlight unexpected results or trends that prompt management to
investigate their cause and take corrective action, including
correction of misstatements.
Note: The first two examples represent performance measures that
can affect the risks of material misstatement by creating incentives or
pressures for management of the company to manipulate certain accounts
or disclosures to achieve certain performance targets (or conceal a
failure to achieve those targets). The third example represents
performance measures that management might use to monitor risks
affecting the financial statements.
Note: Smaller companies might have less formal processes to measure
and review financial performance. In such cases, the auditor might
identify relevant performance measures by considering the information
that the company uses to manage the business.
Obtaining an Understanding of Internal Control Over Financial Reporting
18. The auditor should obtain a sufficient understanding of each
component \54\ of internal control over financial reporting
(``understanding of internal control'') to (a) identify the types of
potential misstatements, (b) assess the factors that affect the risks
of material misstatement, and (c) design further audit procedures.
---------------------------------------------------------------------------
\54\ Paragraphs 21-22 of this standard discuss components of
internal control over financial reporting.
---------------------------------------------------------------------------
19. The nature, timing, and extent of procedures that are necessary
to obtain an understanding of internal control depend on the size and
complexity of the company; \55\ the auditor's existing knowledge of the
company's internal control over financial reporting; the nature of the
company's controls, including the company's use of IT; the nature and
extent of changes in systems and operations; and the nature of the
company's documentation of its internal control over financial
reporting.
---------------------------------------------------------------------------
\55\ Paragraph 13 of Auditing Standard No. 5, An Audit of
Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements, states, ``The size and complexity of
the company, its business processes, and business units, may affect
the way in which the company achieves many of its control
objectives. The size and complexity of the company also might affect
the risks of misstatement and the controls necessary to address
those risks.''
---------------------------------------------------------------------------
Note: The auditor also might obtain an understanding of certain
controls that are not part of internal control over financial
reporting, e.g., controls over the completeness and accuracy of
operating or other nonfinancial information used as audit evidence.\56\
---------------------------------------------------------------------------
\56\ Paragraph 10 of Auditing Standard No. 15.
---------------------------------------------------------------------------
20. Obtaining an understanding of internal control includes
evaluating the design of controls that are relevant to the audit and
determining whether the controls have been implemented.
Note: Procedures the auditor performs to obtain evidence about
design effectiveness include inquiry of appropriate personnel,
observation of the company's operations, and inspection of relevant
documentation. Walkthroughs, as described in paragraphs 37-38, that
include these procedures ordinarily are sufficient to evaluate design
effectiveness.
Note: Determining whether a control has been implemented means
determining whether the control exists and whether the company is using
it. The procedures to determine whether a control has been implemented
may be performed in connection with the evaluation of its design.
Procedures performed to determine whether a control has been
implemented include inquiry of appropriate personnel, in combination
with observation of the application of controls or inspection of
documentation. Walkthroughs, as described in paragraphs 37-38, that
include these procedures ordinarily are sufficient to determine whether
a control has been implemented.
21. Internal control over financial reporting can be described as
consisting of the following components: \57\
---------------------------------------------------------------------------
\57\ Different internal control frameworks use different terms
and approaches to describe the components of internal control over
financial reporting.
---------------------------------------------------------------------------
- The control environment,
- The company's risk assessment process,
- Information and communication,
- Control activities, and
- Monitoring of controls.
22. Management might use an internal control framework with
components that differ from the components identified in the preceding
paragraph when establishing and maintaining the company's internal
control over financial reporting. In evaluating the design of controls
and determining whether they have been implemented in an audit of
financial statements only, the auditor may use the framework used by
management or another suitable, recognized framework.\58\ For
integrated audits, Auditing Standard No. 5 states, ``The auditor
should use the same suitable, recognized control framework to perform
his or her audit of internal control over financial reporting as
management uses for its annual evaluation of the effectiveness of the
company's internal control over financial reporting.'' \59\ If the
auditor uses a suitable, recognized internal control framework with
components that differ from those listed in the preceding paragraph,
the auditor should adapt the requirements in paragraphs 23-36 of this
standard to conform to the components in the framework used.
---------------------------------------------------------------------------
\58\ See Securities Exchange Act Release No. 34-47986 (June 5,
2003) for a description of the characteristics of a suitable,
recognized framework.
\59\ Paragraph 5 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Control Environment
23. The auditor should obtain an understanding of the company's
control environment, including the policies and actions of management,
the board, and the audit committee concerning the company's control
environment.
24. Obtaining an understanding of the control environment includes
assessing:
- Whether management's philosophy and operating style
promote effective internal control over financial reporting;
- Whether sound integrity and ethical values, particularly
of top management, are developed and understood; and
- Whether the board or audit committee understands and
exercises oversight responsibility over financial reporting and
internal control.
Note: In an audit of financial statements only, this assessment may
be based on the evidence obtained in
[[Page 59340]]
understanding the control environment, in accordance with paragraph 23,
and the other relevant knowledge possessed by the auditor. In an
integrated audit of financial statements and internal control over
financial reporting, Auditing Standard No. 5 \60\ describes the
auditor's responsibility for evaluating the control environment.
---------------------------------------------------------------------------
\60\ Paragraph 25 of Auditing Standard No. 5.
---------------------------------------------------------------------------
25. If the auditor identifies a control deficiency \61\ in the
company's control environment, the auditor should evaluate the extent
to which this control deficiency is indicative of a fraud risk factor,
as discussed in paragraphs 65-66 of this standard.
---------------------------------------------------------------------------
\61\ Paragraph A3 of Auditing Standard No. 5.
---------------------------------------------------------------------------
The Company's Risk Assessment Process
26. The auditor should obtain an understanding of management's
process for:
a. Identifying risks relevant to financial reporting objectives,
including risks of material misstatement due to fraud (``fraud
risks'');
b. Assessing the likelihood and significance of misstatements
resulting from those risks; and
c. Deciding about actions to address those risks.
27. Obtaining an understanding of the company's risk assessment
process includes obtaining an understanding of the risks of material
misstatement identified and assessed by management and the actions
taken to address those risks.
Information and Communication
28. Information System Relevant to Financial Reporting. The auditor
should obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including:
a. The classes of transactions in the company's operations that are
significant to the financial statements;
b. The procedures, within both automated and manual systems, by
which those transactions are initiated, authorized, processed,
recorded, and reported;
c. The related accounting records, supporting information, and
specific accounts in the financial statements that are used to
initiate, authorize, process, and record transactions;
d. How the information system captures events and conditions, other
than transactions,\62\ that are significant to the financial
statements; and
---------------------------------------------------------------------------
\62\ Examples of such events and conditions include depreciation
and amortization and conditions affecting the recoverability of
assets.
---------------------------------------------------------------------------
e. The period-end financial reporting process.
Note: Appendix B discusses additional considerations regarding
manual and automated systems and controls.
29. The auditor also should obtain an understanding of how IT
affects the company's flow of transactions. (See Appendix B.)
Note: The identification of risks and controls within IT is not a
separate evaluation. Instead, it is an integral part of the approach
used to identify significant accounts and disclosures and their
relevant assertions and, when applicable, to select the controls to
test, as well as to assess risk and allocate audit effort.
30. A company's business processes are the activities designed to:
a. Develop, purchase, produce, sell and distribute a company's
products or services;
b. Record information, including accounting and financial reporting
information; and
c. Ensure compliance with laws and regulations relevant to the
financial statements.
31. Obtaining an understanding of the company's business processes
assists the auditor in obtaining an understanding of how transactions
are initiated, authorized, processed, and recorded.
32. A company's period-end financial reporting process, as referred
to in paragraph 28.e., includes the following:
Procedures used to enter transaction totals into the
general ledger;
Procedures related to the selection and application of
accounting principles; \63\
---------------------------------------------------------------------------
\63\ Paragraphs 12-13 of this standard.
---------------------------------------------------------------------------
Procedures used to initiate, authorize, record, and
process journal entries in the general ledger;
Procedures used to record recurring and nonrecurring
adjustments to the annual financial statements (and quarterly financial
statements, if applicable); and
Procedures for preparing annual financial statements and
related disclosures (and quarterly financial statements, if
applicable).
33. Communication. The auditor should obtain an understanding of
how the company communicates financial reporting roles and
responsibilities and significant matters relating to financial
reporting to relevant company personnel and others, including:
Communications between management, the audit committee,
and the board of directors; and
Communications to external parties, including regulatory
authorities and shareholders.
Control Activities
34. The auditor should obtain an understanding of control
activities that is sufficient to assess the factors that affect the
risks of material misstatement and to design further audit procedures,
as described in paragraph 18 of this standard.\64\ As the auditor
obtains an understanding of the other components of internal control
over financial reporting, he or she is also likely to obtain knowledge
about some control activities. The auditor should use his or her
knowledge about the presence or absence of control activities obtained
from the understanding of the other components of internal control over
financial reporting in determining the extent to which it is necessary
to devote additional attention to obtaining an understanding of control
activities to assess the factors that affect the risks of material
misstatement and to design further audit procedures.
---------------------------------------------------------------------------
\64\ Also see paragraph B5 of Appendix B of this standard.
---------------------------------------------------------------------------
Note: A broader understanding of control activities is needed for
relevant assertions for which the auditor plans to rely on controls.
Also, in the audit of internal control over financial reporting, the
auditor's understanding of control activities encompasses a broader
range of accounts and disclosures than what is normally obtained in a
financial statement audit.
Monitoring of Controls
35. The auditor should obtain an understanding of the major types
of activities that the company uses to monitor the effectiveness of its
internal control over financial reporting and how the company initiates
corrective actions related to its controls.\65\
---------------------------------------------------------------------------
\65\ In some companies, internal auditors or others performing
an equivalent function contribute to the monitoring of controls. AU
sec. 322, The Auditor's Consideration of the Internal Audit Function
in an Audit of Financial Statements, establishes requirements
regarding the auditor's consideration and use of the work of the
internal audit function.
---------------------------------------------------------------------------
36. An understanding of the company's monitoring activities
includes understanding the source of the information used in the
monitoring activities.
Performing Walkthroughs
37. As discussed in paragraph 20, the auditor may perform
walkthroughs as part of obtaining an understanding of internal control
over financial reporting. For example, the auditor may perform
walkthroughs in connection with understanding the flow of transactions
[[Page 59341]]
in the information system relevant to financial reporting, evaluating
the design of controls relevant to the audit, and determining whether
those controls have been implemented. In performing a walkthrough, the
auditor follows a transaction from origination through the company's
processes, including information systems, until it is reflected in the
company's financial records, using the same documents and IT that
company personnel use. Walkthrough procedures usually include a
combination of inquiry, observation, inspection of relevant
documentation, and re-performance of controls.
Note: For integrated audits, Auditing Standard No. 5 establishes
certain objectives that the auditor should achieve to further
understand likely sources of potential misstatements and as part of
selecting the controls to test. Auditing Standard No. 5 states that
performing walkthroughs will frequently be the most effective way of
achieving those objectives.\66\
---------------------------------------------------------------------------
\66\ See paragraphs 34-38 of Auditing Standard No. 5.
---------------------------------------------------------------------------
38. In performing a walkthrough, at the points at which important
processing procedures occur, the auditor questions the company's
personnel about their understanding of what is required by the
company's prescribed procedures and controls. These probing questions,
combined with the other walkthrough procedures, allow the auditor to
gain a sufficient understanding of the process and to be able to
identify important points at which a necessary control is missing or
not designed effectively. Additionally, probing questions that go
beyond a narrow focus on the single transaction used as the basis for
the walkthrough allow the auditor to gain an understanding of the
different types of significant transactions handled by the process.
Relationship of Understanding of Internal Control to Tests of Controls
39. The objective of obtaining an understanding of internal
control, as discussed in paragraph 18 of this standard, is different
from testing controls for the purpose of assessing control risk \67\ or
for the purpose of expressing an opinion on internal control over
financial reporting in the audit of internal control over financial
reporting.\68\ The auditor may obtain an understanding of internal
control concurrently with performing tests of controls if he or she
obtains sufficient appropriate evidence to achieve the objectives of
both procedures. Also, the auditor should take into account the
evidence obtained from understanding internal control when assessing
control risk and, in the audit of internal control over financial
reporting, forming an opinion about the effectiveness of internal
control over financial reporting.
---------------------------------------------------------------------------
\67\ Paragraphs 16-35 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.
\68\ Paragraph B1 of Auditing Standard No. 5.
---------------------------------------------------------------------------
40. Relationship of Understanding of Internal Control to Evaluating
Entity-Level Controls in an Audit of Internal Control Over Financial
Reporting. Auditing Standard No. 5 states, ``The auditor must test
those entity-level controls that are important to the auditor's
conclusion about whether the company has effective internal control
over financial reporting.'' \69\ The procedures performed to obtain an
understanding of certain components of internal control in accordance
with this standard, e.g., the control environment, the company's risk
assessment process, information and communication, and monitoring of
controls, might provide evidence that is relevant to the auditor's
evaluation of entity-level controls.\70\ The auditor should take into
account the evidence obtained from understanding internal control when
determining the nature, timing, and extent of procedures necessary to
support the auditor's conclusions about the effectiveness of entity-
level controls in the audit of internal control over financial
reporting.
---------------------------------------------------------------------------
\69\ Paragraph 22 of Auditing Standard No. 5.
\70\ The entity-level controls included in paragraph 24 of
Auditing Standard No. 5 include controls related to the control
environment; the company's risk assessment process; centralized
processing and controls; controls over the period-end financial
reporting process; and controls to monitor other controls.
---------------------------------------------------------------------------
Considering Information From the Client Acceptance and Retention
Evaluation, Audit Planning Activities, Past Audits, and Other
Engagements
41. Client Acceptance and Retention and Audit Planning Activities.
The auditor should evaluate whether information obtained from the
client acceptance and retention evaluation process or audit planning
activities is relevant to identifying risks of material misstatement.
Risks of material misstatement identified during those activities
should be assessed as discussed beginning in paragraph 59 of this
standard.
42. Past Audits. In subsequent years, the auditor should
incorporate knowledge obtained during past audits into the auditor's
process for identifying risks of material misstatement, including when
identifying significant ongoing matters that affect the risks of
material misstatement or determining how changes in the company or its
environment affect the risks of material misstatement, as discussed in
paragraph 8 of this standard.
43. If the auditor plans to limit the nature, timing, or extent of
his or her risk assessment procedures by relying on information from
past audits, the auditor should evaluate whether the prior years'
information remains relevant and reliable.
44. Other Engagements. When the auditor has performed a review of
interim financial information in accordance with AU sec. 722, Interim
Financial Information, the auditor should evaluate whether information
obtained during the review is relevant to identifying risks of material
misstatement in the year-end audit.
45. The auditor should obtain an understanding of the nature of the
services that have been performed for the company by the auditor or
affiliates of the firm \71\ and should take into account relevant
information obtained from those engagements in identifying risks of
material misstatement.\72\
---------------------------------------------------------------------------
\71\ See PCAOB Rule 3501(a)(i), which defines ``affiliate of the
accounting firm.''
\72\ Paragraph 7 of Auditing Standard No. 9, Audit Planning.
---------------------------------------------------------------------------
Performing Analytical Procedures
46. The auditor should perform analytical procedures that are
designed to:
a. Enhance the auditor's understanding of the client's business and
the significant transactions and events that have occurred since the
prior year end; and
b. Identify areas that might represent specific risks relevant to
the audit, including the existence of unusual transactions and events,
and amounts, ratios, and trends that warrant investigation.
47. In applying analytical procedures as risk assessment
procedures, the auditor should perform analytical procedures relating
to revenue with the objective of identifying unusual or unexpected
relationships involving revenue accounts that might indicate a material
misstatement, including material misstatement due to fraud. Also, when
the auditor has performed a review of interim financial information in
accordance with AU sec. 722, he or she should take into account the
analytical procedures applied in that review when designing and
applying analytical procedures as risk assessment procedures.
48. When performing an analytical procedure, the auditor should use
his or
[[Page 59342]]
her understanding of the company to develop expectations about
plausible relationships among the data to be used in the procedure.\73\
When comparison of those expectations with relationships derived from
recorded amounts yields unusual or unexpected results, the auditor
should take into account those results in identifying the risks of
material misstatement.
---------------------------------------------------------------------------
\73\ Analytical procedures consist of evaluations of financial
information made by a study of plausible relationships among both
financial and nonfinancial data.
---------------------------------------------------------------------------
Note: Analytical procedures performed as risk assessment procedures
often use data that is preliminary or data that is aggregated at a high
level, and, in those instances, such analytical procedures are not
designed with the level of precision necessary for substantive
analytical procedures.
Conducting a Discussion Among Engagement Team Members Regarding Risks
of Material Misstatement
49. The key engagement team members should discuss (1) the
company's selection and application of accounting principles, including
related disclosure requirements, and (2) the susceptibility of the
company's financial statements to material misstatement due to error or
fraud.
Note: The key engagement team members should discuss the potential
for material misstatement due to fraud either as part of the discussion
regarding risks of material misstatement or in a separate
discussion.\74\
---------------------------------------------------------------------------
\74\ Paragraphs 52-53 of this standard.
---------------------------------------------------------------------------
Note: As discussed in paragraph 67, the financial statements might
be susceptible to misstatement through omission of required disclosures
or presentation of inaccurate or incomplete disclosures.
50. Key engagement team members include all engagement team members
who have significant engagement responsibilities, including the
engagement partner. The manner in which the discussion is conducted
depends on the individuals involved and the circumstances of the
engagement. For example, if the audit involves more than one location,
there could be multiple discussions with team members in differing
locations. The engagement partner or other key engagement team members
should communicate the important matters from the discussion to
engagement team members who are not involved in the discussion.
Note: If the audit is performed entirely by the engagement partner,
that engagement partner, having personally conducted the planning of
the audit, is responsible for evaluating the susceptibility of the
company's financial statements to material misstatement.
51. Communication among the engagement team members about
significant matters affecting the risks of material misstatement should
continue throughout the audit, including when conditions change.\75\
---------------------------------------------------------------------------
\75\ See also paragraph 29 of Auditing Standard No. 14,
Evaluating Audit Results.
---------------------------------------------------------------------------
Discussion of the Potential for Material Misstatement Due to Fraud
52. The discussion among the key engagement team members about the
potential for material misstatement due to fraud should occur with an
attitude that includes a questioning mind, and the key engagement team
members should set aside any prior beliefs they might have that
management is honest and has integrity. The discussion among the key
engagement team members should include:
An exchange of ideas, or ``brainstorming,'' among the key
engagement team members, including the engagement partner, about how
and where they believe the company's financial statements might be
susceptible to material misstatement due to fraud, how management could
perpetrate and conceal fraudulent financial reporting, and how assets
of the company could be misappropriated, including (a) the
susceptibility of the financial statements to material misstatement
through related party transactions and (b) how fraud might be
perpetrated or concealed by omitting or presenting incomplete or
inaccurate disclosures;
A consideration of the known external and internal factors
affecting the company that might (a) create incentives or pressures for
management and others to commit fraud, (b) provide the opportunity for
fraud to be perpetrated, and (c) indicate a culture or environment that
enables management to rationalize committing fraud;
A consideration of the risk of management override; and
A consideration of the potential audit responses to the
susceptibility of the company's financial statements to material
misstatement due to fraud.
53. The auditor should emphasize the following matters to all
engagement team members:
The need to maintain a questioning mind throughout the
audit and to exercise professional skepticism in gathering and
evaluating evidence, as described in AU sec. 316; \76\
---------------------------------------------------------------------------
\76\ AU sec. 316.13.
---------------------------------------------------------------------------
The need to be alert for information or other conditions
(such as those matters presented in Appendix C of Auditing Standard No.
14) that might affect the assessment of fraud risks; and
If information or other conditions indicate that a
material misstatement due to fraud might have occurred, the need to
probe the issues, acquire additional evidence as necessary, and consult
with other team members and, if appropriate, others in the firm
including specialists.\77\
---------------------------------------------------------------------------
\77\ Paragraphs 20-23 of Auditing Standard No. 14 establish
further requirements for evaluating whether misstatements might be
indicative of fraud and determining the necessary procedures to be
performed in those situations.
---------------------------------------------------------------------------
Inquiring of the Audit Committee, Management, and Others Within the
Company About the Risks of Material Misstatement
54. The auditor should inquire of the audit committee, or
equivalent (or its chair), management, the internal audit function, and
others within the company who might reasonably be expected to have
information that is important to the identification and assessment of
risks of material misstatement.
Note: The auditor's inquiries about risks of material misstatement
should include inquiries regarding fraud risks.
55. The auditor should use his or her knowledge of the company and
its environment, as well as information from other risk assessment
procedures, to determine the nature of the inquiries about risks of
material misstatement.
Inquiries Regarding Fraud Risks
56. The auditor's inquiries regarding fraud risks should include
the following:
a. Inquiries of management regarding:
(1) Whether management has knowledge of fraud, alleged fraud, or
suspected fraud affecting the company;
(2) Management's process for identifying and responding to fraud
risks in the company, including any specific fraud risks the company
has identified or account balances or disclosures for which a fraud
risk is likely to exist, and the nature, extent, and frequency of
management's fraud risk assessment process;
(3) Controls that the company has established to address fraud
risks the company has identified, or that otherwise help to prevent and
detect fraud, including how management monitors those controls;
(4) For a company with multiple locations (a) the nature and extent
of monitoring of operating locations or business segments and (b)
whether there
[[Page 59343]]
are particular operating locations or business segments for which a
fraud risk might be more likely to exist;
(5) Whether and how management communicates to employees its views
on business practices and ethical behavior;
(6) Whether management has received tips or complaints regarding
the company's financial reporting (including those received through the
audit committee's internal whistleblower program, if such program
exists) and, if so, management's responses to such tips and complaints;
and
(7) Whether management has reported to the audit committee on how
the company's internal control serves to prevent and detect material
misstatements due to fraud.
b. Inquiries of the audit committee, or equivalent, or its chair
regarding:
(1) The audit committee's views about fraud risks in the company;
(2) Whether the audit committee has knowledge of fraud, alleged
fraud, or suspected fraud affecting the company;
(3) Whether the audit committee is aware of tips or complaints
regarding the company's financial reporting (including those received
through the audit committee's internal whistleblower program, if such
program exists) and, if so, the audit committee's responses to such
tips and complaints; and
(4) How the audit committee exercises oversight of the company's
assessment of fraud risks and the establishment of controls to address
fraud risks.
c. If the company has an internal audit function, inquiries of
appropriate internal audit personnel regarding:
(1) The internal auditors' views about fraud risks in the company;
(2) Whether the internal auditors have knowledge of fraud, alleged
fraud, or suspected fraud affecting the company;
(3) Whether internal auditors have performed procedures to identify
or detect fraud during the year, and whether management has
satisfactorily responded to the findings resulting from those
procedures; and
(4) Whether internal auditors are aware of instances of management
override of controls and the nature and circumstances of such
overrides.
57. In addition to the inquiries outlined in the preceding
paragraph, the auditor should inquire of others within the company
about their views regarding fraud risks, including, in particular,
whether they have knowledge of fraud, alleged fraud, or suspected
fraud. The auditor should identify other individuals within the company
to whom inquiries should be directed and determine the extent of such
inquiries by considering whether others in the company might have
additional knowledge about fraud, alleged fraud, or suspected fraud or
might be able to corroborate fraud risks identified in discussions with
management or the audit committee. Examples of other individuals within
the company to whom inquiries might be directed include:
Employees with varying levels of authority within the
company, including, e.g., company personnel with whom the auditor comes
into contact during the course of the audit (a) in obtaining an
understanding of internal control, (b) in observing inventory or
performing cutoff procedures, or (c) in obtaining explanations for
significant differences identified when performing analytical
procedures;
Operating personnel not directly involved in the financial
reporting process;
Employees involved in initiating, recording, or processing
complex or unusual transactions, e.g., a sales transaction with
multiple elements or a significant related party transaction; and
In-house legal counsel.
58. When evaluating management's responses to inquiries about fraud
risks and determining when it is necessary to corroborate management's
responses, the auditor should take into account the fact that
management is often in the best position to commit fraud. Also, the
auditor should obtain evidence to address inconsistencies in responses
to the inquiries.
Identifying and Assessing the Risks of Material Misstatement
59. The auditor should identify and assess the risks of material
misstatement at the financial statement level and the assertion level.
In identifying and assessing risks of material misstatement, the
auditor should:
a. Identify risks of misstatement using information obtained from
performing risk assessment procedures (as discussed in paragraphs 4-58)
and considering the characteristics of the accounts and disclosures in
the financial statements.
Note: Factors relevant to identifying fraud risks are discussed in
paragraphs 65-69 of this standard.
b. Evaluate whether the identified risks relate pervasively to the
financial statements as a whole and potentially affect many assertions.
c. Evaluate the types of potential misstatements that could result
from the identified risks and the accounts, disclosures, and assertions
that could be affected.
Note: In identifying and assessing risks at the assertion level,
the auditor should evaluate how risks at the financial statement level
could affect risks of misstatement at the assertion level.
d. Assess the likelihood of misstatement, including the possibility
of multiple misstatements, and the magnitude of potential misstatement
to assess the possibility that the risk could result in material
misstatement of the financial statements.
Note: In assessing the likelihood and magnitude of potential
misstatement, the auditor may take into account the planned degree of
reliance on controls selected to test.\78\
---------------------------------------------------------------------------
\78\ Paragraphs 16-35 of Auditing Standard No. 13.
---------------------------------------------------------------------------
e. Identify significant accounts and disclosures \79\ and their
relevant assertions \80\ (paragraphs 60-64 of this standard).
---------------------------------------------------------------------------
\79\ Paragraph A10 of Auditing Standard No. 5 states:
An account or disclosure is a significant account or disclosure
if there is a reasonable possibility that the account or disclosure
could contain a misstatement that, individually or when aggregated
with others, has a material effect on the financial statements,
considering the risks of both overstatement and understatement. The
determination of whether an account or disclosure is significant is
based on inherent risk, without regard to the effect of controls.
\80\ Paragraph A9 of Auditing Standard No. 5 states:
A relevant assertion is a financial statement assertion that has
a reasonable possibility of containing a misstatement or
misstatements that would cause the financial statements to be
materially misstated. The determination of whether an assertion is a
relevant assertion is based on inherent risk, without regard to the
effect of controls.
---------------------------------------------------------------------------
Note: The determination of whether an account or disclosure is
significant or whether an assertion is a relevant assertion is based on
inherent risk, without regard to the effect of controls.
f. Determine whether any of the identified and assessed risks of
material misstatement are significant risks (paragraphs 70-71 of this
standard).
Identifying Significant Accounts and Disclosures and Their Relevant
Assertions
60. To identify significant accounts and disclosures and their
relevant assertions in accordance with paragraph 59.e., the auditor
should evaluate the qualitative and quantitative risk factors related
to the financial statement line items and disclosures. Risk factors
relevant to the identification of significant accounts and disclosures
and their relevant assertions include:
Size and composition of the account;
Susceptibility to misstatement due to error or fraud;
[[Page 59344]]
Volume of activity, complexity, and homogeneity of the
individual transactions processed through the account or reflected in
the disclosure;
Nature of the account or disclosure;
Accounting and reporting complexities associated with the
account or disclosure;
Exposure to losses in the account;
Possibility of significant contingent liabilities arising
from the activities reflected in the account or disclosure;
Existence of related party transactions in the account;
and
Changes from the prior period in account and disclosure
characteristics.
61. As part of identifying significant accounts and disclosures and
their relevant assertions, the auditor also should determine the likely
sources of potential misstatements that would cause the financial
statements to be materially misstated. The auditor might determine the
likely sources of potential misstatements by asking himself or herself
``what could go wrong?'' within a given significant account or
disclosure.
62. The risk factors that the auditor should evaluate in the
identification of significant accounts and disclosures and their
relevant assertions are the same in the audit of internal control over
financial reporting as in the audit of the financial statements;
accordingly, significant accounts and disclosures and their relevant
assertions are the same for both audits.
Note: In the financial statement audit, the auditor might perform
substantive auditing procedures on financial statement accounts,
disclosures, and assertions that are not determined to be significant
accounts and disclosures and relevant assertions.\81\
---------------------------------------------------------------------------
\81\ The auditor might perform substantive auditing
procedures because his or her assessment of the risk that undetected
misstatement would cause the financial statements to be materially
misstated is unacceptably high or as a means of introducing
unpredictability in the procedures performed. See paragraphs 11, 14,
and 25 of Auditing Standard No. 14, for further discussion about
undetected misstatement. See paragraph 61 of Auditing Standard No. 5
and paragraph 5.c. of Auditing Standard No. 13, for further
discussion about the unpredictability of auditing procedures.
---------------------------------------------------------------------------
63. The components of a potential significant account or disclosure
might be subject to significantly differing risks.
64. When a company has multiple locations or business units, the
auditor should identify significant accounts and disclosures and their
relevant assertions based on the consolidated financial statements.
Factors Relevant to Identifying Fraud Risks
65. The auditor should evaluate whether the information gathered
from the risk assessment procedures indicates that one or more fraud
risk factors are present and should be taken into account in
identifying and assessing fraud risks. Fraud risk factors are events or
conditions that indicate (1) an incentive or pressure to perpetrate
fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or
rationalization that justifies the fraudulent action. Fraud risk
factors do not necessarily indicate the existence of fraud; however,
they often are present in circumstances in which fraud exists. Examples
of fraud risk factors related to fraudulent financial reporting and
misappropriation of assets are listed in AU sec. 316.85. These
illustrative risk factors are classified based on the three conditions
discussed in this paragraph, which generally are present when fraud
exists.
Note: The factors listed in AU sec. 316.85 cover a broad range of
situations and are only examples. Accordingly, the auditor might
identify additional or different fraud risk factors.
66. All three conditions discussed in the preceding paragraph are
not required to be observed or evident to conclude that a fraud risk
exists. The auditor might conclude that a fraud risk exists even when
only one of these three conditions is present.
67. Consideration of the Risk of Omitted, Incomplete, or Inaccurate
Disclosures. The auditor's evaluation of fraud risk factors in
accordance with paragraph 65 should include evaluation of how fraud
could be perpetrated or concealed by presenting incomplete or
inaccurate disclosures or by omitting disclosures that are necessary
for the financial statements to be presented fairly in conformity with
the applicable financial reporting framework.
68. Presumption of Fraud Risk Involving Improper Revenue
Recognition. The auditor should presume that there is a fraud risk
involving improper revenue recognition and evaluate which types of
revenue, revenue transactions, or assertions may give rise to such
risks.
69. Consideration of the Risk of Management Override of Controls.
The auditor's identification of fraud risks should include the risk of
management override of controls.
Note: Controls over management override are important to effective
internal control over financial reporting for all companies, and may be
particularly important at smaller companies because of the increased
involvement of senior management in performing controls and in the
period-end financial reporting process. For smaller companies, the
controls that address the risk of management override might be
different from those at a larger company. For example, a smaller
company might rely on more detailed oversight by the audit committee
that focuses on the risk of management override.
Factors Relevant To Identifying Significant Risks
70. To determine whether an identified and assessed risk is a
significant risk, the auditor should evaluate whether the risk requires
special audit consideration because of the nature of the risk or the
likelihood and potential magnitude of misstatement related to the risk.
Note: The determination of whether a risk of material misstatement
is a significant risk is based on inherent risk, without regard to the
effect of controls.
71. Factors that should be evaluated in determining which risks are
significant risks include:
a. The effect of the quantitative and qualitative risk factors
discussed in paragraph 60 on the likelihood and potential magnitude of
misstatements;
b. Whether the risk is a fraud risk;
Note: A fraud risk is a significant risk.
c. Whether the risk is related to recent significant economic,
accounting, or other developments;
d. The complexity of transactions;
e. Whether the risk involves significant transactions with related
parties;
f. The degree of complexity or judgment in the recognition or
measurement of financial information related to the risk, especially
those measurements involving a wide range of measurement uncertainty;
and
g. Whether the risk involves significant transactions that are
outside the normal course of business for the company or that otherwise
appear to be unusual due to their timing, size, or nature.
Further Consideration of Controls
72. When the auditor has determined that a significant risk,
including a fraud risk, exists, the auditor should evaluate the design
of the company's controls that are intended to address fraud risks and
other significant risks and determine whether those controls have been
implemented, if the auditor has not already done so when obtaining an
understanding of internal control, as described in paragraphs 18-40 of
this standard.\82\
---------------------------------------------------------------------------
\82\ Auditing Standard No. 13 discusses the auditor's response
to fraud risks and other significant risks.
---------------------------------------------------------------------------
73. Controls that address fraud risks include (a) specific controls
designed to
mitigate specific risks of fraud, e.g., controls to address risks of
intentional misstatement of specific accounts and (b) controls designed
to prevent, deter, and detect fraud, e.g., controls to promote a
culture of honesty and ethical behavior.\83\ Such controls also
include those that address the risk of management override of other
controls.
---------------------------------------------------------------------------
\83\ AU sec. 316.88 and paragraph 14 of Auditing Standard No.
5 present examples of controls that address fraud risks.
---------------------------------------------------------------------------
Revision of Risk Assessment
74. The auditor's assessment of the risks of material misstatement,
including fraud risks, should continue throughout the audit. When the
auditor obtains audit evidence during the course of the audit that
contradicts the audit evidence on which the auditor originally based
his or her risk assessment, the auditor should revise the risk
assessment and modify planned audit procedures or perform additional
procedures in response to the revised risk assessments.\84\
---------------------------------------------------------------------------
\84\ See also paragraph 46 of Auditing Standard No. 13.
---------------------------------------------------------------------------
APPENDIX A--Definitions
A1. For purposes of this standard, the terms listed below are defined
as follows:
A2. Business risks--Risks that result from significant conditions,
events, circumstances, actions, or inactions that could adversely
affect a company's ability to achieve its objectives and execute its
strategies. Business risks also might result from setting inappropriate
objectives and strategies or from changes or complexity in the
company's operations or management.
A3. Company's objectives and strategies--The overall plans for the
company as established by management or the board of directors.
Strategies are the approaches by which management intends to achieve
its objectives.
A4. Risk assessment procedures--The procedures performed by the auditor
to obtain information for identifying and assessing the risks of
material misstatement in the financial statements whether due to error
or fraud.
Note: Risk assessment procedures by themselves do not provide
sufficient appropriate evidence on which to base an audit opinion.
A5. Significant risk--A risk of material misstatement that requires
special audit consideration.
APPENDIX B--Consideration of Manual and Automated Systems and Controls
B1. While obtaining an understanding of the company's information
system related to financial reporting, the auditor should obtain an
understanding of how the company uses information technology (``IT'')
and how IT affects the financial statements.\85\ The auditor also
should obtain an understanding of the extent of manual controls and
automated controls used by the company, including the IT general
controls that are important to the effective operation of the automated
controls. That information should be taken into account in assessing
the risks of material misstatement.\86\
---------------------------------------------------------------------------
\85\ See also AU sec. 324, Service Organizations, if the company
uses a service organization for services that are part of the
company's internal control over financial reporting.
\86\ See also paragraphs 16-17 of Auditing Standard No. 9, Audit
Planning.
---------------------------------------------------------------------------
B2. Controls in a manual system might include procedures such as
approvals and reviews of transactions, and reconciliations and
follow-up of reconciling items.
B3. Alternatively, a company might use automated procedures to
initiate, record, process, and report transactions, in which case
records in electronic format would replace paper documents. When IT is
used to initiate, record, process, and report transactions, the IT
systems and programs may include controls related to the relevant
assertions of significant accounts and disclosures or may be critical
to the effective functioning of manual controls that depend on IT.
B4. The auditor should obtain an understanding of specific risks to a
company's internal control over financial reporting resulting from IT.
Examples of such risks include:
Reliance on systems or programs that are inaccurately
processing data, processing inaccurate data, or both;
Unauthorized access to data that might result in
destruction of data or improper changes to data, including the
recording of unauthorized or non-existent transactions or inaccurate
recording of transactions (particular risks might arise when multiple
users access a common database);
The possibility of IT personnel gaining access privileges
beyond those necessary to perform their assigned duties, thereby
breaking down segregation of duties;
Unauthorized changes to data in master files;
Unauthorized changes to systems or programs;
Failure to make necessary changes to systems or programs;
Inappropriate manual intervention; and
Potential loss of data or inability to access data as
required.
B5. In obtaining an understanding of the company's control activities,
the auditor should obtain an understanding of how the company has
responded to risks arising from IT.
B6. When a company uses manual elements in internal control systems and
the auditor plans to rely on, and therefore test, those manual
controls, the auditor should design procedures to test the consistency
in the application of those manual controls.
Auditing Standard No. 13
The Auditor's Responses to the Risks of Material Misstatement
Introduction
1. This standard establishes requirements regarding designing and
implementing appropriate responses to the risks of material
misstatement.
Objective
2. The objective of the auditor is to address the risks of material
misstatement through appropriate overall audit responses and audit
procedures.
Responding to the Risks of Material Misstatement
3. To meet the objective in the preceding paragraph, the auditor
must design and implement audit responses that address the risks of
material misstatement that are identified and assessed in accordance
with Auditing Standard No. 12, Identifying and Assessing Risks of
Material Misstatement.
4. This standard discusses the following types of audit responses:
a. Responses that have an overall effect on how the audit is
conducted (``overall responses''), as described in paragraphs 5-7; and
b. Responses involving the nature, timing, and extent of the audit
procedures to be performed, as described in paragraphs 8-46.
Overall Responses
5. The auditor should design and implement overall responses to
address the assessed risks of material misstatement as follows:
a. Making appropriate assignments of significant engagement
responsibilities. The knowledge, skill, and ability of engagement team
members with significant engagement responsibilities should be
commensurate with the assessed risks of material misstatement.\87\
---------------------------------------------------------------------------
\87\ See also paragraph .06 of AU sec. 230, Due Professional
Care in the Performance of Work.
---------------------------------------------------------------------------
b. Providing the extent of supervision that is appropriate for the
circumstances, including, in particular, the assessed risks of material
misstatement. (See paragraphs 5-6 of Auditing Standard No. 10,
Supervision of the Audit Engagement.)
c. Incorporating elements of unpredictability in the selection of
audit procedures to be performed. As part of the auditor's response to
the assessed risks of material misstatement, including the assessed
risks of material misstatement due to fraud (``fraud risks''), the
auditor should incorporate an element of unpredictability in the
selection of auditing procedures to be performed from year to year.
Examples of ways to incorporate an element of unpredictability include:
(1) Performing audit procedures related to accounts, disclosures,
and assertions that would not otherwise be tested based on their amount
or the auditor's assessment of risk;
(2) Varying the timing of the audit procedures;
(3) Selecting items for testing that have lower amounts or are
otherwise outside customary selection parameters;
(4) Performing audit procedures on an unannounced basis; and
(5) In multi-location audits, varying the location or the nature,
timing, and extent of audit procedures at related locations or business
units from year to year.\88\
---------------------------------------------------------------------------
\88\ For integrated audits, paragraphs 61 and B13 of Auditing
Standard No. 5, An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial Statements,
establish requirements for introducing unpredictability in testing
of controls from year to year and in multi-location audits.
---------------------------------------------------------------------------
d. Evaluating the company's selection and application of
significant accounting principles. The auditor should evaluate whether
the company's selection and application of significant accounting
principles, particularly those related to subjective measurements and
complex transactions,\89\ are indicative of bias that could lead to
material misstatement of the financial statements.
---------------------------------------------------------------------------
\89\ Paragraphs 12-13 of Auditing Standard No. 12 discuss the
auditor's responsibilities regarding obtaining an understanding of
the company's selection and application of accounting principles.
See also paragraphs .66-.67 of AU sec. 316, Consideration of Fraud
in a Financial Statement Audit, and paragraphs .04 and .06 of AU
sec. 411, The Meaning of Present Fairly in Conformity With Generally
Accepted Accounting Principles.
---------------------------------------------------------------------------
Note: Paragraph .11 of AU sec. 380, Communication With Audit
Committees, discusses the auditor's judgments about the quality of a
company's accounting principles.
6. The auditor also should determine whether it is necessary to
make pervasive changes to the nature, timing, or extent of audit
procedures to adequately address the assessed risks of material
misstatement. Examples of such pervasive changes include modifying the
audit strategy to:
a. Increase the substantive testing of the valuation of numerous
significant accounts at year end because of significantly deteriorating
market conditions, and
b. Obtain more persuasive audit evidence from substantive
procedures due to the identification of pervasive weaknesses in the
company's control environment.
7. Due professional care requires the auditor to exercise
professional skepticism.\90\ Professional skepticism is an attitude
that includes a questioning mind and a critical assessment of the
appropriateness and sufficiency of audit evidence. The auditor's
responses to the assessed risks of material misstatement, particularly
fraud risks, should involve the application of professional skepticism
in gathering and evaluating audit evidence.\91\ Examples of the
application of professional skepticism in response to the assessed
fraud risks are (a) modifying the planned audit procedures to obtain
more reliable evidence regarding relevant assertions and (b) obtaining
sufficient appropriate evidence to corroborate management's
explanations or representations concerning important matters, such as
through third-party confirmation, use of a specialist engaged or
employed by the auditor, or examination of documentation from
independent sources.
---------------------------------------------------------------------------
\90\ AU secs. 230.07-.09.
\91\ AU sec. 316.13.
---------------------------------------------------------------------------
Responses Involving the Nature, Timing, and Extent of Audit Procedures
8. The auditor should design and perform audit procedures in a
manner that addresses the assessed risks of material misstatement for
each relevant assertion of each significant account and disclosure.
9. In designing the audit procedures to be performed, the auditor
should:
a. Obtain more persuasive audit evidence the higher the auditor's
assessment of risk;
b. Take into account the types of potential misstatements that
could result from the identified risks and the likelihood and magnitude
of potential misstatement; \92\
---------------------------------------------------------------------------
\92\ For example, potential misstatements regarding disclosures
include omission of required disclosures or presentation of
inaccurate or incomplete disclosures.
---------------------------------------------------------------------------
c. In an integrated audit, design the testing of controls to
accomplish the objectives of both audits simultaneously:
(1) To obtain sufficient evidence to support the auditor's control
risk \93\ assessments for purposes of the audit of financial
statements; \94\ and
---------------------------------------------------------------------------
\93\ See paragraph 7.b. of Auditing Standard No. 8, Audit Risk,
for a definition of control risk.
\94\ For purposes of this standard, the term ``audit of
financial statements'' refers to the financial statement portion of
the integrated audit and to the audit of financial statements only.
---------------------------------------------------------------------------
(2) To obtain sufficient evidence to support the auditor's opinion
on internal control over financial reporting as of year-end.
Note: Auditing Standard No. 5 establishes requirements for tests of
controls in the audit of internal control over financial reporting.
10. The audit procedures performed in response to the assessed
risks of material misstatement can be classified into two categories:
(1) tests of controls and (2) substantive procedures.\95\ Paragraphs
16-35 of this standard discuss tests of controls, and paragraphs 36-46
discuss substantive procedures.
---------------------------------------------------------------------------
\95\ Substantive procedures consist of (a) tests of details of
accounts and disclosures and (b) substantive analytical procedures.
---------------------------------------------------------------------------
Note: Paragraphs 16-17 of this standard discuss when tests of
controls are necessary in a financial statement audit. Ordinarily,
tests of controls are performed for relevant assertions for which the
auditor chooses to rely on controls to modify his or her substantive
procedures.
Responses to Significant Risks
11. For significant risks, the auditor should perform substantive
procedures, including tests of details, that are specifically
responsive to the assessed risks.
Note: Auditing Standard No. 12 discusses identification of
significant risks \96\ and states that fraud risks are significant
risks.
---------------------------------------------------------------------------
\96\ See paragraph 71 of Auditing Standard No. 12 for factors
that the auditor should evaluate in determining which risks are
significant risks.
---------------------------------------------------------------------------
Responses to Fraud Risks
12. The audit procedures that are necessary to address the assessed
fraud risks depend upon the types of risks and the relevant assertions
that might be affected.
Note: If the auditor identifies deficiencies in controls that are
intended to address assessed fraud risks, the auditor should take into
account those deficiencies when designing his or her response to those
fraud risks.
Note: Auditing Standard No. 5 establishes requirements for
addressing assessed fraud risks in the audit of internal control over
financial reporting.\97\
---------------------------------------------------------------------------
\97\ Paragraphs 14-15 of Auditing Standard No. 5.
---------------------------------------------------------------------------
13. Addressing Fraud Risks in the Audit of Financial Statements. In
the audit of financial statements, the auditor should perform
substantive procedures, including tests of details, that are
specifically responsive to the assessed fraud risks. If the auditor
selects certain controls intended to address the assessed fraud risks
for testing in accordance with paragraphs 16-17 of this standard, the
auditor should perform tests of those controls.
14. The following are examples of ways in which planned audit
procedures may be modified to address assessed fraud risks:
a. Changing the nature of audit procedures to obtain evidence that
is more reliable or to obtain additional corroborative information;
b. Changing the timing of audit procedures to be closer to the end
of the period or to the points during the period in which fraudulent
transactions are more likely to occur; and
c. Changing the extent of the procedures applied to obtain more
evidence, e.g., by increasing sample sizes or applying
computer-assisted audit techniques to all of the items in an account.
Note: AU secs. 316.54-.67 provide additional examples of responses
to assessed fraud risks relating to fraudulent financial reporting
(e.g., revenue recognition, inventory quantities, and management
estimates) and misappropriation of assets in the audit of financial
statements.
15. Also, AU sec. 316 indicates that the auditor should perform
audit procedures to specifically address the risk of management
override of controls including:
a. Examining journal entries and other adjustments for evidence of
possible material misstatement due to fraud (AU secs. 316.58-.62);
b. Reviewing accounting estimates for biases that could result in
material misstatement due to fraud (AU secs. 316.63-.65); and
c. Evaluating the business rationale for significant unusual
transactions (AU secs. 316.66-.67).
Testing Controls
Testing Controls in an Audit of Financial Statements
16. Controls to be Tested. If the auditor plans to assess control
risk at less than the maximum by relying on controls,\98\ and the
nature, timing, and extent of planned substantive procedures are based
on that lower assessment, the auditor must obtain evidence that the
controls selected for testing are designed effectively and operated
effectively during the entire period of reliance.\99\ However, the
auditor is not required to assess control risk at less than the maximum
for all relevant assertions and, for a variety of reasons, the auditor
may choose not to do so.
---------------------------------------------------------------------------
\98\ Reliance on controls that is supported by sufficient and
appropriate audit evidence allows the auditor to assess control risk
at less than the maximum, which results in a lower assessed risk of
material misstatement. In turn, this allows the auditor to modify
the nature, timing, and extent of planned substantive procedures.
\99\ Terms defined in Appendix A, Definitions, are set in
boldface type the first time they appear.
---------------------------------------------------------------------------
17. Also, tests of controls must be performed in the audit of
financial statements for each relevant assertion for which substantive
procedures alone cannot provide sufficient appropriate audit evidence
and when necessary to support the auditor's reliance on the accuracy
and completeness of financial information used in performing other
audit procedures.\100\
---------------------------------------------------------------------------
\100\ Paragraph 10 of Auditing Standard No. 15, Audit Evidence,
and paragraph .16 of AU sec. 329, Substantive Analytical Procedures.
---------------------------------------------------------------------------
Note: When a significant amount of information supporting one or
more relevant assertions is electronically initiated, recorded,
processed, or reported, it might be impossible to design effective
substantive tests that, by themselves, would provide sufficient
appropriate evidence regarding the assertions. For such assertions,
significant audit evidence may be available only in electronic form. In
such cases, the sufficiency and appropriateness of the audit evidence
usually depend on the effectiveness of controls over their accuracy and
completeness. Furthermore, the potential for improper initiation or
alteration of information to occur and not be detected may be greater
if information is initiated, recorded, processed, or reported only in
electronic form and appropriate controls are not operating effectively.
18. Evidence about the Effectiveness of Controls in the Audit of
Financial Statements. In designing and performing tests of controls for
the audit of financial statements, the evidence necessary to support
the auditor's control risk assessment depends on the degree of reliance
the auditor plans to place on the effectiveness of a control. The
auditor should obtain more persuasive audit evidence from tests of
controls the greater the reliance the auditor places on the
effectiveness of a control. The auditor also should obtain more
persuasive evidence about the effectiveness of controls for each
relevant assertion for which the audit approach consists primarily of
tests of controls, including situations in which substantive procedures
alone cannot provide sufficient appropriate audit evidence.
Testing Design Effectiveness
19. The auditor should test the design effectiveness of the
controls selected for testing by determining whether the company's
controls, if they are operated as prescribed by persons possessing the
necessary authority and competence to perform the control effectively,
satisfy the company's control objectives and can effectively prevent or
detect error or fraud that could result in material misstatements in
the financial statements.
Note: A smaller, less complex company might achieve its control
objectives in a different manner from a larger, more complex
organization. For example, a smaller, less complex company might have
fewer employees in the accounting function, limiting opportunities to
segregate duties and leading the company to implement alternative
controls to achieve its control objectives. In such circumstances, the
auditor should evaluate whether those alternative controls are
effective.
20. Procedures the auditor performs to test design effectiveness
include a mix of inquiry of appropriate personnel, observation of the
company's operations, and inspection of relevant documentation.
Walkthroughs that include these procedures ordinarily are sufficient to
evaluate design effectiveness.\101\
---------------------------------------------------------------------------
\101\ Paragraphs 37-38 of Auditing Standard No. 12 discuss
performing a walkthrough.
---------------------------------------------------------------------------
Testing Operating Effectiveness
21. The auditor should test the operating effectiveness of a
control selected for testing by determining whether the control is
operating as designed and whether the person performing the control
possesses the necessary authority and competence to perform the control
effectively.
22. Procedures the auditor performs to test operating effectiveness
include a
mix of inquiry of appropriate personnel, observation of the company's
operations, inspection of relevant documentation, and re-performance of
the control.
Obtaining Evidence From Tests of Controls
23. The evidence provided by the auditor's tests of the
effectiveness of controls depends upon the mix of the nature, timing,
and extent of the auditor's procedures. Further, for an individual
control, different combinations of the nature, timing, and extent of
testing might provide sufficient evidence in relation to the degree of
reliance in an audit of financial statements.
Note: To obtain evidence about whether a control is effective, the
control must be tested directly; the effectiveness of a control cannot
be inferred from the absence of misstatements detected by substantive
procedures.
Nature of Tests of Controls
24. Some types of tests, by their nature, produce greater evidence
of the effectiveness of controls than other tests. The following tests
that the auditor might perform are presented in the order of the
evidence that they ordinarily would produce, from least to most:
inquiry, observation, inspection of relevant documentation, and
re-performance of a control.
Note: Inquiry alone does not provide sufficient evidence to support
a conclusion about the effectiveness of a control.
25. The nature of the tests of controls that will provide
appropriate evidence depends, to a large degree, on the nature of the
control to be tested, including whether the operation of the control
results in documentary evidence of its operation. Documentary evidence
of the operation of some controls, such as management's philosophy and
operating style, might not exist.
Note: A smaller, less complex company or unit might have less
formal documentation regarding the operation of its controls. In those
situations, testing controls through inquiry combined with other
procedures, such as observation of activities, inspection of less
formal documentation, or re-performance of certain controls, might
provide sufficient evidence about whether the control is effective.
Extent of Tests of Controls
26. The more extensively a control is tested, the greater the
evidence obtained from that test.
27. Matters that could affect the necessary extent of testing of a
control in relation to the degree of reliance on a control include the
following:
The frequency of the performance of the control by the
company during the audit period;
The length of time during the audit period that the
auditor is relying on the operating effectiveness of the control;
The expected rate of deviation from a control;
The relevance and reliability of the audit evidence to be
obtained regarding the operating effectiveness of the control;
The extent to which audit evidence is obtained from tests
of other controls related to the assertion;
The nature of the control, including, in particular,
whether it is a manual control or an automated control; and
For an automated control, the effectiveness of relevant
information technology general controls.
Note: AU sec. 350, Audit Sampling, establishes requirements
regarding the use of sampling in tests of controls.
Timing of Tests of Controls
28. The timing of tests of controls relates to when the evidence
about the operating effectiveness of the controls is obtained and the
period of time to which it applies. Paragraph 16 of this standard
indicates that the auditor must obtain evidence that the controls
selected for testing are designed effectively and operated effectively
during the entire period of reliance.
29. Using Audit Evidence Obtained during an Interim Period. When
the auditor obtains evidence about the operating effectiveness of
controls as of or through an interim date, he or she should determine
what additional evidence is necessary concerning the operation of the
controls for the remaining period of reliance.
30. The additional evidence that is necessary to update the results
of testing from an interim date through the remaining period of
reliance depends on the following factors:
The possibility that there have been any significant
changes in internal control over financial reporting subsequent to the
interim date;
Note: If there have been significant changes to the control since
the interim date, the auditor should obtain evidence about the
effectiveness of the new or modified control;
The inherent risk associated with the related account(s)
or assertion(s);
The specific control tested prior to year end, including
the nature of the control and the risk that the control is no longer
effective during the remaining period, and the results of the tests of
the control;
The planned degree of reliance on the control;
The sufficiency of the evidence of effectiveness obtained
at an interim date; and
The length of the remaining period.
31. Using Audit Evidence Obtained in Past Audits. For audits of
financial statements, the auditor should obtain evidence during the
current year audit about the design and operating effectiveness of
controls upon which the auditor relies. When controls on which the
auditor plans to rely have been tested in past audits and the auditor
plans to use evidence about the effectiveness of those controls that
was obtained in prior years, the auditor should take into account the
following factors to determine the evidence needed during the current
year audit to support the auditor's control risk assessments:
The nature and materiality of misstatements that the
control is intended to prevent or detect;
The inherent risk associated with the related account(s)
or assertion(s);
Whether there have been changes in the volume or nature of
transactions that might adversely affect control design or operating
effectiveness;
Whether the account has a history of errors;
The effectiveness of entity-level controls that the
auditor has tested, especially controls that monitor other controls;
The nature of the controls and the frequency with which
they operate;
The degree to which the control relies on the
effectiveness of other controls (e.g., the control environment or
information technology general controls);
The competence of the personnel who perform the control or
monitor its performance and whether there have been changes in key
personnel who perform the control or monitor its performance;
Whether the control relies on performance by an individual
or is automated (i.e., an automated control would generally be expected
to be lower risk if relevant information technology general controls
are effective); \102\
---------------------------------------------------------------------------
\102\ The auditor also may use a benchmarking strategy, when
appropriate, for automated application controls in subsequent years'
audits. Benchmarking is described further beginning at paragraph B28
of Auditing Standard No. 5.
---------------------------------------------------------------------------
The complexity of the control and the significance of the
judgments that must be made in connection with its operation;
[[Page 59349]]
The planned degree of reliance on the control;
The nature, timing, and extent of procedures performed in
past audits;
The results of the previous years' testing of the control;
Whether there have been changes in the control or the
process in which it operates since the previous audit; and
For integrated audits, the evidence regarding the
effectiveness of the controls obtained during the audit of internal
control.
Assessing Control Risk
32. The auditor should assess control risk for relevant assertions
by evaluating the evidence obtained from all sources, including the
auditor's testing of controls for the audit of internal control and the
audit of financial statements, misstatements detected during the
financial statement audit, and any identified control deficiencies.
33. Control risk should be assessed at the maximum level for
relevant assertions (1) for which controls necessary to sufficiently
address the assessed risk of material misstatement in those assertions
are missing or ineffective or (2) when the auditor has not obtained
sufficient appropriate evidence to support a control risk assessment
below the maximum level.
34. When deficiencies affecting the controls on which the auditor
intends to rely are detected, the auditor should evaluate the severity
of the deficiencies and the effect on the auditor's control risk
assessments. If the auditor plans to rely on controls relating to an
assertion but the controls that the auditor tests are ineffective
because of control deficiencies, the auditor should:
a. Perform tests of other controls related to the same assertion as
the ineffective controls, or
b. Revise the control risk assessment and modify the planned
substantive procedures as necessary in light of the increased
assessment of risk.
Note: Auditing Standard No. 5 establishes requirements for
evaluating the severity of a control deficiency and communicating
identified control deficiencies to management and the audit committee
in an integrated audit. AU sec. 325, Communications About Control
Deficiencies in an Audit of Financial Statements, establishes
requirements for communicating significant deficiencies and material
weaknesses in an audit of financial statements only.
Testing Controls in an Audit of Internal Control
35. Auditing Standard No. 5 states that the objective of the tests
of controls in an audit of internal control is to obtain evidence about
the effectiveness of controls to support the auditor's opinion on the
company's internal control over financial reporting. The auditor's
opinion relates to the effectiveness of the company's internal control
over financial reporting as of a point in time and taken as a
whole.\103\ Auditing Standard No. 5 establishes requirements regarding
the selection of controls to be tested and the necessary nature,
timing, and extent of tests of controls in an audit of internal control
over financial reporting.
---------------------------------------------------------------------------
\103\ Paragraph B1 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Substantive Procedures
36. The auditor should perform substantive procedures for each
relevant assertion of each significant account and disclosure,
regardless of the assessed level of control risk.
37. As the assessed risk of material misstatement increases, the
evidence from substantive procedures that the auditor should obtain
also increases. The evidence provided by the auditor's substantive
procedures depends upon the mix of the nature, timing, and extent of
those procedures. Further, for an individual assertion, different
combinations of the nature, timing, and extent of testing might provide
sufficient appropriate evidence to respond to the assessed risk of
material misstatement.
38. Internal control over financial reporting has inherent
limitations,\104\ which, in turn, can affect the evidence that is
needed from substantive procedures. For example, more evidence from
substantive procedures ordinarily is needed for relevant assertions
that have a higher susceptibility to management override or to lapses
in judgment or breakdowns resulting from human failures.\105\
---------------------------------------------------------------------------
\104\ Paragraph A5 of Auditing Standard No. 5.
\105\ See, e.g., paragraph .14 of AU sec. 328, Auditing Fair
Value Measurements and Disclosures.
---------------------------------------------------------------------------
Nature of Substantive Procedures
39. Substantive procedures generally provide persuasive evidence
when they are designed and performed to obtain evidence that is
relevant and reliable. Also, some types of substantive procedures, by
their nature, produce more persuasive evidence than others. Inquiry
alone does not provide sufficient appropriate evidence to support a
conclusion about a relevant assertion.
Note: Auditing Standard No. 15 discusses certain types of
substantive procedures and the relevance and reliability of audit
evidence.
40. Taking into account the types of potential misstatements in the
relevant assertions that could result from identified risks, as
required by paragraph 9.b., can help the auditor determine the types
and combination of substantive audit procedures that are necessary to
detect material misstatements in the respective assertions.
41. Substantive Procedures Related to the Period-end Financial
Reporting Process. The auditor's substantive procedures must include
the following audit procedures related to the period-end financial
reporting process:
a. Reconciling the financial statements with the underlying
accounting records; and
b. Examining material adjustments made during the course of
preparing the financial statements.
Note: AU secs. 316.58-.62 establish requirements for examining
journal entries and other adjustments for evidence of possible material
misstatement due to fraud.
Extent of Substantive Procedures
42. The more extensively a substantive procedure is performed, the
greater the evidence obtained from the procedure. The necessary extent
of a substantive audit procedure depends on the materiality of the
account or disclosure, the assessed risk of material misstatement, and
the necessary degree of assurance from the procedure. However,
increasing the extent of an audit procedure cannot adequately address
an assessed risk of material misstatement unless the evidence to be
obtained from the procedure is reliable and relevant.
Timing of Substantive Procedures
43. Performing certain substantive procedures at interim dates may
permit early consideration of matters affecting the year-end financial
statements, e.g., testing material transactions involving higher risks
of misstatement. However, performing substantive procedures at an
interim date without performing procedures at a later date increases
the risk that a material misstatement could exist in the year-end
financial statements that would not be detected by the auditor. This
risk increases as the period between the interim date and year end
increases.
44. In determining whether it is appropriate to perform substantive
procedures at an interim date, the auditor should take into account the
following:
a. The assessed risk of material misstatement, including:
[[Page 59350]]
(1) The auditor's assessment of control risk, as discussed in
paragraphs 32-34;
(2) The existence of conditions or circumstances, if any, that
create incentives or pressures on management to misstate the financial
statements between the interim test date and the end of the period
covered by the financial statements;
(3) The effects of known or expected changes in the company, its
environment, or its internal control over financial reporting during
the remaining period;
b. The nature of the substantive procedures;
c. The nature of the account or disclosure and relevant assertion;
and
d. The ability of the auditor to perform the necessary audit
procedures to cover the remaining period.
45. When substantive procedures are performed at an interim date,
the auditor should cover the remaining period by performing substantive
procedures, or substantive procedures combined with tests of controls,
that provide a reasonable basis for extending the audit conclusions
from the interim date to the period end. Such procedures should include
(a) comparing relevant information about the account balance at the
interim date with comparable information at the end of the period to
identify amounts that appear unusual and investigating such amounts and
(b) performing audit procedures to test the remaining period.
46. If the auditor obtains evidence that contradicts the evidence
on which the original risk assessments were based, including evidence
of misstatements that he or she did not expect, the auditor should
revise the related risk assessments and modify the planned nature,
timing, or extent of substantive procedures covering the remaining
period as necessary. Examples of such modifications include extending
or repeating at the period end the procedures performed at the interim
date.
Dual-Purpose Tests
47. In some situations, the auditor might perform a substantive
test of a transaction concurrently with a test of a control relevant to
that transaction (a ``dual-purpose test''). In those situations, the
auditor should design the dual-purpose test to achieve the objectives
of both the test of the control and the substantive test. Also, when
performing a dual-purpose test, the auditor should evaluate the results
of the test in forming conclusions about both the assertion and the
effectiveness of the control being tested.\106\
---------------------------------------------------------------------------
\106\ Paragraph .44 of AU sec. 350 discusses applying audit
sampling in dual-purpose tests.
---------------------------------------------------------------------------
APPENDIX A--Definitions
A1. For purposes of this standard, the terms listed below are defined
as follows:
A2. Dual-purpose test--Substantive test of a transaction and a test of
a control relevant to that transaction that are performed concurrently,
e.g., a substantive test of sales transactions performed concurrently
with a test of controls over those transactions.
A3. Period of reliance--The period being covered by the company's
financial statements, or the portion of that period, for which the
auditor plans to rely on controls in order to modify the nature,
timing, and extent of planned substantive procedures.
Auditing Standard No. 14
Evaluating Audit Results
Introduction
1. This standard establishes requirements regarding the auditor's
evaluation of audit results and determination of whether he or she has
obtained sufficient appropriate audit evidence.
Objective
2. The objective of the auditor is to evaluate the results of the
audit to determine whether the audit evidence obtained is sufficient
and appropriate to support the opinion to be expressed in the auditor's
report.
Evaluating the Results of the Audit of Financial Statements
3. In forming an opinion on whether the financial statements are
presented fairly, in all material respects, in conformity with the
applicable financial reporting framework, the auditor should take into
account all relevant audit evidence, regardless of whether it appears
to corroborate or to contradict the assertions in the financial
statements.
4. In the audit of financial statements,\107\ the auditor's
evaluation of audit results should include evaluation of the following:
---------------------------------------------------------------------------
\107\ For purposes of this standard, the term ``audit of
financial statements'' refers to the financial statement portion of
the integrated audit and to the audit of financial statements only.
---------------------------------------------------------------------------
a. The results of analytical procedures performed in the overall
review of the financial statements (``overall review'');
b. Misstatements accumulated during the audit, including, in
particular, uncorrected misstatements; \108\
---------------------------------------------------------------------------
\108\ Terms defined in Appendix A, Definitions, are set in
boldface type the first time they appear.
---------------------------------------------------------------------------
c. The qualitative aspects of the company's accounting practices;
d. Conditions identified during the audit that relate to the
assessment of the risk of material misstatement due to fraud (``fraud
risk'');
e. The presentation of the financial statements, including the
disclosures; and
f. The sufficiency and appropriateness of the audit evidence
obtained.
Performing Analytical Procedures in the Overall Review
5. In the overall review, the auditor should read the financial
statements and disclosures and perform analytical procedures to (a)
evaluate the auditor's conclusions formed regarding significant
accounts and disclosures and (b) assist in forming an opinion on
whether the financial statements as a whole are free of material
misstatement.
6. As part of the overall review, the auditor should evaluate
whether:
a. The evidence gathered in response to unusual or unexpected
transactions, events, amounts, or relationships previously identified
during the audit is sufficient; and
b. Unusual or unexpected transactions, events, amounts, or
relationships \109\ indicate risks of material misstatement that were
not identified previously, including, in particular, fraud risks.
---------------------------------------------------------------------------
\109\ Paragraphs 46-48 of Auditing Standard No. 12, Identifying
and Assessing Risks of Material Misstatement and paragraph .03 of AU
sec. 329, Substantive Analytical Procedures.
---------------------------------------------------------------------------
Note: If the auditor discovers a previously unidentified risk of
material misstatement or concludes that the evidence gathered is not
adequate, he or she should modify his or her audit procedures or
perform additional procedures as necessary in accordance with paragraph
36 of this standard.
7. The nature and extent of the analytical procedures performed
during the overall review may be similar to the analytical procedures
performed as risk assessment procedures. The auditor should perform
analytical procedures relating to revenue through the end of the
reporting period.\110\
---------------------------------------------------------------------------
\110\ Paragraph 47 of Auditing Standard No. 12 contains a
requirement to perform analytical procedures relating to revenue as
part of the risk assessment procedures.
---------------------------------------------------------------------------
8. The auditor should obtain corroboration for management's
explanations regarding significant unusual or unexpected transactions,
[[Page 59351]]
events, amounts, or relationships. If management's responses to the
auditor's inquiries appear to be implausible, inconsistent with other
audit evidence, imprecise, or not at a sufficient level of detail to be
useful, the auditor should perform procedures to address the matter.
9. Evaluating Whether Analytical Procedures Indicate a Previously
Unrecognized Fraud Risk. Whether an unusual or unexpected transaction,
event, amount, or relationship indicates a fraud risk, as discussed in
paragraph 6.b., depends on the relevant facts and circumstances,
including the nature of the account or relationship among the data used
in the analytical procedures. For example, certain unusual or
unexpected transactions, events, amounts, or relationships could
indicate a fraud risk if a component of the relationship involves
accounts and disclosures that management has incentives or pressures to
manipulate, e.g., significant unusual or unexpected relationships
involving revenue and income.
Accumulating and Evaluating Identified Misstatements
10. Accumulating Identified Misstatements. The auditor should
accumulate misstatements identified during the audit, other than those
that are clearly trivial.
Note: ``Clearly trivial'' is not another expression for ``not
material.'' Matters that are clearly trivial will be of a smaller order
of magnitude than the materiality level established in accordance with
Auditing Standard No. 11, Consideration of Materiality in Planning and
Performing an Audit, and will be inconsequential, whether taken
individually or in aggregate and whether judged by any criteria of
size, nature, or circumstances. When there is any uncertainty about
whether one or more items is clearly trivial, the matter is not
considered trivial.
11. The auditor may designate an amount below which misstatements
are clearly trivial and do not need to be accumulated. In such cases,
the amount should be set so that any misstatements below that amount
would not be material to the financial statements, individually or in
combination with other misstatements, considering the possibility of
undetected misstatement.
12. The auditor's accumulation of misstatements should include the
auditor's best estimate of the total misstatement in the accounts and
disclosures that he or she has tested, not just the amount of
misstatements specifically identified. This includes misstatements
related to accounting estimates, as determined in accordance with
paragraph 13 of this standard, and projected misstatements from
substantive procedures that involve audit sampling, as determined in
accordance with AU sec. 350, Audit Sampling.\111\
---------------------------------------------------------------------------
\111\ AU sec. 350.26.
---------------------------------------------------------------------------
13. Misstatements Relating to Accounting Estimates. If the auditor
concludes that the amount of an accounting estimate included in the
financial statements is unreasonable or was not determined in
conformity with the relevant requirements of the applicable financial
reporting framework, he or she should treat the difference between that
estimate and a reasonable estimate determined in conformity with the
applicable accounting principles as a misstatement. If a range of
reasonable estimates is supported by sufficient appropriate audit
evidence and the recorded estimate is outside of the range of
reasonable estimates, the auditor should treat the difference between
the recorded accounting estimate and the closest reasonable estimate as
a misstatement.
Note: If an accounting estimate is determined in conformity with
the relevant requirements of the applicable financial reporting
framework and the amount of the estimate is reasonable, a difference
between an estimated amount best supported by the audit evidence and
the recorded amount of the accounting estimate ordinarily would not be
considered to be a misstatement. Paragraph 27 discusses evaluating
accounting estimates for bias.
14. Considerations as the Audit Progresses. The auditor should
determine whether the overall audit strategy and audit plan need to be
modified if:
a. The nature of accumulated misstatements and the circumstances of
their occurrence indicate that other misstatements might exist that, in
combination with accumulated misstatements, could be material; or
b. The aggregate of misstatements accumulated during the audit
approaches the materiality level or levels used in planning and
performing the audit.\112\
---------------------------------------------------------------------------
\112\ Auditing Standard No. 11.
---------------------------------------------------------------------------
Note: When the aggregate of accumulated misstatements approaches
the materiality level or levels used in planning and performing the
audit, there likely will be greater than an appropriately low level of
risk that possible undetected misstatements, when combined with the
aggregate of misstatements accumulated during the audit that remain
uncorrected, could be material to the financial statements. If the
auditor's assessment of this risk is unacceptably high, he or she
should perform additional audit procedures or determine that management
has adjusted the financial statements so that the risk that the
financial statements are materially misstated has been reduced to an
appropriately low level.
15. The auditor should communicate accumulated misstatements to
management on a timely basis to provide management with an opportunity
to correct them.
16. If management has examined an account or a disclosure in
response to misstatements detected by the auditor and has made
corrections to the account or disclosure, the auditor should evaluate
management's work to determine whether the corrections have been
recorded properly and whether uncorrected misstatements remain.
17. Evaluation of the Effect of Uncorrected Misstatements. The
auditor should evaluate whether uncorrected misstatements are material,
individually or in combination with other misstatements. In making this
evaluation, the auditor should evaluate the misstatements in relation
to the specific accounts and disclosures involved and to the financial
statements as a whole, taking into account relevant quantitative and
qualitative factors.\113\ (See Appendix B.)
---------------------------------------------------------------------------
\113\ If the financial statements contain material
misstatements, AU sec. 508, Reports on Audited Financial Statements,
indicates that the auditor should issue a qualified or an adverse
opinion on the financial statements. AU sec. 508.35 discusses
situations in which the financial statements are materially affected
by a departure from the applicable financial reporting framework.
---------------------------------------------------------------------------
Note: In interpreting the federal securities laws, the Supreme
Court of the United States has held that a fact is material if there is
``a substantial likelihood that the * * * fact would have been viewed
by the reasonable investor as having significantly altered the `total
mix' of information made available.'' \114\ As the Supreme Court has
noted, determinations of materiality require ``delicate assessments of
the inferences a `reasonable shareholder' would draw from a given set
of facts and the significance of those inferences to him * * *.'' \115\
---------------------------------------------------------------------------
\114\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
\115\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------
Note: As a result of the interaction of quantitative and
qualitative considerations in materiality judgments, uncorrected
misstatements of relatively small amounts could have a material effect
on the financial statements. For
[[Page 59352]]
example, an illegal payment of an otherwise immaterial amount could be
material if there is a reasonable possibility \116\ that it could lead
to a material contingent liability or a material loss of revenue.\117\
Also, a misstatement made intentionally could be material for
qualitative reasons, even if relatively small in amount.
---------------------------------------------------------------------------
\116\ There is a reasonable possibility of an event, as used in
this standard, when the likelihood of the event is either
``reasonably possible'' or ``probable,'' as those terms are used in
the FASB Accounting Standards Codification, Contingencies Topic,
paragraph 450-20-25-1.
\117\ AU sec. 317, Illegal Acts by Clients.
---------------------------------------------------------------------------
Note: If the reevaluation of the established materiality level or
levels, as set forth in Auditing Standard No. 11,\118\ results in a
lower amount for the materiality level or levels, the auditor should
take into account that lower materiality level or levels in the
evaluation of uncorrected misstatements.
---------------------------------------------------------------------------
\118\ Paragraphs 11-12 of Auditing Standard No. 11.
---------------------------------------------------------------------------
18. The auditor's evaluation of uncorrected misstatements, as
described in paragraph 17 of this standard, should include evaluation
of the effects of uncorrected misstatements detected in prior years and
misstatements detected in the current year that relate to prior years.
19. The auditor cannot assume that an instance of error or fraud is
an isolated occurrence. Therefore, the auditor should evaluate the
nature and effects of the individual misstatements accumulated during
the audit on the assessed risks of material misstatement. This
evaluation is important in determining whether the risk assessments
remain appropriate, as discussed in paragraph 36 of this standard.
20. Evaluating Whether Misstatements Might Be Indicative of Fraud.
The auditor should evaluate whether identified misstatements \119\
might be indicative of fraud and, in turn, how they affect the
auditor's evaluation of materiality and the related audit responses. As
indicated in AU sec. 316, Consideration of Fraud in a Financial
Statement Audit, fraud is an intentional act that results in material
misstatement of the financial statements.\120\
---------------------------------------------------------------------------
\119\ Misstatements include omission and presentation of
inaccurate or incomplete disclosures.
\120\ AU sec. 316.05.
---------------------------------------------------------------------------
21. If the auditor believes that a misstatement is or might be
intentional, and if the effect on the financial statements could be
material or cannot be readily determined, the auditor should perform
procedures to obtain additional audit evidence to determine whether
fraud has occurred or is likely to have occurred and, if so, its effect
on the financial statements and the auditor's report thereon.
22. For misstatements that the auditor believes are or might be
intentional, the auditor should evaluate the implications on the
integrity of management or employees and the possible effect on other
aspects of the audit. If the misstatement involves higher-level
management, it might be indicative of a more pervasive problem, such as
an issue with the integrity of management, even if the amount of the
misstatement is small. In such circumstances, the auditor should
reevaluate the assessment of fraud risk and the effect of that
assessment on (a) the nature, timing, and extent of the necessary tests
of accounts or disclosures and (b) the assessment of the effectiveness
of controls. The auditor also should evaluate whether the circumstances
or conditions indicate possible collusion involving employees,
management, or external parties and, if so, the effect of the collusion
on the reliability of evidence obtained.
23. If the auditor becomes aware of information indicating that
fraud or another illegal act has occurred or might have occurred, he or
she also must determine his or her responsibilities under AU secs.
316.79-.82A, AU sec. 317, and Section 10A of the Securities Exchange
Act of 1934, 15 U.S.C. Sec. 78j-1.
Evaluating the Qualitative Aspects of the Company's Accounting
Practices
24. When evaluating whether the financial statements as a whole are
free of material misstatement, the auditor should evaluate the
qualitative aspects of the company's accounting practices, including
potential bias in management's judgments about the amounts and
disclosures in the financial statements.
25. The following are examples of forms of management bias:
a. The selective correction of misstatements brought to
management's attention during the audit (e.g., correcting misstatements
that have the effect of increasing reported earnings but not correcting
misstatements that have the effect of decreasing reported earnings).
Note: To evaluate the potential effect of selective correction of
misstatements, the auditor should obtain an understanding of the
reasons that management decided not to correct misstatements
communicated by the auditor in accordance with paragraph 15.
b. The identification by management of additional adjusting entries
that offset misstatements accumulated by the auditor. If such adjusting
entries are identified, the auditor should perform procedures to
determine why the underlying misstatements were not identified
previously and evaluate the implications on the integrity of management
and the auditor's risk assessments, including fraud risk assessments.
The auditor also should perform additional procedures as necessary to
address the risk of further undetected misstatement.
c. Bias in the selection and application of accounting
principles.\121\
---------------------------------------------------------------------------
\121\ Paragraph 5.d. of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.
---------------------------------------------------------------------------
d. Bias in accounting estimates.\122\
---------------------------------------------------------------------------
\122\ Paragraph 27 of this standard.
---------------------------------------------------------------------------
26. If the auditor identifies bias in management's judgments about
the amounts and disclosures in the financial statements, the auditor
should evaluate whether the effect of that bias, together with the
effect of uncorrected misstatements, results in material misstatement
of the financial statements. Also, the auditor should evaluate whether
the auditor's risk assessments, including, in particular, the
assessment of fraud risks, and the related audit responses remain
appropriate.
27. Evaluating Bias in Accounting Estimates. The auditor should
evaluate whether the difference between estimates best supported by the
audit evidence and estimates included in the financial statements,
which are individually reasonable, indicate a possible bias on the part
of the company's management. If each accounting estimate included in
the financial statements was individually reasonable but the effect of
the difference between each estimate and the estimate best supported by
the audit evidence was to increase earnings or loss, the auditor should
evaluate whether these circumstances indicate potential management bias
in the estimates. Bias also can result from the cumulative effect of
changes in multiple accounting estimates. If the estimates in the
financial statements are grouped at one end of the range of reasonable
estimates in the prior year and are grouped at the other end of the
range of reasonable estimates in the current year, the auditor should
evaluate whether management is using swings in estimates to achieve an
expected or desired outcome, e.g., to offset higher or lower than
expected earnings.
[[Page 59353]]
Note: AU secs. 316.64-.65 establish requirements regarding
performing a retrospective review of accounting estimates and
evaluating the potential for fraud risks.
Evaluating Conditions Relating to the Assessment of Fraud Risks
28. When evaluating the results of the audit, the auditor should
evaluate whether the accumulated results of auditing procedures \123\
and other observations affect the assessment of the fraud risks made
throughout the audit and whether the audit procedures need to be
modified to respond to those risks. (See Appendix C.)
---------------------------------------------------------------------------
\123\ Such auditing procedures include, but are not limited to,
procedures in the overall review (paragraph 9 of this standard), the
evaluation of identified misstatements (paragraphs 20-23 of this
standard), and the evaluation of the qualitative aspects of the
company's accounting practices (paragraphs 24-27 of this standard).
---------------------------------------------------------------------------
29. As part of this evaluation, the engagement partner should
determine whether there has been appropriate communication with the
other engagement team members throughout the audit regarding
information or conditions that are indicative of fraud risks.
Note: To accomplish this communication, the engagement partner
might arrange another discussion among the engagement team members
about fraud risks. (See paragraphs 49-51 of Auditing Standard No. 12.)
Evaluating the Presentation of the Financial Statements, Including the
Disclosures
30. The auditor must evaluate whether the financial statements are
presented fairly, in all material respects, in conformity with the
applicable financial reporting framework.
Note: AU sec. 411, The Meaning of Present Fairly in Conformity With
Generally Accepted Accounting Principles, establishes requirements for
evaluating the presentation of the financial statements. Auditing
Standard No. 6, Evaluating Consistency of Financial Statements,
establishes requirements regarding evaluating the consistency of the
accounting principles used in financial statements.
Note: The auditor should look to the requirements of the Securities
and Exchange Commission for the company under audit with respect to the
accounting principles applicable to that company.
31. As part of the evaluation of the presentation of the financial
statements, the auditor should evaluate whether the financial
statements contain the information essential for a fair presentation of
the financial statements in conformity with the applicable financial
reporting framework. Evaluation of the information disclosed in the
financial statements includes consideration of the form, arrangement,
and content of the financial statements (including the accompanying
notes), encompassing matters such as the terminology used, the amount
of detail given, the classification of items in the statements, and the
bases of amounts set forth.
Note: According to AU sec. 508, if the financial statements,
including the accompanying notes, fail to disclose information that is
required by the applicable financial reporting framework, the auditor
should express a qualified or adverse opinion and should provide the
information in the report, if practicable, unless its omission from the
report is recognized as appropriate by a specific auditing
standard.\124\
---------------------------------------------------------------------------
\124\ AU secs. 508.41-.44.
---------------------------------------------------------------------------
Evaluating the Sufficiency and Appropriateness of Audit Evidence
32. Auditing Standard No. 8, Audit Risk, states:
To form an appropriate basis for expressing an opinion on the
financial statements, the auditor must plan and perform the audit to
obtain reasonable assurance about whether the financial statements are
free of material misstatement due to error or fraud. Reasonable
assurance is obtained by reducing audit risk to an appropriately low
level through applying due professional care, including obtaining
sufficient appropriate audit evidence.\125\
---------------------------------------------------------------------------
\125\ Paragraph 3 of Auditing Standard No. 8.
---------------------------------------------------------------------------
33. As part of evaluating audit results, the auditor must conclude
on whether sufficient appropriate audit evidence has been obtained to
support his or her opinion on the financial statements.
34. Factors that are relevant to the conclusion on whether
sufficient appropriate audit evidence has been obtained include the
following:
a. The significance of uncorrected misstatements and the likelihood
of their having a material effect, individually or in combination, on
the financial statements, considering the possibility of further
undetected misstatement (paragraphs 14 and 17-19 of this standard).
b. The results of audit procedures performed in the audit of
financial statements, including whether the evidence obtained supports
or contradicts management's assertions and whether such audit
procedures identified specific instances of fraud (paragraphs 20-23 and
28-29 of this standard).
c. The auditor's risk assessments (paragraph 36 of this standard).
d. The results of audit procedures performed in the audit of
internal control over financial reporting, if the audit is an
integrated audit.
e. The appropriateness (i.e., the relevance and reliability) of the
audit evidence obtained.\126\
---------------------------------------------------------------------------
\126\ Paragraphs 7-9 of Auditing Standard No. 15, Audit
Evidence, discuss the relevance and reliability of audit evidence.
---------------------------------------------------------------------------
35. If the auditor has not obtained sufficient appropriate audit
evidence about a relevant assertion or has substantial doubt about a
relevant assertion, the auditor should perform procedures to obtain
further audit evidence to address the matter. If the auditor is unable
to obtain sufficient appropriate audit evidence to have a reasonable
basis to conclude about whether the financial statements as a whole are
free of material misstatement, AU sec. 508 indicates that the auditor
should express a qualified opinion or a disclaimer of opinion.\127\
---------------------------------------------------------------------------
\127\ AU sec. 508.22-.34 contains requirements regarding audit
scope limitations.
---------------------------------------------------------------------------
36. Evaluating the Appropriateness of Risk Assessments. As part of
the evaluation of whether sufficient appropriate audit evidence has
been obtained, the auditor should evaluate whether the assessments of
the risks of material misstatement at the assertion level remain
appropriate and whether the audit procedures need to be modified or
additional procedures need to be performed as a result of any changes
in the risk assessments. For example, the re-evaluation of the
auditor's risk assessments could result in the identification of
relevant assertions or significant risks that were not identified
previously and for which the auditor should perform additional audit
procedures.
Note: Auditing Standard No. 12 establishes requirements on revising
the auditor's risk assessment.\128\ Auditing Standard No. 13 discusses
the auditor's responsibilities regarding the assessment of control risk
and evaluation of control deficiencies in an audit of financial
statements.\129\
---------------------------------------------------------------------------
\128\ Paragraph 74 of Auditing Standard No. 12.
\129\ Paragraphs 32-34 of Auditing Standard No. 13.
---------------------------------------------------------------------------
Evaluating the Results of the Audit of Internal Control Over Financial
Reporting
37. Auditing Standard No. 5, An Audit of Internal Control Over
Financial Reporting That Is Integrated with An Audit of Financial
Statements, indicates
[[Page 59354]]
that the auditor should form an opinion on the effectiveness of
internal control over financial reporting by evaluating evidence
obtained from all sources, including the auditor's testing of controls,
misstatements detected during the financial statement audit, and any
identified control deficiencies. Auditing Standard No. 5 describes the
auditor's responsibilities regarding evaluating the results of the
audit, including evaluating the identified control deficiencies.\130\
---------------------------------------------------------------------------
\130\ Paragraphs 62-70 of Auditing Standard No. 5 discuss
evaluating identified control deficiencies, and paragraphs 71-73 of
Auditing Standard No. 5 discuss forming an opinion on the
effectiveness of internal control over financial reporting.
---------------------------------------------------------------------------
APPENDIX A--Definitions
A1. For purposes of this standard, the terms listed below are defined
as follows:
A2. Misstatement--A misstatement, if material individually or in
combination with other misstatements, causes the financial statements
not to be presented fairly in conformity with the applicable financial
reporting framework.\131\ A misstatement may relate to a difference
between the amount, classification, presentation, or disclosure of a
reported financial statement item and the amount, classification,
presentation, or disclosure that should be reported in conformity with
the applicable financial reporting framework. Misstatements can arise
from error (i.e., unintentional misstatement) or fraud.\132\
---------------------------------------------------------------------------
\131\ The auditor should look to the requirements of the
Securities and Exchange Commission for the company under audit with
respect to the accounting principles applicable to that company.
\132\ Paragraph .02 of AU sec. 316, Consideration of Fraud in a
Financial Statement Audit.
---------------------------------------------------------------------------
A3. Uncorrected misstatements--Misstatements, other than those that are
clearly trivial,\133\ that management has not corrected.
---------------------------------------------------------------------------
\133\ Paragraph 10 of this standard states that, ``[t]he auditor
should accumulate misstatements identified during the audit, other
than those that are clearly trivial.''
---------------------------------------------------------------------------
APPENDIX B--Qualitative Factors Related to the Evaluation of the
Materiality of Uncorrected Misstatements
B1. Paragraph 17 of this standard states: The auditor should evaluate
whether uncorrected misstatements are material, individually or in
combination with other misstatements. In making this evaluation, the
auditor should evaluate the misstatements in relation to the specific
accounts and disclosures involved and to the financial statements as a
whole, taking into account relevant quantitative and qualitative
factors.\134\
---------------------------------------------------------------------------
\134\ If the financial statements contain material
misstatements, AU sec. 508, Reports on Audited Financial Statements,
indicates that the auditor should issue a qualified or an adverse
opinion on the financial statements. AU sec. 508.35 discusses
situations in which the financial statements are materially affected
by a departure from the applicable financial reporting framework.
---------------------------------------------------------------------------
Note: In interpreting the federal securities laws, the Supreme
Court of the United States has held that a fact is material if there is
``a substantial likelihood that the * * * fact would have been viewed
by the reasonable investor as having significantly altered the `total
mix' of information made available.'' \135\ As the Supreme Court has
noted, determinations of materiality require ``delicate assessments of
the inferences a `reasonable shareholder' would draw from a given set
of facts and the significance of those inferences to him * * * '' \136\
---------------------------------------------------------------------------
\135\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
\136\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------
Note: As a result of the interaction of quantitative and
qualitative considerations in materiality judgments, uncorrected
misstatements of relatively small amounts could have a material effect
on the financial statements. For example, an illegal payment of an
otherwise immaterial amount could be material if there is a reasonable
possibility \137\ that it could lead to a material contingent liability
or a material loss of revenue.\138\ Also, a misstatement made
intentionally could be material for qualitative reasons, even if
relatively small in amount.
---------------------------------------------------------------------------
\137\ There is a reasonable possibility of an event, as used in
this standard, when the likelihood of the event is either
``reasonably possible'' or ``probable,'' as those terms are used in
the FASB Accounting Standards Codification, Contingencies Topic,
paragraph 450-20-25-1.
\138\ AU sec. 317, Illegal Acts by Clients.
---------------------------------------------------------------------------
B2. Qualitative factors to consider in the auditor's evaluation of the
materiality of uncorrected misstatements, if relevant, include the
following:
a. The potential effect of the misstatement on trends, especially
trends in profitability.
b. A misstatement that changes a loss into income or vice versa.
c. The effect of the misstatement on segment information, for
example, the significance of the matter to a particular segment
important to the future profitability of the company, the pervasiveness
of the matter on the segment information, and the impact of the matter
on trends in segment information, all in relation to the financial
statements taken as a whole.
d. The potential effect of the misstatement on the company's
compliance with loan covenants, other contractual agreements, and
regulatory provisions.
e. The existence of statutory or regulatory reporting requirements
that affect materiality thresholds.
f. A misstatement that has the effect of increasing management's
compensation, for example, by satisfying the requirements for the award
of bonuses or other forms of incentive compensation.
g. The sensitivity of the circumstances surrounding the
misstatement, for example, the implications of misstatements involving
fraud and possible illegal acts, violations of contractual provisions,
and conflicts of interest.
h. The significance of the financial statement element affected by
the misstatement, for example, a misstatement affecting recurring
earnings as contrasted to one involving a non-recurring charge or
credit, such as an extraordinary item.
i. The effects of misclassifications, for example,
misclassification between operating and non-operating income or
recurring and non-recurring income items.
j. The significance of the misstatement or disclosures relative to
known user needs, for example:
The significance of earnings and earnings per share to
public company investors.
The magnifying effects of a misstatement on the
calculation of purchase price in a transfer of interests (buy/sell
agreement).
The effect of misstatements of earnings when contrasted
with expectations.
k. The definitive character of the misstatement, for example, the
precision of an error that is objectively determinable as contrasted
with a misstatement that unavoidably involves a degree of subjectivity
through estimation, allocation, or uncertainty.
l. The motivation of management with respect to the misstatement,
for example, (i) an indication of a possible pattern of bias by
management when developing and accumulating accounting estimates or
(ii) a misstatement precipitated by management's continued
unwillingness to correct weaknesses in the financial reporting process.
[[Page 59355]]
m. The existence of offsetting effects of individually significant
but different misstatements.
n. The likelihood that a misstatement that is currently immaterial
may have a material effect in future periods because of a cumulative
effect, for example, that builds over several periods.
o. The cost of making the correction--it may not be cost-beneficial
for the client to develop a system to calculate a basis to record the
effect of an immaterial misstatement. On the other hand, if management
appears to have developed a system to calculate an amount that
represents an immaterial misstatement, it may reflect a motivation of
management as noted in paragraph B2.l above.
p. The risk that possible additional undetected misstatements would
affect the auditor's evaluation.
APPENDIX C--Matters That Might Affect the Assessment of Fraud Risks
C1. If the following matters are identified during the audit, the
auditor should take into account these matters in the evaluation of the
assessment of fraud risks, as discussed in paragraph 28 of this
standard:
a. Discrepancies in the accounting records, including:
(1) Transactions that are not recorded in a complete or timely
manner or are improperly recorded as to amount, accounting period,
classification, or company policy.
(2) Unsupported or unauthorized balances or transactions.
(3) Last-minute adjustments that significantly affect financial
results.
(4) Evidence of employees' access to systems and records that is
inconsistent with the access that is necessary to perform their
authorized duties.
(5) Tips or complaints to the auditor about alleged fraud.
b. Conflicting or missing evidence, including:
(1) Missing documents.
(2) Documents that appear to have been altered.\139\
---------------------------------------------------------------------------
\139\ Paragraph 9 of Auditing Standard No. 15, Audit Evidence.
---------------------------------------------------------------------------
(3) Unavailability of other than photocopied or electronically
transmitted documents when documents in original form are expected to
exist.
(4) Significant unexplained items in reconciliations.
(5) Inconsistent, vague, or implausible responses from management
or employees arising from inquiries or analytical procedures.
(6) Unusual discrepancies between the company's records and
confirmation responses.
(7) Missing inventory or physical assets of significant magnitude.
(8) Unavailable or missing electronic evidence that is inconsistent
with the company's record retention practices or policies.
(9) Inability to produce evidence of key systems development and
program change testing and implementation activities for current year
system changes and deployments.
(10) Unusual balance sheet changes or changes in trends or
important financial statement ratios or relationships, e.g.,
receivables growing faster than revenues.
(11) Large numbers of credit entries and other adjustments made to
accounts receivable records.
(12) Unexplained or inadequately explained differences between the
accounts receivable subsidiary ledger and the general ledger control
account, or between the customer statement and the accounts receivable
subsidiary ledger.
(13) Missing or nonexistent cancelled checks in circumstances in
which cancelled checks are ordinarily returned to the company with the
bank statement.
(14) Fewer responses to confirmation requests than anticipated or a
greater number of responses than anticipated.
c. Problematic or unusual relationships between the auditor and
management, including:
(1) Denial of access to records, facilities, certain employees,
customers, vendors, or others from whom audit evidence might be sought,
including:\140\
---------------------------------------------------------------------------
\140\ Denial of access to information might constitute a
limitation on the scope of the audit that requires the auditor to
qualify or disclaim an opinion. (See Auditing Standard No. 5, An
Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements, and AU sec. 508,
Reports on Audited Financial Statements.)
---------------------------------------------------------------------------
a. Unwillingness to facilitate auditor access to key electronic
files for testing through the use of computer-assisted audit
techniques.
b. Denial of access to key information technology operations staff
and facilities, including security, operations, and systems
development.
(2) Undue time pressures imposed by management to resolve complex
or contentious issues.
(3) Management pressure on engagement team members, particularly in
connection with the auditor's critical assessment of audit evidence or
in the resolution of potential disagreements with management.
(4) Unusual delays by management in providing requested
information.
(5) Management's unwillingness to add or revise disclosures in the
financial statements to make them more complete and transparent.
(6) Management's unwillingness to appropriately address significant
deficiencies in internal control on a timely basis.
d. Other matters, including:
(1) Objections by management to the auditor meeting privately with
the audit committee.
(2) Accounting policies that appear inconsistent with industry
practices that are widely recognized and prevalent.
(3) Frequent changes in accounting estimates that do not appear to
result from changing circumstances.
(4) Tolerance of violations of the company's code of conduct.
Auditing Standard No. 15
Audit Evidence
Introduction
1. This standard explains what constitutes audit evidence and
establishes requirements regarding designing and performing audit
procedures to obtain sufficient appropriate audit evidence.
2. Audit evidence is all the information, whether obtained from
audit procedures or other sources, that is used by the auditor in
arriving at the conclusions on which the auditor's opinion is based.
Audit evidence consists of both information that supports and
corroborates management's assertions regarding the financial statements
or internal control over financial reporting and information that
contradicts such assertions.
Objective
3. The objective of the auditor is to plan and perform the audit to
obtain appropriate audit evidence that is sufficient to support the
opinion expressed in the auditor's report.\141\
---------------------------------------------------------------------------
\141\ Auditing Standard No. 14, Evaluating Audit Results,
establishes requirements regarding evaluating whether sufficient
appropriate evidence has been obtained. Auditing Standard No. 3,
Audit Documentation, establishes requirements regarding documenting
the procedures performed, evidence obtained, and conclusions reached
in an audit.
---------------------------------------------------------------------------
[[Page 59356]]
Sufficient Appropriate Audit Evidence
4. The auditor must plan and perform audit procedures to obtain
sufficient appropriate audit evidence to provide a reasonable basis for
his or her opinion.
5. Sufficiency is the measure of the quantity of audit evidence.
The quantity of audit evidence needed is affected by the following:
Risk of material misstatement (in the audit of financial
statements) or the risk associated with the control (in the audit of
internal control over financial reporting). As the risk increases, the
amount of evidence that the auditor should obtain also increases. For
example, ordinarily more evidence is needed to respond to significant
risks.\142\
---------------------------------------------------------------------------
\142\ Paragraph A5 of Auditing Standard No. 12, Identifying and
Assessing Risks of Material Misstatement.
---------------------------------------------------------------------------
Quality of the audit evidence obtained. As the quality of
the evidence increases, the need for additional corroborating evidence
decreases. Obtaining more of the same type of audit evidence, however,
cannot compensate for the poor quality of that evidence.
6. Appropriateness is the measure of the quality of audit evidence,
i.e., its relevance and reliability. To be appropriate, audit evidence
must be both relevant and reliable in providing support for the
conclusions on which the auditor's opinion is based.
Relevance and Reliability
7. Relevance. The relevance of audit evidence refers to its
relationship to the assertion or to the objective of the control being
tested. The relevance of audit evidence depends on:
a. The design of the audit procedure used to test the assertion or
control, in particular whether it is designed to (1) test the assertion
or control directly and (2) test for understatement or overstatement;
and
b. The timing of the audit procedure used to test the assertion or
control.
8. Reliability. The reliability of evidence depends on the nature
and source of the evidence and the circumstances under which it is
obtained. For example, in general:
Evidence obtained from a knowledgeable source that is
independent of the company is more reliable than evidence obtained only
from internal company sources.
The reliability of information generated internally by the
company is increased when the company's controls over that information
are effective.
Evidence obtained directly by the auditor is more reliable
than evidence obtained indirectly.
Evidence provided by original documents is more reliable
than evidence provided by photocopies or facsimiles, or documents that
have been filmed, digitized, or otherwise converted into electronic
form, the reliability of which depends on the controls over the
conversion and maintenance of those documents.
9. The auditor is not expected to be an expert in document
authentication. However, if conditions indicate that a document may not
be authentic or that the terms in a document have been modified but
that the modifications have not been disclosed to the auditor, the
auditor should modify the planned audit procedures or perform
additional audit procedures to respond to those conditions and should
evaluate the effect, if any, on the other aspects of the audit.
Using Information Produced by the Company
10. When using information produced by the company as audit
evidence, the auditor should evaluate whether the information is
sufficient and appropriate for purposes of the audit by performing
procedures to: \143\
---------------------------------------------------------------------------
\143\ When using the work of a specialist engaged or employed by
management, see AU sec. 336, Using the Work of a Specialist. When
using information produced by a service organization or a service
auditor's report as audit evidence, see AU sec. 324, Service
Organizations, and for integrated audits, see Auditing Standard No.
5, An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
Test the accuracy and completeness of the information, or
test the controls over the accuracy and completeness of that
information; and
Evaluate whether the information is sufficiently precise
and detailed for purposes of the audit.
Financial Statement Assertions
11. In representing that the financial statements are presented
fairly in conformity with the applicable financial reporting framework,
management implicitly or explicitly makes assertions regarding the
recognition, measurement, presentation, and disclosure of the various
elements of financial statements and related disclosures. Those
assertions can be classified into the following categories:
- Existence or occurrence--Assets or liabilities of the
  company exist at a given date, and recorded transactions have occurred
  during a given period.
- Completeness--All transactions and accounts that should be
  presented in the financial statements are so included.
- Valuation or allocation--Asset, liability, equity,
  revenue, and expense components have been included in the financial
  statements at appropriate amounts.
- Rights and obligations--The company holds or controls
  rights to the assets, and liabilities are obligations of the company at
  a given date.
- Presentation and disclosure--The components of the
  financial statements are properly classified, described, and disclosed.
12. The auditor may base his or her work on financial statement
assertions that differ from those in this standard if the assertions
are sufficient for the auditor to identify the types of potential
misstatements and to respond appropriately to the risks of material
misstatement in each significant account and disclosure that has a
reasonable possibility \144\ of containing misstatements that would
cause the financial statements to be materially misstated, individually
or in combination with other misstatements.\145\
---------------------------------------------------------------------------
\144\ There is a reasonable possibility of an event, as used in
this standard, when the likelihood of the event is either
``reasonably possible'' or ``probable,'' as those terms are used in
the FASB Accounting Standards Codification, Contingencies Topic,
paragraph 450-20-25-1.
\145\ For an integrated audit, also see paragraph 28 of Auditing
Standard No. 5.
---------------------------------------------------------------------------
Audit Procedures for Obtaining Audit Evidence
13. Audit procedures can be classified into the following
categories:
a. Risk assessment procedures,\146\ and
---------------------------------------------------------------------------
\146\ Auditing Standard No. 12.
---------------------------------------------------------------------------
b. Further audit procedures,\147\ which consist of:
---------------------------------------------------------------------------
\147\ Auditing Standard No. 13, The Auditor's Responses to the
Risks of Material Misstatement.
---------------------------------------------------------------------------
(1) Tests of controls, and
(2) Substantive procedures, including tests of details and
substantive analytical procedures.
14. Paragraphs 15-21 of this standard describe specific audit
procedures. The purpose of an audit procedure determines whether it is
a risk assessment procedure, test of controls, or substantive
procedure.
Inspection
15. Inspection involves examining records or documents, whether
internal or external, in paper form, electronic form, or other media,
or physically examining an asset. Inspection of records and documents
provides audit evidence of varying degrees of reliability, depending on
their nature and source and, in the case of internal records and
documents, on the effectiveness of the controls over their
production. An example of inspection used as a test of controls is
inspection of records for evidence of authorization.
Observation
16. Observation consists of looking at a process or procedure being
performed by others, e.g., the auditor's observation of inventory
counting by the company's personnel or the performance of control
activities. Observation can provide audit evidence about the
performance of a process or procedure, but the evidence is limited to
the point in time at which the observation takes place and also is
limited by the fact that the act of being observed may affect how the
process or procedure is performed.\148\
---------------------------------------------------------------------------
\148\ AU sec. 331, Inventories, establishes requirements
regarding observation of the counting of inventory.
---------------------------------------------------------------------------
Inquiry
17. Inquiry consists of seeking information from knowledgeable
persons in financial or nonfinancial roles within the company or
outside the company. Inquiry may be performed throughout the audit in
addition to other audit procedures. Inquiries may range from formal
written inquiries to informal oral inquiries. Evaluating responses to
inquiries is an integral part of the inquiry process.\149\
---------------------------------------------------------------------------
\149\ AU sec. 333, Management Representations, establishes
requirements regarding written management representations, including
confirmation of management responses to oral inquiries.
---------------------------------------------------------------------------
Note: Inquiry of company personnel, by itself, does not provide
sufficient audit evidence to reduce audit risk to an appropriately low
level for a relevant assertion or to support a conclusion about the
effectiveness of a control.
Confirmation
18. A confirmation response represents a particular form of audit
evidence obtained by the auditor from a third party in accordance with
PCAOB standards.\150\
---------------------------------------------------------------------------
\150\ AU sec. 330, The Confirmation Process.
---------------------------------------------------------------------------
Recalculation
19. Recalculation consists of checking the mathematical accuracy of
documents or records. Recalculation may be performed manually or
electronically.
Reperformance
20. Reperformance involves the independent execution of procedures
or controls that were originally performed by company personnel.
Analytical Procedures
21. Analytical procedures consist of evaluations of financial
information made by a study of plausible relationships among both
financial and nonfinancial data. Analytical procedures also encompass
the investigation of significant differences from expected
amounts.\151\
---------------------------------------------------------------------------
\151\ AU sec. 329, Substantive Analytical Procedures,
establishes requirements on performing analytical procedures as
substantive procedures.
---------------------------------------------------------------------------
Selecting Items for Testing to Obtain Audit Evidence
22. Designing substantive tests of details and tests of controls
includes determining the means of selecting items for testing from
among the items included in an account or the occurrences of a control.
The auditor should determine the means of selecting items for testing
to obtain evidence that, in combination with other relevant evidence,
is sufficient to meet the objective of the audit procedure. The
alternative means of selecting items for testing are:
- Selecting all items;
- Selecting specific items; and
- Audit sampling.
23. The particular means or combination of means of selecting items
for testing that is appropriate depends on the nature of the audit
procedure, the characteristics of the control or the items in the
account being tested, and the evidence necessary to meet the objective
of the audit procedure.
Selecting All Items
24. Selecting all items (100 percent examination) refers to testing
the entire population of items in an account or the entire population
of occurrences of a control (or an entire stratum within one of those
populations). The following are examples of situations in which 100
percent examination might be applied:
- The population constitutes a small number of large value
  items;
- The audit procedure is designed to respond to a
  significant risk, and other means of selecting items for testing do not
  provide sufficient appropriate audit evidence; and
- The audit procedure can be automated effectively and
  applied to the entire population.
Selecting Specific Items
25. Selecting specific items refers to testing all of the items in
a population that have a specified characteristic, such as:
- Key items. The auditor may decide to select specific items
  within a population because they are important to accomplishing the
  objective of the audit procedure or exhibit some other characteristic,
  e.g., items that are suspicious, unusual, or particularly risk-prone or
  items that have a history of error.
- All items over a certain amount. The auditor may decide to
  examine items whose recorded values exceed a certain amount to verify a
  large proportion of the total amount of the items included in an
  account.
26. The auditor also might select specific items to obtain an
understanding about matters such as the nature of the company or the
nature of transactions.
27. The application of audit procedures to items that are selected
as described in paragraphs 25-26 of this standard does not constitute
audit sampling, and the results of those audit procedures cannot be
projected to the entire population.\152\
---------------------------------------------------------------------------
\152\ If misstatements are identified in the selected items, see
paragraphs 12-13 and paragraphs 17-19 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Audit Sampling
28. Audit sampling is the application of an audit procedure to less
than 100 percent of the items within an account balance or class of
transactions for the purpose of evaluating some characteristic of the
balance or class.\153\
---------------------------------------------------------------------------
\153\ AU sec. 350, Audit Sampling, establishes requirements
regarding audit sampling.
---------------------------------------------------------------------------
Inconsistency in, or Doubts about the Reliability of, Audit Evidence
29. If audit evidence obtained from one source is inconsistent with
that obtained from another, or if the auditor has doubts about the
reliability of information to be used as audit evidence, the auditor
should perform the audit procedures necessary to resolve the matter and
should determine the effect, if any, on other aspects of the audit.
Conforming Amendment to PCAOB Interim Quality Control Standards
Auditing Standards
AU sec. 110, ``Responsibilities and Functions of the Independent
Auditor''
Statement on Auditing Standards (``SAS'') No. 1, ``Codification of
Auditing Standards and Procedures'' section 110, ``Responsibilities and
Functions of the Independent Auditor'' (AU sec. 110, ``Responsibilities
and Functions of the Independent Auditor''), as amended, is amended as
follows: Within footnote 1 to paragraph .02, the reference to section
312, Audit Risk and Materiality in Conducting an Audit, is replaced
with a reference to Auditing Standard No. 11, Consideration of
Materiality in Planning and Performing an Audit.
AU sec. 150, ``Generally Accepted Auditing Standards''
SAS No. 95, ``Generally Accepted Auditing Standards'' (AU sec. 150,
``Generally Accepted Auditing Standards''), as amended, is amended as
follows:
a. Within paragraph .02, in the third standard of field work, the
word ``competent'' is replaced with the word ``appropriate.''
b. Footnote 2 to paragraph .04 is deleted.
AU sec. 210, ``Training and Proficiency of the Independent
Auditor''
SAS No. 1, ``Codification of Auditing Standards and Procedures''
section 210, ``Training and Proficiency of the Independent Auditor''
(AU sec. 210, ``Training and Proficiency of the Independent Auditor''),
as amended, is amended as follows:
The last sentence of paragraph .03 is replaced with: The engagement
partner must exercise seasoned judgment in the varying degrees of his
supervision and review of the work done and judgments exercised by his
subordinates, who in turn must meet the responsibilities attaching to
the varying gradations and functions of their work.
AU sec. 230, ``Due Professional Care in the Performance of Work''
SAS No. 1, ``Codification of Auditing Standards and Procedures''
section 230, ``Due Professional Care in the Performance of Work'' (AU
sec. 230, ``Due Professional Care in the Performance of Work''), as
amended, is amended as follows:
a. The second and third sentences of paragraph .06 are replaced
with: The engagement partner should know, at a minimum, the relevant
professional accounting and auditing standards and should be
knowledgeable about the client. The engagement partner is responsible
for the assignment of tasks to, and supervision of, the members of the
engagement team.\fn4\
b. Footnote 3 to paragraph .06 is deleted.
c. Within footnote 4 to paragraph .06, the phrase ``See section
311.11'' is replaced with, ``See Auditing Standard No. 10, Supervision
of the Audit Engagement.''
d. Footnote 6 to paragraph .11 is deleted.
e. In the first sentence of paragraph .11, the word ``competent''
is replaced with the word ``appropriate.''
f. At the end of the fifth sentence of paragraph .12, the following
parenthetical is added: ``(See paragraph 9 of Auditing Standard No. 15,
Audit Evidence.)''
AU sec. 310, ``Appointment of the Independent Auditor''
SAS No. 1, ``Codification of Auditing Standards and Procedures''
section 310, ``Appointment of the Independent Auditor'' (AU sec. 310,
``Appointment of the Independent Auditor''), as amended, is amended as
follows:
a. Within footnote ** to the title of the standard, the sentence
``(See section 313.)'' is deleted.
b. Paragraph .02 is replaced with: Audit planning is discussed in
Auditing Standard No. 9, Audit Planning, and supervision of engagement
team members is discussed in Auditing Standard No. 10, Supervision of
the Audit Engagement.
c. In paragraph .03, the sentence ``(See section 313)'' is deleted.
d. Within footnote 3 to paragraph .06, the reference to Section
312, Audit Risk and Materiality in Conducting an Audit, paragraph .04,
is replaced with a reference to Paragraph A2 of Auditing Standard No.
14, Evaluating Audit Results.
AU sec. 311, ``Planning and Supervision''
SAS No. 22, ``Planning and Supervision'' (AU sec. 311, ``Planning
and Supervision''), as amended, is superseded.
AU sec. 9311, ``Planning and Supervision: Auditing Interpretations
of Section 311''
AU sec. 9311, ``Planning and Supervision: Auditing Interpretations
of Section 311'', as amended, is superseded.
AU sec. 312, ``Audit Risk and Materiality in Conducting an Audit''
SAS No. 47, ``Audit Risk and Materiality in Conducting an Audit''
(AU sec. 312, ``Audit Risk and Materiality in Conducting an Audit''),
as amended, is superseded.
AU sec. 9312, ``Audit Risk and Materiality in Conducting an Audit:
Auditing Interpretations of Section 312''
AU sec. 9312, ``Audit Risk and Materiality in Conducting an Audit:
Auditing Interpretations of Section 312'' is superseded.
AU sec. 313, ``Substantive Tests Prior to the Balance Sheet Date''
SAS No. 45, ``Omnibus Statement on Auditing Standards--1983'' (AU
sec. 313, ``Substantive Tests Prior to the Balance Sheet Date''), as
amended, is superseded.
AU sec. 315, ``Communications Between Predecessor and Successor
Auditors''
SAS No. 84, ``Communications Between Predecessor and Successor
Auditors'' (AU sec. 315, ``Communications Between Predecessor and
Successor Auditors''), as amended, is amended as follows:
a. In the first sentence of paragraph .12, the word ``competent''
is replaced with the word ``appropriate.''
b. In the first sentence of paragraph .18, the word ``competent''
is replaced with the word ``appropriate.''
AU sec. 316, ``Consideration of Fraud in a Financial Statement
Audit''
SAS No. 99, ``Consideration of Fraud in a Financial Statement
Audit'' (AU sec. 316, ``Consideration of Fraud in a Financial Statement
Audit''), as amended, is amended as follows:
a. The second sentence of paragraph .01 is replaced with: This
section establishes requirements and provides direction relevant to
fulfilling that responsibility, as it relates to fraud, in an audit of
financial statements.\fn2\
b. In footnote 1 to paragraph .01, delete the following
information: ``(see section 312, Audit Risk and Materiality in Conducting
an Audit,'' and the closing parenthesis at the end of that sentence.
c. Footnote 2 to paragraph .01 is replaced with: For purposes of
this standard, the term ``audit of financial statements'' refers to the
financial statement portion of the integrated audit and to the audit of
financial statements only.
d. The following paragraph .01A is added: Auditing Standard No. 12,
Identifying and Assessing Risks of Material Misstatement, establishes
requirements regarding the process of identifying and assessing risks
of material misstatement of the financial statements. Auditing Standard
No. 13, The Auditor's Responses to the Risks of Material Misstatement,
establishes requirements regarding designing and implementing
appropriate responses to the risks of material misstatement. Auditing
Standard No. 14, Evaluating Audit Results, establishes requirements
regarding the auditor's evaluation of audit results and determination
of whether he or she has obtained sufficient appropriate audit
evidence.
e. In paragraph .02:
- The third through the sixth bullet points are deleted.
- The seventh bullet point is replaced with: Responding to
  fraud risks
  This section discusses certain responses to fraud risks involving
  the nature, timing, and extent of audit procedures, including:
    - Responses to assessed fraud risks relating to fraudulent
      financial reporting and misappropriation of assets (see paragraphs .52
      through .56).
    - Responses to specifically address the fraud risks arising
      from management override of internal controls (see paragraphs .57
      through .67).
- The eighth bullet point is deleted.
f. Paragraph .03 is deleted.
g. Footnote 5 to paragraph .06 is replaced with: The auditor should
look
to the requirements of the Securities and Exchange Commission for the
company under audit with respect to accounting principles applicable to
that company.
h. In the third sentence of paragraph .13, the term ``the risk of
material misstatement due to fraud'' is replaced with the term ``fraud
risks.''
i. Paragraphs .14 through .45 are deleted, along with the preceding
heading, ``Discussion Among Engagement Personnel Regarding the Risks of
Material Misstatement Due to Fraud.''
j. Footnotes 8 through 19 related to paragraphs .14 through .45 are
deleted.
k. Paragraphs .46 through .50 are deleted. The heading preceding
paragraph .46, ``Responding to the Results of the Assessment,'' is
replaced with the heading ``Responding to Assessed Fraud Risks.''
l. Paragraph .51 is deleted. The heading preceding paragraph .51,
``Responses Involving the Nature, Timing, and Extent of Procedures to
Be Performed to Address the Identified Risks,'' is replaced with the
heading ``Responses Involving the Nature, Timing, and Extent of
Procedures to Be Performed.''
m. Paragraph .52 is replaced with: Paragraph 8 of Auditing Standard
No. 13, The Auditor's Responses to the Risks of Material Misstatement,
states that ``[t]he auditor should design and perform audit procedures
in a manner that addresses the assessed risks of material misstatement
due to error or fraud for each relevant assertion of each significant
account and disclosure.'' Paragraph 12 of Auditing Standard No. 13
states that ``the audit procedures that are necessary to address the
assessed fraud risks depend upon the types of risks and the relevant
assertions that might be affected.''
Note: Paragraph 71.b. of Auditing Standard No. 12, Identifying and
Assessing Risks of Material Misstatement, states that a fraud risk is a
significant risk. Accordingly, the requirement for responding to
significant risks also applies to fraud risks.
n. In paragraph .53:
- The first sentence is replaced with: The following are
  examples of responses to assessed fraud risks involving the nature,
  timing, and extent of audit procedures:
- The fifth bullet point is replaced with: Interviewing
  personnel involved in activities in areas in which a fraud risk has
  been identified to obtain their insights about the risk and how
  controls address the risk. (See paragraph 54 of Auditing Standard No.
  12, Identifying and Assessing Risks of Material Misstatement)
- In the sixth bullet point, the term ``risk of material
  misstatement due to fraud'' is replaced with the term ``fraud risk.''
o. Footnote 20 to paragraph .53 is replaced with: AU sec. 329,
Substantive Analytical Procedures, establishes requirements regarding
performing analytical procedures as substantive tests.
p. The heading preceding paragraph .54, ``Additional Examples of
Responses to Identified Risks of Misstatements Arising From Fraudulent
Financial Reporting,'' is replaced with the heading ``Additional
Examples of Audit Procedures Performed to Respond to Assessed Fraud
Risks Relating to Fraudulent Financial Reporting.''
q. The first sentence in paragraph .54 is replaced with: The
following are additional examples of audit procedures that might be
performed in response to assessed fraud risks relating to fraudulent
financial reporting:
r. In paragraph .54:
- In the last sentence of the first bullet point, the term
  ``risk of material misstatement due to fraud'' is replaced with the
  term ``fraud risk.''
- In the first sentence of the second bullet point, the term
  ``risk of material misstatement due to fraud'' is replaced with the
  term ``fraud risk.''
- In the first sentence of the third bullet point and the
  accompanying paragraph to the third bullet point, the term ``risk of
  material misstatement due to fraud'' is replaced with the term ``fraud
  risk.''
s. Footnotes 21 and 22 to paragraph .54 are amended as follows:
- The text of footnote 21 is replaced with ``AU sec. 330,
  The Confirmation Process, establishes requirements regarding the
  confirmation process in audits of financial statements.''
- The text of footnote 22 is replaced with ``AU sec. 336,
  Using the Work of a Specialist, establishes requirements for an auditor
  who uses the work of a specialist in performing an audit of financial
  statements.''
t. The heading preceding paragraph .55, ``Examples of Responses to
Identified Risks of Misstatements Arising From Misappropriations of
Assets,'' is replaced with the heading ``Examples of Audit Procedures
Performed to Respond to Fraud Risks Relating to Misappropriations of
Assets.''
u. In the first sentence of paragraph .55, the term ``risk of
material misstatement due to fraud'' is replaced with the term ``fraud
risk.''
v. In paragraph .56:
- The first and second sentences are replaced with: The
  audit procedures performed in response to a fraud risk relating to
  misappropriation of assets usually will be directed toward certain
  account balances. Although some of the audit procedures noted in
  paragraphs .53 and .54 and in paragraphs 8 through 15 of Auditing
  Standard No. 13, The Auditor's Responses to the Risks of Material
  Misstatement, may apply in such circumstances, such as the procedures
  directed at inventory quantities, the scope of the work should be
  linked to the specific information about the misappropriation risk that
  has been identified.
- In the third sentence, the words ``design and'' are added
  before the words ``operating effectiveness.''
w. The heading preceding paragraph .57, ``Responses to Further
Address the Risk of Management Override of Controls,'' is replaced with
the heading ``Audit Procedures Performed to Specifically Address the
Risk of Management Override of Controls.''
x. The third sentence of paragraph .57 is replaced with:
Accordingly, as part of the auditor's responses that address fraud
risks, the procedures described in paragraphs .58 through .67 should be
performed to specifically address the risk of management override of
controls.
y. Footnote 23 to paragraph .58 is replaced with: See paragraphs 28
through 32 of Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
z. In paragraph .61:
- In the first sentence of the first bullet point, the term
  ``the risk of material misstatement due to fraud'' is replaced with the
  term ``fraud risk.''
- In the second bullet point, the last two sentences are
  replaced with the following: Effective controls over the preparation
  and posting of journal entries and adjustments may affect the extent of
  substantive testing necessary, provided that the auditor has tested the
  controls. However, even though controls might be implemented and
  operating effectively, the auditor's substantive procedures for testing
  journal entries and other adjustments should include the identification
  and substantive testing of specific items.
- In item (f) of the fifth bullet point, the term ``risk of
  material misstatement due to fraud'' is replaced with the term ``fraud
  risk.''
- The last sentence of the fifth bullet point is replaced
  with: In audits of entities that have multiple locations or business
  units, the auditor should determine whether to select journal entries
  from locations based on factors set forth in paragraphs 11 through 14
  of Auditing Standard No. 9, Audit Planning.
aa. The last sentence of paragraph .63 is replaced with: Paragraphs
24 through 27 of Auditing Standard No. 14, Evaluating Audit Results,
discuss the auditor's responsibilities for assessing bias in accounting
estimates and the effect of bias on the financial statements.
bb. Paragraphs .68 through .78 are deleted, along with the
preceding heading ``Evaluating Audit Evidence.''
cc. Footnotes 26 through 36 related to paragraphs .68 through .78
are deleted.
dd. In the first sentence of paragraph .80, the term ``risks of
material misstatement due to fraud'' is replaced with the term ``fraud
risks.''
ee. The last sentence of paragraph .80 is replaced with: The
auditor also should evaluate whether the absence of or deficiencies in
controls that address fraud risks or otherwise help prevent, deter, and
detect fraud (see paragraphs 72-73 of Auditing Standard No. 12,
Identifying and Assessing Risks of Material Misstatement) represent
significant deficiencies or material weaknesses that should be
communicated to senior management and the audit committee.
ff. The first sentence of paragraph .81 is replaced with: The
auditor also should consider communicating other fraud risks, if any,
identified by the auditor.
gg. In paragraph .83:
- The reference in the first bullet point to paragraphs .14
  through .17 is replaced with a reference to paragraphs 52 and 53 of
  Auditing Standard No. 12, Identifying and Assessing Risks of Material
  Misstatement.
- The term ``risks of material misstatement due to fraud''
  in the first sentence of the second bullet point is replaced with the
  term ``fraud risks.'' The reference in the second bullet point to
  paragraphs .19 through .34 is replaced with references to paragraph 47,
  paragraphs 56 through 58, and paragraphs 65 through 69 of Auditing
  Standard No. 12, Identifying and Assessing Risks of Material
  Misstatement.
- The third bullet point is replaced with: The fraud risks
  that were identified at the financial statement and assertion levels
  (see paragraphs 59 through 69 of Auditing Standard No. 12, Identifying
  and Assessing Risks of Material Misstatement), and the linkage of those
  risks to the auditor's response (see paragraphs 5 through 15 of
  Auditing Standard No. 13, The Auditor's Responses to the Risks of
  Material Misstatement).
- Within the fourth bullet point, the term ``risk of
  material misstatement due to fraud'' in the first sentence is replaced
  with the term ``fraud risk,'' and the reference to paragraph .41 is
  replaced with a reference to paragraph 68 of Auditing Standard No. 12,
  Identifying and Assessing Risks of Material Misstatement.
- The fifth bullet point is replaced with: The results of
  the procedures performed to address the assessed fraud risks, including
  those procedures performed to further address the risk of management
  override of controls (See paragraph 15 of Auditing Standard No. 13, The
  Auditor's Responses to the Risks of Material Misstatement.)
- The reference in the sixth bullet point to paragraphs .68
  through .73 is replaced with a reference to paragraphs 5 through 9 of
  Auditing Standard No. 14, Evaluating Audit Results.
hh. Paragraph .84 and the heading preceding this paragraph,
``Effective Date,'' are deleted.
ii. The first sentence of paragraph .85 is replaced with: This
appendix contains examples of risk factors discussed in paragraphs 65
through 69 of Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
AU sec. 317, ``Illegal Acts by Clients''
SAS No. 54, ``Illegal Acts by Clients'' (AU sec. 317, ``Illegal
Acts by Clients'') is amended as follows:
a. The last sentence of paragraph .13 is replaced with: For
example, an illegal payment of an otherwise immaterial amount could be
material if there is a reasonable possibility that it could lead to a
material contingent liability or a material loss of revenue.
b. In paragraph .19, the word ``competent'' is replaced with the
word ``appropriate.''
AU sec. 319, ``Consideration of Internal Control in a Financial
Statement Audit''
SAS No. 55, ``Consideration of Internal Control in a Financial
Statement Audit'' (AU sec. 319, ``Consideration of Internal Control in
a Financial Statement Audit''), as amended, is superseded.
AU sec. 322, ``The Auditor's Consideration of the Internal Audit
Function in an Audit of Financial Statements''
SAS No. 65, ``The Auditor's Consideration of the Internal Audit
Function in an Audit of Financial Statements'' (AU sec. 322, ``The
Auditor's Consideration of the Internal Audit Function in an Audit of
Financial Statements''), as amended, is amended as follows:
a. In the first sentence of paragraph .02, the word ``competent''
is replaced with the word ``appropriate.''
b. Footnote 3 to paragraph .04 is replaced with: Auditing Standard
No. 12, Identifying and Assessing Risks of Material Misstatement,
describes the procedures the auditor performs to obtain an
understanding of internal control over financial reporting.
c. In the first sentence of paragraph .18, the word ``competent''
is replaced with the word ``appropriate.''
d. Within footnote 5 to paragraph .18, the reference to section
326, Evidential Matter, paragraph .19c. is replaced with a reference to
paragraph 8 of Auditing Standard No. 15, Audit Evidence.
e. Within footnote 8 to paragraph .27, the reference to section
311, Planning and Supervision, paragraphs .11 through .14 is replaced
with a reference to Auditing Standard No. 10, Supervision of the Audit
Engagement.
AU sec. 324, ``Service Organizations''
SAS No. 70, ``Service Organizations'' (AU sec. 324, ``Service
Organizations''), as amended, is amended as follows:
a. In the first sentence of paragraph .07, the reference to Section
319, Consideration of Internal Control in a Financial Statement Audit,
is replaced with a reference to Auditing Standard No. 12, Identifying
and Assessing Risks of Material Misstatement.
b. In the first sentence of paragraph .16, the reference to section
319.90 through .99 is replaced with a reference to paragraph 18 and
paragraphs 29 through 31 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.
c. In the second sentence of paragraph .23, the reference to
section 312, Audit Risk and Materiality in Conducting an Audit, is
replaced with a reference to Auditing Standard No. 14, Evaluating Audit
Results.
AU sec. 326, ``Evidential Matter''
SAS No. 31, ``Evidential Matter'' (AU sec. 326, ``Evidential
Matter''), as amended, is superseded.
AU sec. 9326, ``Evidential Matter: Auditing Interpretations of
Section 326''
AU sec. 9326, ``Evidential Matter: Auditing Interpretations of
Section 326,'' as amended, is amended as follows:
a. Paragraphs .01-.05 are deleted, along with the preceding heading
``1. Evidential Matter for an Audit of Interim Financial Statements.''
b. The reference in paragraph .10 to Section 326, Evidential
Matter, paragraph .25, is replaced with a reference to Paragraph 35 of
Auditing Standard No. 14, Evaluating Audit Results.
c. In the first and second sentences of paragraph .10, the word
``competent'' is replaced with the word ``appropriate.''
d. In the second sentence of paragraph .12, the word ``competent''
is replaced with the word ``appropriate.''
e. The last two sentences of paragraph .12 are deleted.
f. In the first sentence of paragraph .13, the word ``competent''
is replaced with the word ``appropriate.''
g. In paragraph .17, the word ``competent'' is replaced with the
word ``appropriate.''
h. In the second sentence of paragraph .21, the word ``competent''
is replaced with the word ``appropriate.''
i. In the fourth sentence of paragraph .22, the word ``competent''
is replaced with the word ``appropriate.''
j. In paragraph .23, the word ``competent'' is replaced with the
word ``appropriate.''
k. Paragraphs .24-.41 are deleted, along with the headings ``3. The
Auditor's Consideration of the Completeness Assertion'' and ``4.
Applying Auditing Procedures to Segment Disclosures in Financial
Statements.''
AU sec. 328, ``Auditing Fair Value Measurements and Disclosures''
SAS No. 101, ``Auditing Fair Value Measurements and Disclosures''
(AU sec. 328, ``Auditing Fair Value Measurements and Disclosures''), as
amended, is amended as follows:
a. In the first sentence of paragraph .03, the word ``competent''
is replaced with the word ``appropriate.''
b. The phrase in paragraph .11 ``Section 319, Consideration of
Internal Control in a Financial Statement Audit, as amended,'' is
replaced with ``Auditing Standard No. 12, Identifying and Assessing
Risks of Material Misstatement,''
c. The reference in paragraph .14 to Section 319 is replaced with a
reference to Paragraph A5, second note of Auditing Standard No. 5, An
Audit of Internal Control Over Financial Reporting That Is Integrated
with An Audit of Financial Statements.
d. In the second sentence of paragraph .14, the reference ``(see
section 316, Consideration of Fraud in a Financial Statement Audit'' is
deleted.
e. Within paragraph .25, in the second sentence of the second
bullet point and in the first sentence in the third bullet point, the
word ``competent'' is replaced with the word ``appropriate.''
f. In the second sentence of paragraph .32, the word ``competent''
is replaced with the word ``appropriate.''
g. In the first sentence of paragraph .42, the word ``competent''
is replaced with the word ``appropriate.''
h. In footnote 8 to paragraph .43, the reference to section 431,
Adequacy of Disclosure in Financial Statements, is replaced with a
reference to ``paragraph 31 of Auditing Standard No. 14, Evaluating
Audit Results.''
i. In the second sentence of paragraph .44, the word ``competent''
is replaced with the word ``appropriate.''
j. The reference in paragraph .47 to section 312, Audit Risk and
Materiality in Conducting an Audit, paragraphs .36 through .41, is
replaced with a reference to paragraphs 12 through 18 and 24 through 27
of Auditing Standard No. 14, Evaluating Audit Results.
AU sec. 329, ``Analytical Procedures''
SAS No. 56, ``Analytical Procedures'' (AU sec. 329, ``Analytical
Procedures''), as amended, is amended as follows:
a. The title of the standard, ``Analytical Procedures,'' is
replaced with the title, ``Substantive Analytical Procedures.''
b. The text of paragraph .01 is replaced with: This section
establishes requirements regarding the use of substantive analytical
procedures in an audit.
Note: Auditing Standard No. 12, Identifying and Assessing Risks of
Material Misstatement, establishes requirements regarding performing
analytical procedures as a risk assessment procedure in identifying and
assessing risks of material misstatement.
Note: Auditing Standard No. 14, Evaluating Audit Results,
establishes requirements regarding performing analytical procedures as
part of the overall review stage of the audit.
c. The last sentence of paragraph .03 is deleted.
d. The text of paragraph .04 is replaced with: Analytical
procedures are used as a substantive test to obtain evidential matter
about particular assertions related to account balances or classes of
transactions. In some cases, analytical procedures can be more
effective or efficient than tests of details for achieving particular
substantive testing objectives.
e. Paragraphs .06-.08 and the preceding heading, ``Analytical
Procedures in Planning the Audit,'' are deleted.
f. At the end of paragraph .09, the following new sentence is
added: (See paragraph 11 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.)
g. Within footnote 1 to paragraph .09, the reference to section
326, Evidential Matter, is replaced with a reference to Auditing
Standard No. 15, Audit Evidence.
h. Footnote 2 to paragraph .20 is deleted.
i. In paragraph .21:
In the fourth sentence, the word ``likely'' is deleted.
The reference to section 316, Consideration of Fraud in a
Financial Statement Audit, is replaced with a reference to Auditing
Standard No. 14, Evaluating Audit Results.
j. Footnote 3 to paragraph .21 is deleted.
k. Paragraph .23 and the preceding heading, ``Analytical Procedures
Used in the Overall Review,'' and paragraph .24 and the preceding
heading, ``Effective Date,'' are deleted.
AU sec. 330, ``The Confirmation Process''
SAS No. 67, ``The Confirmation Process'' (AU sec. 330, ``The
Confirmation Process''), is amended as follows:
a. The references in paragraph .02 to section 312, Audit Risk and
Materiality in Conducting an Audit, and section 313, Substantive Tests
Prior to the Balance-Sheet Date, are replaced with a reference to
Auditing Standard No. 13, The Auditor's Responses to the Risks of
Material Misstatement.
b. The reference in paragraph .05 to Section 312 is replaced with a
reference to Auditing Standard No. 8, Audit Risk.
c. The second sentence of paragraph .06 is replaced with: See
paragraph 8 of Auditing Standard No. 15, Audit Evidence, which
discusses the reliability of audit evidence.
d. In the first sentence of paragraph .11, the word ``competent''
is replaced with the word ``appropriate.''
e. In the third sentence of paragraph .11, the reference to Section
326 is replaced with a reference to Auditing Standard No. 15, Audit
Evidence.
f. In the first sentence of paragraph .24, the word ``competence''
is replaced with the word ``appropriateness.''
g. In the last sentence of paragraph .27, the word ``competent'' is
replaced with the word ``appropriate.''
AU sec. 332, ``Auditing Derivative Instruments, Hedging Activities,
and Investments in Securities''
SAS No. 92, ``Auditing Derivative Instruments, Hedging Activities,
and Investment in Securities'' (AU sec. 332, ``Auditing Derivative
Instruments, Hedging Activities, and Investments in Securities''), as
amended, is amended as follows:
a. The reference in paragraph .01 to section 326, Evidential
Matter, paragraphs .03-.08, is replaced with a reference to paragraphs
11 and 12 of Auditing Standard No. 15, Audit Evidence.
b. Paragraph .06 is replaced with: Auditing Standard No. 9, Audit
Planning, discusses the auditor's responsibilities for consideration of
the use of persons with specialized skill or knowledge. Auditing
Standard No. 10,
Supervision of the Audit Engagement, discusses the auditor's
responsibilities for supervision of specialists who are employed by the
auditor. AU sec. 336, Using the Work of a Specialist, discusses the
auditor's responsibilities for using the work of a specialist engaged
by the auditor.
c. The first and second sentences of paragraph .07 are deleted. The
third sentence is replaced with:
The auditor should design and perform audit procedures regarding
relevant assertions of derivatives and investments in securities that
are based on and that address the risks of material misstatement in
those assertions.
d. The reference in paragraph .09 to Section 319, Consideration of
Internal Control in a Financial Statement Audit, is replaced with a
reference to Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
e. The fourth sentence of paragraph .11 is replaced with
``Paragraphs 28 through 32 and B1 through B6 of Auditing Standard No.
12, Identifying and Assessing Risks of Material Misstatement, discuss
the information system, including related business processes, relevant
to financial reporting.''
f. In paragraph .15, the reference to section 319 is replaced with
a reference to Auditing Standard No. 12, Identifying and Assessing
Risks of Material Misstatement.
g. The last sentence of paragraph .35 is replaced with: In
addition, paragraphs 24 through 27 of Auditing Standard No. 14,
Evaluating Audit Results, describe the auditor's responsibilities for
assessing bias in accounting estimates.
h. In paragraph .43, subparagraph a., the word ``competent'' is
replaced with the word ``appropriate.''
i. In paragraph .51, the last sentence is replaced with: (See
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.)
j. In paragraph .57, subparagraph c., the word ``competent'' is
replaced with the word ``appropriate.''
AU sec. 333, ``Management Representations''
SAS No. 85, ``Management Representations'' (AU sec. 333,
``Management Representations''), as amended, is amended as follows:
a. Footnote 4 to paragraph .06 is replaced with: Auditing Standard
No. 14, Evaluating Audit Results, indicates that a misstatement can
arise from error or fraud and also discusses the auditor's
responsibilities for evaluating accumulated misstatements.
b. Within footnote 6 to paragraph .06, the reference to Section 312
is replaced with a reference to Paragraph 11 of Auditing Standard No.
14, Evaluating Audit Results.
c. Within footnote 7 to paragraph .06, the reference to section
316, Consideration of Fraud in a Financial Statement Audit, paragraphs
.38 through .40, is replaced with a reference to section 316,
Consideration of Fraud in a Financial Statement Audit, paragraphs .79
through .82.
AU sec. 334, ``Related Parties''
SAS No. 45, ``Related Parties'' (AU sec. 334, ``Related Parties''),
is amended as follows:
a. In the second sentence of paragraph .09, the word ``competent''
is replaced with the word ``appropriate.''
b. In the first sentence of paragraph .11, the word ``competent''
is replaced with the word ``appropriate.''
c. In footnote 8 to paragraph .11, the reference to section 431,
Adequacy of Disclosure in Financial Statements, is replaced with a
reference to paragraph 31 of Auditing Standard No. 14, Evaluating Audit
Results.
AU sec. 9334, ``Related Parties: Auditing Interpretations of
Section 334''
AU sec. 9334, ``Related Parties: Auditing Interpretations of
Section 334,'' is amended as follows: Within footnote 4 to paragraph
.17, the reference to section 312, Audit Risk and Materiality in
Conducting an Audit, is replaced with a reference to Auditing Standard
No. 8, Audit Risk.
AU sec. 336, ``Using the Work of a Specialist''
SAS No. 73, ``Using the Work of a Specialist'' (AU sec. 336,
``Using the Work of a Specialist''), is amended as follows:
a. Footnote 1 to paragraph .01 is replaced with the following:
Because income taxes and information technology are specialized areas
of accounting and auditing, this section does not apply to situations
in which an income tax specialist or information technology specialist
participates in the audit. Auditing Standard No. 10, Supervision of the
Audit Engagement, applies in those situations.
b. Paragraph .05 is replaced with the following: This section does
not apply to situations in which a specialist employed by the auditor's
firm participates in the audit. Auditing Standard No. 10, Supervision
of the Audit Engagement, applies in those situations.
c. In the last sentence of paragraph .06, the word ``competent'' is
replaced with the word ``appropriate.''
d. In the first and last sentences of paragraph .13, the word
``competent'' is replaced with the word ``appropriate.''
AU sec. 9336, ``Using the Work of a Specialist: Auditing
Interpretations of Section 336''
AU sec. 9336, ``Using the Work of a Specialist: Auditing
Interpretations of Section 336,'' is amended as follows:
a. In the second sentence of paragraph .04, the word ``competent''
is replaced with the word ``appropriate.''
b. In paragraph .05, the word ``competent'' is replaced with the
word ``appropriate.''
c. In the second sentence of paragraph .11, the word ``competent''
is replaced with the word ``appropriate.''
d. The penultimate sentence of paragraph .15 is replaced with:
Paragraph 6 of Auditing Standard No. 15, Audit Evidence, states, ``[t]o
be appropriate, audit evidence must be both relevant and reliable in
providing support for the conclusions on which the auditor's opinion is
based.''
AU sec. 341, ``The Auditor's Consideration of an Entity's Ability
to Continue as a Going Concern''
SAS No. 59, ``The Auditor's Consideration of an Entity's Ability to
Continue as Going Concern'' (AU sec. 341, ``The Auditor's Consideration
of an Entity's Ability to Continue as a Going Concern''), as amended,
is amended as follows: The reference in paragraph .02 to section 326,
Evidential Matter, is replaced with a reference to Auditing Standard
No. 15, Audit Evidence.
AU sec. 342, ``Auditing Accounting Estimates''
SAS No. 57, ``Auditing Accounting Estimates'' (AU sec. 342,
``Auditing Accounting Estimates''), as amended, is amended as follows:
a. In the first sentence of paragraph .01, the word ``competent''
is replaced with the word ``appropriate.''
b. In the first sentence of paragraph .07, the word ``competent''
is replaced with the word ``appropriate.''
c. The text of footnote 3 to paragraph .07 is replaced with: See
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.
d. The reference in paragraph .08 subparagraph b.1. to section 311,
Planning and Supervision, is replaced with a reference to Auditing
Standard No. 12, Identifying and Assessing Risks of Material
Misstatement.
e. Paragraph .14 is replaced with: Paragraphs 24 through 27 of
Auditing Standard No. 14, Evaluating Audit Results, discuss the
auditor's responsibilities for assessing bias and evaluating accounting
estimates in relationship to the financial statements taken as a whole.
AU sec. 9342, ``Auditing Accounting Estimates: Auditing
Interpretations of Section 342''
AU sec. 9342, ``Auditing Accounting Estimates: Auditing
Interpretations of Section 342,'' is amended as follows: In the second
sentence of paragraph .02, the word ``competent'' is replaced with the
word ``appropriate.''
AU sec. 350, ``Audit Sampling''
SAS No. 39, ``Audit Sampling'' (AU sec. 350, ``Audit Sampling''),
as amended, is amended as follows:
a. Within footnote 2 to paragraph .02, the reference to section
312, Audit Risk and Materiality in Conducting an Audit, is replaced
with a reference to Auditing Standard No. 14, Evaluating Audit Results.
b. The last sentence of paragraph .03 is replaced with: Either
approach to audit sampling can provide sufficient evidential matter
when applied properly. This section applies to both nonstatistical and
statistical sampling.
c. Paragraph .04 is deleted.
d. In paragraph .06:
The first sentence is deleted.
In the last sentence, the word ``competence'' is replaced
with the word ``appropriateness.''
The following note is added to the paragraph:
Note: Auditing Standard No. 15, Audit Evidence, discusses the
appropriateness of audit evidence, and Auditing Standard No. 14,
Evaluating Audit Results, discusses the auditor's responsibilities for
evaluating the sufficiency and appropriateness of audit evidence.
e. Paragraph .08 is deleted.
f. In paragraph .09:
The sentence in paragraph .09 referring to section 313,
which is in parentheses, is deleted.
The following note is added to the paragraph:
Note: Auditing Standard No. 8, Audit Risk, describes audit risk and
its components in a financial statement audit--the risk of material
misstatement (consisting of inherent risk and control risk) and
detection risk.
g. In paragraph .11:
The phrase ``(see section 311, Planning and Supervision)''
is deleted.
The sentence ``(See section 313.)'' is deleted.
h. The second sentence of paragraph .15 is replaced with: See
Auditing Standard No. 9, Audit Planning.
i. In the first bullet in paragraph .16, the phrase ``(see section
326, Evidential Matter)'' is deleted.
j. In the second bullet of paragraph .16, the phrase ``Preliminary
judgments about materiality levels'' is replaced with the phrase
``Tolerable misstatement. (See paragraphs .18-18A.)''
k. Paragraph .18 is replaced with: Evaluation in monetary terms of
the results of a sample for a substantive test of details contributes
directly to the auditor's purpose, since such an evaluation can be
related to his or her judgment of the monetary amount of misstatements
that would be material. When planning a sample for a substantive test
of details, the auditor should consider how much monetary misstatement
in the related account balance or class of transactions may exist, in
combination with other misstatements, without causing the financial
statements to be materially misstated. This maximum monetary
misstatement for the account balance or class of transactions is called
tolerable misstatement.
l. Paragraph .18A is added: Paragraphs 8-9 of Auditing Standard No.
11, Consideration of Materiality in Planning and Performing an Audit,
describe the auditor's responsibilities for determining tolerable
misstatement at the account or disclosure level. When the population to
be sampled constitutes a portion of an account balance or transaction
class, the auditor should determine tolerable misstatement for the
population to be sampled for purposes of designing the sampling plan.
Tolerable misstatement for the population to be sampled ordinarily
should be less than tolerable misstatement for the account balance or
transaction class to allow for the possibility that misstatement in the
portion of the account or transaction class not subject to audit
sampling, individually or in combination with other misstatements,
would cause the financial statements to be materially misstated.
m. Paragraph .20 is deleted.
n. The first sentence of paragraph .21 is replaced with the
following sentence: The sufficiency of tests of details for a
particular account balance or class of transactions is related to the
individual importance of the items examined as well as to the potential
for material misstatement.
o. Paragraph .23 is replaced with: To determine the number of items
to be selected in a sample for a particular substantive test of
details, the auditor should take into account tolerable misstatement
for the population; the allowable risk of incorrect acceptance (based
on the assessments of inherent risk, control risk, and the detection
risk related to the substantive analytical procedures or other relevant
substantive tests); and the characteristics of the population,
including the expected size and frequency of misstatements.
p. Paragraph .23A is added: Table 1 of the Appendix describes the
effects of the factors discussed in the preceding paragraph on sample
sizes in a statistical or nonstatistical sampling approach. When
circumstances are similar, the effect on sample size of those factors
should be similar regardless of whether a statistical or nonstatistical
approach is used. Thus, when a nonstatistical sampling approach is
applied properly, the resulting sample size ordinarily will be
comparable to, or larger than, the sample size resulting from an
efficient and effectively designed statistical sample.
q. The last sentence of paragraph .25 is replaced with: The auditor
also should evaluate whether the reasons for his or her inability to
examine the items have (a) implications in relation to his or her risk
assessments (including the assessment of fraud risk), (b) implications
regarding the integrity of management or employees, and (c) possible
effects on other aspects of the audit.
r. Footnote 6 to paragraph .26 is replaced with: Paragraphs 10
through 23 of Auditing Standard No. 14, Evaluating Audit Results,
discuss the auditor's consideration of differences between the
accounting records and the underlying facts and circumstances.
s. Within footnote 7 to paragraph .32, the phrase ``(see section
319.85)'' is deleted. In the first sentence of the footnote, the phrase
``often plans'' is replaced with the phrase ``may plan.'' The last
sentence of the footnote, which is in brackets, is deleted.
t. The last sentence of paragraph .38 is replaced with: When
circumstances are similar, the effect on sample size of those factors
should be similar regardless of whether a statistical or nonstatistical
approach is used. Thus, when a nonstatistical sampling approach is
applied properly, the resulting sample size ordinarily will be
comparable to, or larger than, the sample size resulting from an
efficient and effectively designed statistical sample.
u. The fifth sentence of paragraph .39 is replaced with: Paragraphs
44 through 46 of Auditing Standard No. 13, The Auditor's Responses to
the Risks of Material Misstatement, describe the auditor's
responsibilities for performing procedures between the interim date of
testing and period end.
v. In paragraph .39, the last sentence, which is in brackets, is
deleted.
w. In paragraph .44:
The first sentence is replaced with: In some
circumstances, the auditor may design a sample that will be used for
dual purposes: as a test of control and as a substantive test.
The third sentence is replaced with: For example, an
auditor designing a test of a control over entries in the voucher
register may design a related substantive test at a risk level that is
based on an expectation of reliance on the control.
The fifth sentence is replaced with: In evaluating such
tests, deviations from the control that was tested and monetary
misstatements should be evaluated separately using the risk levels
applicable for the respective purposes.
The following Note is added to the paragraph:
Note: Paragraph 47 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement, provides additional
discussion of the auditor's responsibilities for performing dual-
purpose tests.
x. The reference in paragraph .45 to paragraph .04 is changed to a
reference to paragraph .03.
y. In item 2 of paragraph .48, the last sentence is deleted.
z. Within footnote 1 to item 4 in paragraph .48, the sentence
``(See section 313.)'' is deleted.
aa. The sentence in item 6 of paragraph .48 ``(See section 313.)''
is deleted.
AU sec. 9350, ``Audit Sampling: Auditing Interpretations of Section
350''
AU sec. 9350, ``Audit Sampling: Auditing Interpretations of Section
350,'' is superseded.
AU sec. 380, ``Communication With Audit Committees''
SAS No. 61, ``Communication With Audit Committees'' (AU sec. 380,
``Communication With Audit Committees''), as amended, is amended as
follows:
In footnote 5 to paragraph .10, the reference to section
316A.38-.40 is replaced with a reference to AU secs. 316.79-.82; the
reference to section 316A is replaced with a reference to section 316.
AU sec. 411, ``The Meaning of Present Fairly in Conformity With
Generally Accepted Accounting Principles''
SAS No. 69, ``The Meaning of Present Fairly in Conformity With
Generally Accepted Accounting Principles'' (AU sec. 411, ``The Meaning
of Present Fairly in Conformity with Generally Accepted Accounting
Principles''), as amended, is amended as follows:
a. In paragraph .04, the reference in (c) to section 431 is
replaced with a reference to paragraph 31 of Auditing Standard No. 14,
Evaluating Audit Results; in (d), the reference to section 431 is
replaced with a reference to paragraph 31 of Auditing Standard No. 14.
b. The reference in footnote 1 to paragraph .04 to 312.10 is
replaced with a reference to Auditing Standard No. 11, Consideration of
Materiality in Planning and Performing an Audit.
AU sec. 431, ``Adequacy of Disclosure in Financial Statements''
SAS No. 32, ``Adequacy of Disclosure in Financial Statements'' (AU
sec. 431, ``Adequacy of Disclosure in Financial Statements''), as
amended, is superseded.
AU sec. 508, ``Reports on Audited Financial Statements''
SAS No. 58, ``Reports on Audited Financial Statements'' (AU sec.
508, ``Reports on Audited Financial Statements''), as amended, is
amended as follows:
a. In paragraph 18C, the phrase ``and in AU sec. 431'' is deleted.
b. In subparagraph .20.a., the word ``competent'' is replaced with
the word ``appropriate.''
c. In the second sentence of paragraph .22, the word ``competent''
is replaced with the word ``appropriate.''
d. In the third sentence of paragraph .24, the word ``competent''
is replaced with the word ``appropriate.''
e. In footnote 15 to paragraph .38, the first sentence is replaced
with:
In this context, practicable means that the information is
reasonably obtainable from management's accounts and records and that
providing the information in the report does not require the auditor to
assume the position of a preparer of financial information.
f. The references in paragraph .49 to section 312, Audit Risk and
Materiality, and to section 342, Auditing Accounting Estimates, are
replaced with a reference to paragraph 13 of Auditing Standard No. 14,
Evaluating Audit Results.
g. In the first sentence of paragraph .63, the word ``competent''
is replaced with the word ``appropriate.''
h. In paragraph .66, the second sentence is replaced with:
(See paragraph 31 of Auditing Standard No. 14, Evaluating Audit
Results.)
AU sec. 9508, ``Reports on Audited Financial Statements: Auditing
Interpretations of Section 508''
AU sec. 9508, ``Reports on Audited Financial Statements: Auditing
Interpretations of Section 508,'' is amended as follows:
In paragraph .02, the word ``competent'' is replaced with the word
``appropriate.''
AU sec. 530, ``Dating of the Independent Auditor's Report''
SAS No. 1, ``Codification of Auditing Standards and Procedures,''
section 530, ``Dating of the Independent Auditor's Report'' (AU sec.
530, ``Dating of the Independent Auditor's Report''), as amended, is
amended as follows:
a. In the first sentence of paragraph .01, the word ``competent''
is replaced with the word ``appropriate.''
b. In the second note to paragraph .01, the word ``competent'' is
replaced with the word ``appropriate.''
c. In the first sentence of paragraph .05, the word ``competent''
is replaced with the word ``appropriate.''
AU sec. 543, ``Part of Audit Performed by Other Independent
Auditors''
SAS No. 1, ``Codification of Auditing Standards and Procedures,''
section 543, ``Part of Audit Performed by Other Independent Auditors''
(AU sec. 543, ``Part of Audit Performed by Other Independent
Auditors''), as amended, is amended as follows:
a. The following note is added as the second note to paragraph .01:
Note: For situations in which the auditor engages an accounting
firm or individual accountants to participate in the audit engagement
and AU sec. 543 does not apply, the auditor should supervise them in
accordance with the requirements of Auditing Standard No. 10,
Supervision of the Audit Engagement.
b. Within paragraph .12:
Subparagraph b. is replaced with: A list of significant
risks, the auditor's responses, and the results of the auditor's
related procedures.
Subparagraph f. is replaced with: A schedule of
accumulated misstatements, including a description of the nature and
cause of each accumulated misstatement, and an evaluation of
uncorrected misstatements, including the quantitative and qualitative
factors the auditor considered to be relevant to the evaluation.
AU sec. 9543, ``Part of Audit Performed by Other Independent
Auditors: Auditing Interpretations of Section 543''
AU sec. 9543, ``Part of Audit Performed by Other Independent
Auditors: Auditing Interpretations of Section 543,'' as amended, is
amended as follows:
a. Paragraph .16 is replaced with: Interpretation--The principal
auditor's response should ordinarily be made by the engagement partner.
The engagement partner should take those steps that he or she considers
reasonable under the circumstances to be informed of known matters
pertinent to the other auditor's inquiry. For example, the engagement
partner may inquire of engagement team members responsible for various
aspects of the engagement or he or she may direct engagement team
members to bring to his or her attention
any significant matters of which they become aware during the audit.
The principal auditor is not required to perform any procedures
directed toward identifying matters that would not affect his or her
audit or his or her report.
b. Footnote 4 to paragraph .16 is deleted.
AU sec. 722, ``Interim Financial Information''
SAS No. 100, ``Interim Financial Information'' (AU sec. 722,
``Interim Financial Information''), as amended, is amended as follows:
a. Within footnote 7 to paragraph .11, the first sentence is
replaced with: Paragraphs 10 through 23 of Auditing Standard No. 14,
Evaluating Audit Results, require the auditor to accumulate and
evaluate the misstatements identified during the audit.
b. The reference in paragraph .13 to section 319, Consideration of
Internal Control in a Financial Statement Audit, is replaced with a
reference to Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
c. Within the last sentence of paragraph .16, the title of section
329, ``Analytical Procedures,'' is replaced with the title
``Substantive Analytical Procedures.''
d. Footnote 20 to paragraph .26 is deleted.
e. The reference in paragraph .56, subparagraph C5, to section 319
is replaced with a reference to section 316.
Auditing Standard No. 3, Audit Documentation
Auditing Standard No. 3, Audit Documentation, as amended, is
amended as follows:
a. Within paragraph 3, subparagraph b. is replaced with:
Supervisory personnel who review documentation prepared by other
members of the engagement team.
b. Paragraph 9A is added: Documentation of risk assessment
procedures and responses to risks of misstatement should include (1) a
summary of the identified risks of misstatement and the auditor's
assessment of risks of material misstatement at the financial statement
and assertion levels and (2) the auditor's responses to the risks of
material misstatement, including linkage of the responses to those
risks.
c. Within paragraph 12:
Within subparagraph a.: (1) a footnote reference 2A is
added at the end of the first sentence: See paragraphs 12-13 of
Auditing Standard No. 12, Identifying and Assessing Risks of Material
Misstatement, and paragraphs .66-.67 of AU sec. 316, Consideration of
Fraud in a Financial Statement Audit. and (2) the second sentence of
subparagraph a. is deleted.
Subparagraph b. is replaced with: Results of auditing
procedures that indicate a need for significant modification of planned
auditing procedures, the existence of material misstatements (including
omissions in the financial statements), and the existence of
significant deficiencies or material weaknesses in internal control
over financial reporting.
Subparagraph c. is replaced with: Accumulated
misstatements and evaluation of uncorrected misstatements, including
the quantitative and qualitative factors the auditor considered to be
relevant to the evaluation.
Footnote 2B is added to subparagraph c.: See paragraphs
10-23 of Auditing Standard No. 14, Evaluating Audit Results.
Subparagraph d. is replaced with: Disagreements among
members of the engagement team or with others consulted on the
engagement about final conclusions reached on significant accounting or
auditing matters, including the basis for the final resolution of those
disagreements. If an engagement team member disagrees with the final
conclusions reached, he or she should document that disagreement.
Subparagraph f. is replaced with: Significant changes in
the auditor's risk assessments, including risks that were not
identified previously, and the modifications to audit procedures or
additional audit procedures performed in response to those changes.
Footnote 2C is added to subparagraph f.: See paragraph 74
of Auditing Standard No. 12, Identifying and Assessing Risks of
Material Misstatement, and paragraph 36 of Auditing Standard No. 14,
Evaluating Audit Results.
Subparagraph f-1. is added: Risks of material misstatement
that are determined to be significant risks and the results of the
auditing procedures performed in response to those risks.
d. Within paragraph 19:
Subparagraph b. is replaced with: A list of significant
risks, the auditor's responses, and the results of the auditor's
related procedures.
Subparagraph f. is replaced with: A schedule of
accumulated misstatements, including a description of the nature and
cause of each accumulated misstatement, and an evaluation of
uncorrected misstatements, including the quantitative and qualitative
factors the auditor considered to be relevant to the evaluation.
e. Paragraph 21 and the preceding heading, ``Effective Date,'' are
deleted.
Auditing Standard No. 4, Reporting on Whether a Previously Reported
Material Weakness Continues to Exist
Auditing Standard No. 4, Reporting on Whether a Previously Reported
Material Weakness Continues to Exist, as amended, is amended as
follows: In the first sentence of paragraph 18, the word ``competent''
is replaced with the word ``appropriate.''
Auditing Standard No. 5, An Audit of Internal Control Over
Financial Reporting That Is Integrated with An Audit of Financial
Statements
Auditing Standard No. 5, An Audit of Internal Control Over
Financial Reporting That Is Integrated with An Audit of Financial
Statements, is amended as follows:
a. In the second sentence of paragraph 3, the word ``competent'' is
replaced with the word ``appropriate.''
b. In the first sentence of paragraph 9, the phrase ``any
assistants'' is replaced with the phrase ``the engagement team
members.''
c. Within footnote 10 to paragraph 14, the reference to paragraphs
.19-.42 of AU sec. 316, Consideration of Fraud in a Financial Statement
Audit, is replaced with a reference to Auditing Standard No. 12,
Identifying and Assessing Risks of Material Misstatement.
d. The reference in paragraph 15 to AU sec. 316.44 and .45 is
replaced with a reference to paragraphs 65-69 of Auditing Standard No.
12, Identifying and Assessing Risks of Material Misstatement.
e. Within footnote 11 to paragraph 20, the reference to AU sec.
312, Audit Risk and Materiality in Conducting an Audit, is replaced
with a reference to Auditing Standard No. 11, Consideration of
Materiality in Planning and Performing an Audit.
f. Within footnote 12 to paragraph 28, the reference to AU sec.
326, Evidential Matter, is replaced with a reference to Auditing
Standard No. 15, Audit Evidence.
g. Within footnote 13 to the note to paragraph 31, the reference to
AU sec. 312.39 is replaced with a reference to paragraph 14 of Auditing
Standard No. 14, Evaluating Audit Results. The reference to AU sec.
316.50 is replaced with a reference to paragraph 5 of Auditing Standard
No. 13, The Auditor's Responses to the Risks of Material Misstatement.
h. The references in paragraph 36 to paragraphs .16-.20, .30-.32,
and .77-.79 of AU sec. 319, Consideration of Internal Control in a
Financial Statement Audit, are replaced with references to paragraph 29
and
Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks
of Material Misstatement.
i. In the first sentence of paragraph 51, the word ``competent'' is
replaced with the word ``appropriate.''
j. In the first sentence of paragraph 89, the word ``competent'' is
replaced with the word ``appropriate.''
k. Within the note to paragraph C6 in Appendix C, the word
``competent'' is replaced with the word ``appropriate.''
Auditing Standard No. 6, Evaluating Consistency of Financial
Statements
Auditing Standard No. 6, Evaluating Consistency of Financial
Statements, is amended as follows:
a. Footnote 3 to paragraph 4 is deleted.
b. In paragraph 10, the reference to AU sec. 431, Adequacy of
Disclosure in Financial Statements, is replaced with a reference to
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.
Auditing Standard No. 7, Engagement Quality Review
Auditing Standard No. 7, Engagement Quality Review, is amended as
follows:
a. Footnote 3 to paragraph 5 is replaced with: The term
``engagement partner'' has the same meaning as the ``practitioner-in-
charge of an engagement'' in PCAOB interim quality control standard QC
sec. 40, The Personnel Management Element of a Firm's System of Quality
Control-Competencies Required by a Practitioner-in-Charge of an Attest
Engagement. QC sec. 40 describes the competencies required of a
practitioner-in-charge of an attest engagement.
b. In paragraph 10, the note following subparagraph b. is replaced
with: Note: A significant risk is a risk of material misstatement that
requires special audit consideration.
Ethics Standards
ET sec. 102, ``Integrity and Objectivity''
ET sec. 102, ``Integrity and Objectivity,'' is amended as follows:
Footnote 1 to paragraph .05 is replaced with: See paragraph 5.b. of
Auditing Standard No. 10, Supervision of the Audit Engagement, and
paragraph 12.d. of Auditing Standard No. 3, Audit Documentation.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed any comments it received on the proposed rules. The text of
these statements may be examined at the places specified in Item IV
below. The Board has prepared summaries, set forth in sections A, B,
and C below, of the most significant aspects of such statements.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
Section 103(a) of the Act directs the Board, by rule, to establish,
among other things, ``auditing and related attestation standards * * *
to be used by registered public accounting firms in the preparation and
issuance of audit reports, as required by th[e] Act or the rules of the
Commission, or as may be necessary or appropriate in the public
interest or for the protection of investors.'' As discussed more fully
in Exhibit 3, the Board adopted eight auditing standards and related
amendments that benefit investors by establishing requirements that
enhance the effectiveness of the auditor's assessment of and response
to the risks of material misstatement in an audit.
In an audit performed in accordance with PCAOB standards, risk
underlies the entire audit process, including the procedures that the
auditor performs to support the opinion expressed in the auditor's
report. Most of the Board's interim auditing standards relating to
assessing and responding to risk in an audit of financial statements
were developed in the 1980s.\154\ Those standards described in general
terms the auditor's responsibilities for assessing and responding to
risk. They directed auditors to vary the amount of audit attention
related to particular financial statement accounts based on the risks
presented by them. The standards also allowed the auditor to use tests
of controls to reduce substantive testing.\155\
---------------------------------------------------------------------------
\154\ Examples of those standards include AU sec. 312, Audit
Risk and Materiality in Conducting an Audit, and AU sec. 319,
Consideration of Internal Control in a Financial Statement Audit.
\155\ AU sec. 319.
---------------------------------------------------------------------------
A number of factors and events led the Board to reexamine those
standards and seek to improve them. These included the widespread use
of risk-based audit methodologies; recommendations to the profession on
ways in which auditors could improve risk assessment; \156\ advice from
the Board's Standing Advisory Group (``SAG''); \157\ adoption of
Auditing Standard No. 5, An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial Statements; and
observations from the Board's oversight activities.
---------------------------------------------------------------------------
\156\ See, e.g., Public Oversight Board, Panel on Audit
Effectiveness (``PAE''), Report and Recommendations (August 31,
2000). For a summary of the PAE's recommendations related to risk
assessment, see PCAOB Standing Advisory Group (``SAG'') Meeting
Briefing Paper, ``Risk Assessment in Financial Statement Audits''
(February 16, 2005), Appendix A, available at: http://www.pcaobus.org/News_and_Events/Events/2005/02-16.aspx.
\157\ Webcasts of SAG meetings are available on the Board's Web
site at: http://www.pcaobus.org/News_and_Events/Webcasts.
---------------------------------------------------------------------------
On October 21, 2008, the Board proposed a set of auditing standards
to update the requirements for assessing and responding to risk in an
audit (``the original proposed standards'').\158\ The original proposed
standards were intended to improve the auditing standards and to
benefit investors by establishing requirements that enhance the
effectiveness of auditors' assessment of and response to risk through:
---------------------------------------------------------------------------
\158\ PCAOB Release No. 2008-006, Proposed Auditing Standards
Related to the Auditor's Assessment of and Response to Risk (October
21, 2008).
---------------------------------------------------------------------------
Performing procedures that provide a reasonable basis for
identifying and assessing risks of material misstatement, whether due
to error or fraud
Tailoring the audit to respond appropriately to the risks of
material misstatement
Making a comprehensive evaluation of the evidence obtained
during the audit to form the opinion(s) in the auditor's report
The Board also sought to emphasize the auditor's responsibilities
for consideration of fraud by incorporating requirements for
identifying and responding to the risks of material misstatement due to
fraud (``fraud risks'') and evaluating audit results from the existing
PCAOB standard, AU sec. 316, Consideration of Fraud in a Financial
Statement Audit.\159\ Incorporating these requirements makes clear that
the auditor's responsibilities for assessing and responding to fraud
risks are an integral part of the audit process rather than a separate,
parallel process. It also benefits investors by prompting auditors to
make a more thoughtful and thorough assessment of fraud risks and to
develop appropriate audit responses.
---------------------------------------------------------------------------
\159\ Paragraphs .14-.51 and paragraphs .68-.78 of AU sec. 316,
Consideration of Fraud in a Financial Statement Audit.
---------------------------------------------------------------------------
Improvements in the standards related to risk assessment also
should enhance integration of the audit of financial statements with
the audit of internal control over financial reporting (``audit of
internal control'') by articulating a process for identifying and
assessing risks of material misstatement that applies to both portions
of the
integrated audit when the auditor is performing an integrated audit.
The proposed rules also amend the Board's interim standards
including superseding the following sections of PCAOB interim auditing
standards:
AU sec. 311, Planning and Supervision
AU sec. 312, Audit Risk and Materiality in Conducting an Audit
AU sec. 313, Substantive Tests Prior to the Balance Sheet Date
AU sec. 319, Consideration of Internal Control in a Financial
Statement Audit
AU sec. 326, Evidential Matter
AU sec. 431, Adequacy of Disclosure in Financial Statements
Similarly, the auditing interpretations of AU secs. 311, 312, and
350 have been incorporated into the risk assessment standards and thus
are superseded. The auditing interpretations of AU sec. 326, except for
Interpretation No. 2 (AU secs. 9326.06-.23), also are superseded.\160\
---------------------------------------------------------------------------
\160\ Interpretation No. 2 relates in part to AU sec. 336 and AU
sec. 337, Inquiry of a Client's Lawyer Concerning Litigation,
Claims, and Assessments, and it will be evaluated in connection with
standards-setting projects related to those standards.
---------------------------------------------------------------------------
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
The Board does not believe that the proposed rule changes will
result in any burden on competition that is not necessary or
appropriate in furtherance of the purposes of the Act. The proposed
rule changes would apply equally to all registered public accounting
firms conducting audits in accordance with PCAOB standards.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board released the proposed rules for public comment in PCAOB
Release No. 2008-006 (October 21, 2008). The Board received 33 written
comments. The Board considered these comments and made changes to the
initial proposed rules. As a result, the Board again sought public
comment in PCAOB Release No. 2009-007 (December 21, 2009). The Board
received 23 written comment letters relating to its reproposal of the
proposed rules. A copy of PCAOB Release Nos. 2008-006 and 2009-007 and
the comment letters received in response to the PCAOB's request for
comment in both releases are available on the PCAOB's Web site at
http://www.pcaobus.org.
The Board has carefully considered all comments it has received. In
response to the written comments received on both the initial and
reproposal of the proposed rules, the Board has clarified and modified
certain aspects of the proposed rules, as discussed below.
Overview of the Risk Assessment Standards
Many commenters on the original proposed standards were supportive
of the Board's efforts to update its risk assessment requirements and
offered numerous suggestions for changing the original proposed
standards. After considering all of the comments received on those
standards, the Board made numerous refinements to the original proposed
standards. Because the standards address many fundamental aspects of
the audit process and are expected to serve as a foundation for future
standards-setting, the Board reproposed the standards for public
comment on December 17, 2009 (``the reproposed standards'').\161\
---------------------------------------------------------------------------
\161\ PCAOB Release No. 2009-007, Proposed Auditing Standards
Related to the Auditor's Assessment of and Response to Risk
(December 17, 2009).
---------------------------------------------------------------------------
The Board received 23 comment letters on the reproposed
standards.\162\ The Board discussed the comments received with the SAG
on April 8, 2010.\163\ Most commenters were generally supportive of the
reproposed standards and the improvements made to those standards. Many
commenters also offered suggestions to improve the standards, which the
Board has carefully analyzed.
---------------------------------------------------------------------------
\162\ Comments on the original proposed standards and the
reproposed standards are available on the Board's Web site at:
http://www.pcaobus.org/Rules/Rulemaking/Pages/Docket026.aspx.
\163\ A transcript of the portion of the meeting that related to
the reproposed standards is available on the Board's Web site at:
http://www.pcaobus.org/Rules/Rulemaking/Pages/Docket026.aspx.
---------------------------------------------------------------------------
After consideration of the comments received, the Board has refined
the standards to provide additional clarity. The Board has decided to
adopt the following standards for assessing and responding to risk in
an audit and the related amendments to PCAOB standards:
Auditing Standard No. 8, Audit Risk
Auditing Standard No. 9, Audit Planning
Auditing Standard No. 10, Supervision of the Audit Engagement
Auditing Standard No. 11, Consideration of Materiality in
Planning and Performing an Audit
Auditing Standard No. 12, Identifying and Assessing Risks of
Material Misstatement
Auditing Standard No. 13, The Auditor's Responses to the Risks
of Material Misstatement
Auditing Standard No. 14, Evaluating Audit Results
Auditing Standard No. 15, Audit Evidence
1. Notable Areas of Change in the Standards
The changes made to the reproposed standards reflect refinements
rather than significant shifts in approach. This section describes the
areas of change to the reproposed standards that are most notable,
e.g., because they affect multiple standards or multiple sections of an
individual standard. This Release discusses these and other changes in
more detail.
a. Planning and Supervision Standards
The reproposed standards included a standard covering both audit
planning and supervision. Some commenters observed that audit planning
and supervision should be covered in separate standards.
Audit planning and supervision, although related in some respects,
are distinct activities that should be presented in separate standards.
Accordingly, the Board has divided the planning and supervision
standard into separate standards for planning and for supervision.
Presenting the requirements for planning and supervision in separate
standards is a technical change that, by itself, does not affect the
auditor's responsibilities for planning the audit or supervision of the
work of engagement team members as described in the reproposed
standards.
b. Requirements for Multi-Location Audits
The reproposed standard on audit planning and supervision included
requirements regarding establishing the scope of testing of individual
locations in multi-location engagements. The reproposed standard on
consideration of materiality in planning and performing an audit
included requirements for determining materiality of individual
locations in multi-location audits. Some commenters requested
clarification on the Board's expectations regarding how to apply those
requirements in audits in which part of the work is performed by other
auditors, specifically, auditors of financial statements of individual
locations or business units that are included in the consolidated
financial statements.
The multi-location requirements have been revised to take into
account situations in which part of the work is
performed by other auditors.\164\ This release discusses those
revisions in more detail and explains the Board's expectations
regarding how to apply the respective requirements in situations
involving other auditors.
---------------------------------------------------------------------------
\164\ Paragraphs 11-14 of Auditing Standard No. 9, Audit
Planning, and paragraph 10 of Auditing Standard No. 11,
Consideration of Materiality in Planning and Performing an Audit.
---------------------------------------------------------------------------
The reproposed standard on audit planning and supervision also
included a statement, similar to a statement in Auditing Standard No.
5, that ``The direction in paragraph 5 of Proposed Auditing Standard,
The Auditor's Responses to the Risks of Material Misstatement,
regarding incorporating an element of unpredictability in the auditing
procedures means that the auditor should vary the nature, timing, and
extent of audit procedures at locations or business units from year to
year.'' Some commenters stated that the statement in the reproposed
audit planning and supervision standard was unnecessarily prescriptive.
After considering the comments received, the requirement regarding
unpredictability was removed from the audit planning standard, and the
discussion in Auditing Standard No. 13 regarding incorporating an
element of unpredictability was expanded to include varying the testing
in the selected locations.\165\ However, this does not change the
requirements in Auditing Standard No. 5 regarding incorporating
unpredictability in testing controls at individual locations in audits
of internal control.\166\
---------------------------------------------------------------------------
\165\ Paragraph 5 of Auditing Standard No. 13, The Auditor's
Responses to the Risks of Material Misstatement.
\166\ Paragraphs 61 and B13 of Auditing Standard No. 5.
---------------------------------------------------------------------------
c. Requirement for Performing Walkthroughs
In the original proposed standards, the standard on identifying and
assessing risks of material misstatement referred auditors to Auditing
Standard No. 5 for a discussion of the performance of walkthroughs.
Some commenters on the original proposed standards stated that the
proposed standard should include a discussion of walkthroughs rather
than referring to Auditing Standard No. 5. The reproposed standard on
identifying and assessing risks of material misstatement included a
discussion of the objectives for understanding likely sources of
potential misstatements and of performing walkthroughs, which
paralleled a discussion in Auditing Standard No. 5.\167\ Some
commenters expressed concerns that those new requirements would lead to
unnecessary walkthroughs, particularly in audits of financial
statements only.
---------------------------------------------------------------------------
\167\ Paragraph 34 of Auditing Standard No. 5.
---------------------------------------------------------------------------
The intention of including the discussion of walkthroughs was to
describe how to perform walkthroughs, not to impose additional
requirements regarding when to perform walkthroughs. The discussion has
been revised to focus on how the auditor should perform walkthroughs,
and the discussion of the objectives for understanding likely sources
of potential misstatements has been removed.\168\ Consequently, the
objectives in paragraph 34 of Auditing Standard No. 5 for understanding
potential sources of likely misstatement will continue to apply only to
integrated audits.
---------------------------------------------------------------------------
\168\ Paragraphs 37-38 of Auditing Standard No. 12, Identifying
and Assessing Risks of Material Misstatement.
---------------------------------------------------------------------------
d. Requirements Regarding Financial Statement Disclosures
Because of the importance of disclosures to the fair presentation
of financial statements and based on observations from the Board's
oversight activities, the reproposed standards included additional
requirements intended to increase the auditor's attention on the
disclosures in the financial statements. For example, the reproposed
standard on identifying and assessing risks of material misstatement
included a new requirement related to developing an expectation about
the necessary financial statement disclosures as part of obtaining an
understanding of the company and its environment. Some commenters
stated that the requirements should be clarified as applying to
disclosures required by the applicable financial reporting framework.
Also, the reproposed standard on evaluating audit results included
expanded requirements for the auditor to evaluate whether the financial
statements include the required disclosures. Some commenters stated
that the standard should clarify that the requirements apply only to
material disclosures.
After analyzing the comments, those two requirements have been
revised to clarify that they refer to the fair presentation of the
financial statements in conformity with the applicable financial
reporting framework.\169\
---------------------------------------------------------------------------
\169\ Paragraph 13 of Auditing Standard No. 12 and paragraph 31
of Auditing Standard No. 14, Evaluating Audit Results.
---------------------------------------------------------------------------
2. Discussion of Comments That Relate to Many of the Reproposed
Standards
The following paragraphs discuss matters raised by commenters that
relate to many of the reproposed standards. Section II.C.13 of this
release contains a discussion of other topics raised by commenters on
matters other than the risk assessment standards or the related
amendments.
a. Consideration of Fraud in the Audit
Section I of the Board's adopting release discusses the Board's
objectives regarding incorporating into its risk assessment standards
the requirements for identifying and responding to risks of material
misstatement due to fraud (``fraud risks'') and evaluating audit
results from AU sec. 316, Consideration of Fraud in a Financial
Statement Audit.\170\
---------------------------------------------------------------------------
\170\ The risk assessment standards incorporate paragraphs
.14-.51 and .68-.78 of AU sec. 316. Accordingly, those paragraphs
are removed from AU sec. 316 by means of a related amendment.
---------------------------------------------------------------------------
The number of comments received on this approach to incorporate the
requirements from AU sec. 316 declined significantly from the original
proposed standards.\171\ The views of commenters continue to be mixed.
One commenter supported the approach, and two commenters expressed
concerns about the approach.
---------------------------------------------------------------------------
\171\ As discussed in Section I, the risk assessment standards
were originally proposed on October 21, 2008. See PCAOB Release No.
2008-006, Proposed Auditing Standards Related to the Auditor's
Assessment of and Response to Risk.
---------------------------------------------------------------------------
The risk assessment standards continue to include relevant
requirements from AU sec. 316. The Board has observed from its
oversight activities instances in which auditors have performed the
procedures required in AU sec. 316 mechanically, without using the
procedures to develop insights on fraud risk or to modify the audit
plan to address that risk. The Board also has observed instances in
which firms have failed to respond appropriately to identified fraud
risks.
These observations suggest that some auditors may improperly view
the consideration of fraud as an isolated, mechanical process rather
than an integral part of audits under PCAOB standards. Integrating the
requirements from AU sec. 316 into the risk assessment standards
emphasizes to auditors that assessing and responding to fraud risks is
an integral part of an audit in accordance with PCAOB standards, rather
than a separate consideration. Such integration also should prompt
auditors to make a more thoughtful and thorough assessment of the risks
affecting the financial
statements, including fraud risks, and to develop appropriate audit
responses. Furthermore, AU sec. 316, as amended, will continue to
provide relevant information on determining the necessary procedures
for considering fraud in a financial statement audit. (See section
II.C.11.F.(ii). of this release for more discussion about AU sec. 316.)
b. Organization and Style of Standards (Including the Use of Notes and
Appendices)
In response to comments on the original proposed standards, the
Board presented the reproposed standards using an organization and
style that is intended to be a template for future standards of the
Board. The organization and style includes an objective for each
standard, which provides additional context for understanding the
requirements in the standard, and a separate appendix for definitions
of terms used in each standard.
Commenters generally supported the organization and style of the
reproposed standards, and some commenters suggested that existing PCAOB
standards be revised to implement this organization and style. As
stated in the release accompanying the reproposed standards, the
organization and style used in the reproposed standards draws from
previously issued standards of the Board, e.g., Auditing Standard No.
7, Engagement Quality Review. Also, the Board will apply this template
in the course of its other standards-setting activities.
Commenters expressed concerns about including requirements in
appendices and notes to the standard. Consistent with standards
previously issued by the Board, the notes and appendices in the risk
assessment standards are integral parts of the standards and carry the
same authoritative weight as the other portions of the standards.
c. Use of Terms
PCAOB Rule 3101, Certain Terms Used in Auditing and Related
Professional Practice Standards, sets forth the terminology that the
Board uses to describe the degree of responsibility that the auditing
and related professional practice standards impose on auditors. The
original proposed standards used terms in the requirements in a manner
that was consistent with Rule 3101.
Some comments received on the original proposed standards suggested
revisions to the terms used in the requirements or asked for
clarification about certain terms or phrases, e.g., ``take into
account.'' The reproposed standards reflected numerous revisions to the
terms used in the standards, and the risk assessment standards reflect
further refinements. For example, the standards use ``should consider''
only when referring to a requirement to consider performing an action
or procedure, which is consistent with Rule 3101.
As explained in the release accompanying the reproposed standards,
the phrase ``take into account'' has been used previously in PCAOB
standards in reference to information or matters that the auditor
should think about or give attention to in performing an audit
procedure or reaching a conclusion.\172\ Accordingly, the results of
the auditor's thinking on the relevant matters should be reflected in
the performance and documentation of the respective audit procedure
performed or conclusion reached. The accompanying standards continue to
use ``take into account'' in the same way.
---------------------------------------------------------------------------
\172\ AU sec. 316.45 and paragraphs 14, 44, 59, and B12 of
Auditing Standard No. 5, An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------
Some commenters asked about the meaning of certain terms, e.g.,
``assess,'' ``evaluate,'' or ``determine.'' Those commenters also
stated that the Board should use those terms consistently throughout
its standards. The Board has reviewed the use of each of those terms
and has revised the standards as necessary to apply those terms more
consistently. Subsequent sections of this release discuss specific
revisions to the individual standards.
One commenter expressed concerns about statements that involve the
use of present tense in the reproposed standards. As with standards
that the Board previously issued, the present tense is used in the risk
assessment standards for statements that are factual or definitional,
e.g., to provide additional explanation of a required auditing
procedure.\173\ Subsequent sections of this release discuss specific
instances of the use of present tense in the risk assessment standards.
---------------------------------------------------------------------------
\173\ See, e.g., paragraph 21 of Auditing Standard No. 5 for an
example of the use of the present tense for this purpose.
---------------------------------------------------------------------------
d. Requirements and the Application of Judgment
Some commenters on the original proposed standards stated that the
original proposed standards contained requirements that were ``too
prescriptive,'' limiting the auditor's ability to ``use professional
judgment or scale the audit,'' e.g., because of the number of
requirements in the standards and because the standards did not
explicitly refer to professional judgment in the requirements. In the
release accompanying the reproposed standards, the Board discussed the
importance of professional judgment in fulfilling the requirements of
the standards. After examining each requirement, the Board revised
certain provisions in the reproposed standards to streamline the
presentation of those requirements.
Although the Board received fewer comments on the reproposed
standard related to this topic, two commenters continue to express
concerns about whether the reproposed standards made adequate allowance
for the auditor to use professional judgment in assessing and
responding to risk in an audit.
PCAOB standards recognize that the auditor uses judgment in
planning and performing audit procedures and evaluating the evidence
obtained from those procedures.\174\ As under other PCAOB standards,
auditors need to exercise judgment in fulfilling the requirements of
the risk assessment standards in the particular circumstances. Making
references to judgment in selected portions of the standards, however,
could be misinterpreted as indicating that judgment is required only in
certain aspects of the audit. Instead of referring to judgment
selectively, the risk assessment standards set forth principles for
meeting the requirements of the standards and allow the auditor to
determine the most appropriate way to comply with the requirements in
the circumstances.
---------------------------------------------------------------------------
\174\ See, e.g., paragraph .11 of AU sec. 230, Due Professional
Care in the Performance of Work.
---------------------------------------------------------------------------
3. Auditing Standard No. 8--Audit Risk
a. Background
Auditing Standard No. 8 discusses audit risk and the relationships
among the various components of audit risk in an audit of financial
statements. The standard applies to integrated audits and to audits of
financial statements only.
b. Objective
The reproposed standard stated that the objective of the auditor is
to conduct the audit of financial statements in a manner that reduces
audit risk to an appropriately low level. This objective provided
important context for understanding how the concept of audit risk is
applied in an audit.
One commenter observed that the reproposed standards sometimes used
the phrase, ``appropriately low level'' and occasionally used the
phrase ``acceptably low level,'' and that
commenter suggested revising the standards to use ``acceptably low
level'' in each instance. The Board continues to believe the term
``appropriately low level'' is more suitable because it is aligned more
closely with the degree of assurance described in the auditor's
opinion, i.e., the auditor conducts the audit to reduce audit risk to
an appropriately low level in order to express an opinion with
reasonable assurance. In contrast, the term ``acceptably low'' is less
clear and could be misinterpreted. The risk assessment standards have
been revised to use the phrase ``appropriately low level,'' as
applicable.
c. Due Professional Care and Sufficient Appropriate Audit Evidence
The reproposed standard stated that, to form an appropriate basis
for expressing an opinion on the financial statements, the auditor must
plan and perform the audit to obtain reasonable assurance about whether
the financial statements are free of material misstatement due to error
or fraud. It also stated that reasonable assurance is obtained by
reducing audit risk to an appropriately low level through applying due
professional care, including obtaining sufficient appropriate audit
evidence.\175\
---------------------------------------------------------------------------
\175\ Paragraph 3 of Auditing Standard No. 8.
---------------------------------------------------------------------------
A commenter suggested that due professional care is a
responsibility throughout the audit, similar to professional skepticism
and judgment, and need not be repeated throughout the Board's
standards. The Board agrees that due professional care is a
responsibility throughout the audit. On the other hand, existing PCAOB
standards state that due professional care allows the auditor to obtain
reasonable assurance,\176\ and the statement in Auditing Standard No. 8
acknowledges that principle.
---------------------------------------------------------------------------
\176\ AU sec. 230.10.
---------------------------------------------------------------------------
d. Audit Risk and Risk of Material Misstatement
Some commenters on the original proposed standard requested more
explanation about risks at the overall financial statement level, e.g.,
by providing examples of such risks. The reproposed standard elaborated
further on risks at the financial statement level.\177\
---------------------------------------------------------------------------
\177\ Paragraph 6 of Auditing Standard No. 8.
---------------------------------------------------------------------------
Commenters on the reproposed standard asked for more explanation
regarding how financial statement level risks can result in material
misstatement of the financial statements. The examples of financial
statement level risks in Auditing Standard No. 8 have been expanded to
illustrate how those risks can result in material misstatement of the
financial statements.\178\
---------------------------------------------------------------------------
\178\ Ibid.
---------------------------------------------------------------------------
Some individual commenters offered suggestions for refining or
clarifying the discussion of the risk of material misstatement and its
components. For example, one commenter suggested that the description
of the risk of material misstatement should state that the risk exists
``prior to the audit'' to more clearly indicate that it is the
company's risk. The Board agrees that the risk of material misstatement
exists irrespective of the audit, while the risk of not detecting
material misstatement is the auditor's risk. However, the suggested
phrase could be misinterpreted, e.g., as implying that the auditor need
not consider the risk of misstatements occurring during the audit.
The reproposed standard included a statement that inherent risk and
control risk are the company's risks; they exist independently of the
audit. One commenter suggested that the statement was not informative
and suggested revising the standard to state that inherent risk and
control risk are functions of the company's characteristics, but
influence the auditor's actions. The Board agrees that more discussion
of the auditor's consideration of inherent risk and control risk is
appropriate. Thus, Auditing Standard No. 8 has been expanded to discuss
the sources of evidence the auditor uses when assessing inherent risk
and control risk.\179\ Also, the description of control risk in
Auditing Standard No. 8 has been aligned with the discussion of
internal control concepts in Auditing Standard No. 5.
---------------------------------------------------------------------------
\179\ Paragraph 8 of Auditing Standard No. 8.
---------------------------------------------------------------------------
One commenter expressed a concern that descriptions of inherent
risk, control risk, and detection risk that included the phrase ``that
could be material, individually or in combination with other
misstatements,'' may be misinterpreted by the auditor as a requirement
to consider whether the combination of dissimilar risks will result in
a material misstatement. The commenter suggested changing
``combination'' to ``aggregate.'' However, the standard does not
discuss the combination of risks but, rather, the risk of a
misstatement that could be material, individually or in combination
with other misstatements, which is consistent with the description of
the auditor's evaluation of uncorrected misstatements in Auditing
Standard No. 14, Evaluating Audit Results. Thus, the term
``combination'' was retained as proposed.
e. Detection Risk
The reproposed standard indicated that detection risk is reduced by
performing substantive procedures. Some commenters stated that the
discussion of detection risk should be modified to indicate that
auditors can reduce detection risk through procedures other than
substantive procedures (e.g., risk assessment procedures and tests of
controls). A commenter also suggested changing the sentence in the
standard to refer to ``audit procedures'' instead of ``substantive
procedures.''
The Board acknowledges that auditors might obtain evidence of
misstatements through procedures other than substantive procedures.
However, that does not diminish the auditor's responsibility to plan
and perform substantive procedures for significant accounts and
disclosures that are sufficient to provide reasonable assurance of
detecting misstatements that would result in material misstatement of
the financial statements. Changing ``substantive procedures'' to
``audit procedures,'' as suggested by the commenter, is not consistent
with AU sec. 319, Consideration of Internal Control in a Financial
Statement Audit, and could be misunderstood by auditors, resulting in
inadequate substantive procedures.\180\ To provide further
clarification, Auditing Standard No. 8 has been revised to describe the
role of risk assessment procedures and tests of controls in assessing
the risk of material misstatement, which, in turn, affects the
appropriate level of detection risk.\181\
---------------------------------------------------------------------------
\180\ AU secs. 319.81-.82. AU sec. 319, along with AU sec. 311,
Planning and Supervision, AU sec. 312, Audit Risk and Materiality in
Conducting an Audit, AU sec. 313, Substantive Tests Prior to the
Balance Sheet Date, AU sec. 326, Evidential Matter, and AU sec. 431,
Adequacy of Disclosure in Financial Statements, are superseded by
the risk assessment standards.
\181\ Paragraphs 8-9 of Auditing Standard No. 8.
---------------------------------------------------------------------------
Some commenters expressed concerns that the reproposed standard did
not adequately link the concepts of inherent risk and control risk to
detection risk. They stated that a discussion on the relationship of
these concepts is necessary for the auditor to determine the acceptable
level of detection risk for the financial statement assertions, which,
in turn, is used to determine the nature, timing, and extent of
substantive procedures. The following discussion, which is adapted from
AU sec. 319, was added to paragraph 10 of Auditing
Standard No. 8: ``The auditor uses the assessed risk of material
misstatement to determine the appropriate level of detection risk for a
financial statement assertion. The higher the risk of material
misstatement, the lower the level of detection risk needs to be in
order to reduce audit risk to an appropriately low level.'' \182\
---------------------------------------------------------------------------
\182\ Paragraph 10 of Auditing Standard No. 8.
---------------------------------------------------------------------------
f. Integrated Audit Considerations
Auditing Standard No. 8 applies both to audits of financial
statements only and to the financial statement audit portion of
integrated audits. Audit risk in the audit of financial statements
relates to whether the auditor expresses an inappropriate audit opinion
when the financial statements are materially misstated, while audit
risk in an audit of internal control over financial reporting (``audit
of internal control'') relates to whether the auditor expresses an
inappropriate audit opinion when one or more material weaknesses exist.
The two forms of audit risk are related, however, and Auditing Standard
No. 12, Identifying and Assessing Risks of Material Misstatement,
indicates that the risk assessment procedures apply to both the audit
of financial statements and the audit of internal control.
Some commenters suggested revisions to the first paragraph and the
first footnote of the reproposed standard to clarify how the concepts
of audit risk in this standard apply to audits of financial statements
only and to integrated audits. The first paragraph has been revised to
indicate that Auditing Standard No. 8 applies to either an audit of
financial statements only or to an integrated audit. The first footnote
also has been revised to clarify that, in integrated audits, the risks
of material misstatement are the same for both the audit of financial
statements and the audit of internal control.
4. Auditing Standard No. 9--Audit Planning
a. Background
Auditing Standard No. 9 describes the auditor's responsibilities
for planning an integrated audit or an audit of financial statements
only.
b. Planning and Supervision
The original proposed standard and the reproposed standard
discussed both audit planning and supervision, similar to AU sec. 311.
Some commenters observed that audit planning and supervision should be
covered in separate standards.
The Board agrees that audit planning and supervision of engagement
team members are distinct activities that should be covered in separate
standards. Accordingly, the Board has divided the requirements of the
reproposed planning and supervision standard into separate standards.
Dividing the requirements for planning and supervision into separate
standards does not affect the auditor's responsibilities for planning
the audit or supervising the work of engagement team members.
c. Responsibilities of the Engagement Partner
AU sec. 311 stated, ``The auditor with final responsibility for the
audit may delegate portions of the planning and supervision of the
audit to other firm personnel.'' Auditing Standard No. 9 uses the term
``engagement partner'' instead of ``auditor with final responsibility
for the audit'' and states more directly that the engagement partner is
responsible for properly planning the audit. The standard also allows
the engagement partner to seek assistance from appropriate engagement
team members in fulfilling his or her planning responsibilities.
Because the requirements in Auditing Standard No. 9 apply to the
engagement partner and engagement team members who assist the
engagement partner in planning the audit, the standard uses the term
``auditor,'' and a footnote was added to clarify that the requirements
in the standard apply to the engagement partner and other engagement
team members who participate in planning the audit.
d. Preliminary Engagement Activities
The reproposed standard included a note in paragraph 6 stating that
the decision regarding continuance of the client relationship and the
determination of compliance with independence and ethics requirements
were not limited to preliminary engagement activities and should be
reevaluated with changes in circumstances. One commenter expressed
concern that the note did not describe the changes in circumstances for
which it would be appropriate for the auditor to reevaluate these
decisions. The acceptance and continuance of the client relationship
are discussed in QC sec. 20, System of Quality Control for a CPA Firm's
Accounting and Auditing Practice. Other PCAOB standards discuss certain
circumstances that warrant reevaluating the client relationship.\183\
Auditors also may reevaluate their engagement acceptance decision for
other reasons. However, because auditors must comply with independence
and ethics requirements throughout the audit, the note was moved in
Auditing Standard No. 9 to modify paragraph 6.b. and revised to state
that determination of compliance with independence and ethics
requirements is not limited to preliminary engagement activities and
should be reevaluated upon changes in circumstances.
---------------------------------------------------------------------------
\183\ See, e.g., paragraphs .18-.21 of AU sec. 317, Illegal Acts
by Clients.
---------------------------------------------------------------------------
e. Planning Activities
The reproposed standard stated that, as part of establishing the
audit strategy and audit plan, the auditor should evaluate whether
certain matters specified in the standard are important to the
company's financial statements and internal control over financial
reporting (``internal control'') and, if so, how those matters would
affect the auditor's procedures. The requirement in the reproposed
standard was the same as in paragraph 9 of Auditing Standard No. 5,
thus extending its application to an audit of financial statements.
Evaluation of the matters listed in paragraph 7 of Auditing
Standard No. 9 can lead auditors to develop more effective audit
strategies and audit plans. For example, evaluation of those matters
can highlight areas that might warrant additional attention during the
auditor's risk assessment procedures, which, in turn, could affect the
audit procedures performed in response to the risks of material
misstatement. Also, evaluation of the internal control related matters
can help the auditor develop an appropriate audit strategy, e.g., in
determining accounts for which reliance on controls might be
appropriate in the audit of financial statements.
Some commenters suggested changes to the requirement, including
deleting some of the matters discussed in the requirement, moving other
matters elsewhere within the standard, or making specific revisions to
the language of the standard. Also, some commenters suggested using
``should consider'' instead of ``should evaluate.''
The Board considered the suggested changes to the standard and
determined that those changes would not substantially improve the
standard. Also, it is important for the language in this requirement to
be identical to the language in Auditing Standard No. 5 to emphasize
that this required procedure is to be performed only once in an
integrated audit, with the results of the procedure to be applied in
planning both the financial statement audit and the audit of internal
control. Also, reframing the requirement from ``should evaluate'' to
``should consider'' would
weaken the requirement. Therefore, Auditing Standard No. 9 retains the
wording from the reproposed standard.
f. Audit Strategy and Audit Plan
Auditing Standard No. 9 requires the auditor to take into account
certain matters when establishing the overall audit strategy, including
the reporting objectives of the engagement and the nature of the
communications required by PCAOB standards; the factors that are
significant in directing the activities of the engagement team; the
results of preliminary engagement activities and the auditor's
evaluation of certain important matters; and the nature, timing, and
extent of resources necessary to perform the engagement.\184\ These
matters generally relate to information that auditors obtain through
other required procedures. One commenter suggested that this
requirement should discuss the need for specialists. Auditing Standard
No. 9 was revised to include a reference to paragraph 16 regarding the
requirement for the auditor to determine whether specialized skill or
knowledge is needed to perform the engagement.
---------------------------------------------------------------------------
\184\ Paragraph 9 of Auditing Standard No. 9.
---------------------------------------------------------------------------
The reproposed standard required the auditor to develop and
document an audit plan that includes the planned nature, timing, and
extent of the risk assessment procedures. One commenter suggested that
it was unnecessary to document the timing of the risk assessment
procedures because risk assessment is an ongoing process that occurs
throughout the execution of the audit. Auditing Standard No. 9 retains
the requirement to document the timing of the risk assessment
procedures. Identifying and appropriately assessing the risks of
material misstatement provide a basis for designing and implementing
responses to the risks of material misstatement, so the timing of the
risk assessment procedures is important to determine the timing of
other audit procedures.
The reproposed standard also required the auditor to develop and
document the planned nature, timing, and extent of tests of controls
and substantive procedures. One commenter suggested that the
requirement should specify that the audit plan include planned tests at
the ``relevant assertion level.'' Auditing Standard No. 9 retains the
requirement as reproposed. Audit procedures are not performed only at
the assertion level, e.g., certain general audit procedures and tests
of certain entity-level controls in the audit of internal control over
financial reporting. Therefore, it is not appropriate to update the
standard with the suggested language.
g. Requirements for Multi-Location Engagements
Auditing Standard No. 9 establishes requirements that apply to
audits of companies with operations in multiple locations or business
units. Auditing Standard No. 9 requires the auditor to determine the
extent to which audit procedures should be performed at selected
locations or business units to obtain sufficient appropriate evidence
to obtain reasonable assurance about whether the consolidated financial
statements are free of material misstatement. This includes determining
the locations or business units at which to perform audit procedures,
as well as the nature, timing, and extent of the procedures to be
performed at those individual locations or business units. The auditor
is required to assess the risks of material misstatement to the
consolidated financial statements associated with the location or
business unit and correlate the amount of audit attention devoted to
the location or business unit with the degree of risk of material
misstatement associated with that location or business unit. Auditing
Standard No. 9 also lists factors that are relevant to the assessment
of the risks of material misstatement associated with a particular
location or business unit and the determination of the necessary audit
procedures. These requirements are risk-focused and aligned with the
requirements in Auditing Standard No. 5.
An example was added to one of the factors in Auditing Standard No.
9 to highlight that the auditor's consideration of risks associated
with a location or business unit includes whether significant unusual
transactions are executed at that location or business unit, e.g.,
whether certain transactions were conducted at the location or business
unit to achieve a particular accounting result. AU sec. 316 already
requires the auditor to perform procedures regarding significant
unusual transactions.
The reproposed standard included a statement, similar to Auditing
Standard No. 5, that ``The direction in paragraph 5 of Proposed
Auditing Standard, The Auditor's Responses to the Risks of Material
Misstatement, regarding incorporating an element of unpredictability in
the auditing procedures means that the auditor should vary the nature,
timing, and extent of audit procedures at locations or business units
from year to year.'' Some commenters stated that the statement in the
reproposed standard was unnecessarily prescriptive. After considering
the comments received, the requirement regarding unpredictability was
removed from the audit planning standard, and the requirements in
Auditing Standard No. 13, The Auditor's Responses to the Risks of
Material Misstatement, regarding incorporating an element of
unpredictability were expanded to include discussion of varying the
testing in the selected locations.\185\ However, this does not change
the requirements in Auditing Standard No. 5 regarding incorporating
unpredictability in testing controls at individual locations in audits
of internal control.\186\
---------------------------------------------------------------------------
\185\ Paragraph 5 of Auditing Standard No. 13.
\186\ Paragraphs 61 and B13 of Auditing Standard No. 5.
---------------------------------------------------------------------------
The reproposed standard included a requirement for the auditor to
determine the extent to which auditing procedures should be performed
at selected locations or business units to obtain sufficient
appropriate evidence to obtain reasonable assurance about whether the
consolidated financial statements are free of material misstatements.
One commenter was concerned that the use of the term ``consolidated
financial statements'' is inconsistent with the terminology used
elsewhere in the standards and that the financial statements of
companies with multiple divisions might not meet the definition of
consolidated. The use of ``consolidated financial statements'' is
consistent with the term used in Auditing Standard No. 5. The use of
the term ``consolidated'' applies to situations in which the company
has multiple locations or business units. Auditing Standard No. 9
retains the language as reproposed.
Some commenters requested clarification on how the requirements are
expected to be applied in audits in which part of the work is performed
by other auditors of financial statements of individual locations or
business units that are included in the consolidated financial
statements. A paragraph was added to Auditing Standard No. 9 to clarify
that the auditor should apply the requirements in paragraphs 11-13 to
determine the locations or business units for testing when the auditor
plans to use the work and reports of other independent auditors who
have audited the financial statements of one or more of the locations
or business units (including subsidiaries, divisions, branches,
components, or investments) that are included in the consolidated
financial statements. AU sec. 543, Part of Audit Performed by Other
Independent Auditors, describes the auditor's responsibilities when the
auditor uses the work and reports of other independent auditors.\187\
---------------------------------------------------------------------------
\187\ Paragraph 14 of Auditing Standard No. 9.
---------------------------------------------------------------------------
h. Persons With Specialized Skill or Knowledge
Auditing Standard No. 9 indicates that the auditor should determine
whether specialized skill or knowledge is needed to perform appropriate
risk assessments, plan or perform audit procedures, or evaluate audit
results. The responsibility has been extended from a similar
requirement in AU sec. 311 regarding considering whether specialized
information technology (``IT'') skill or knowledge is needed in an
audit. The requirement was extended to specialized skill or knowledge
in areas besides IT, e.g., valuation specialists, actuarial
specialists, income tax specialists, and forensic specialists, because
of the prevalent use of such individuals by auditors.
The reproposed standard included a note that described the term
``specialized skill or knowledge'' as persons engaged or employed by
the auditor who have specialized skill or knowledge. Some commenters
suggested that this note be removed because paragraph 17 included a
similar description. The note was removed from Auditing Standard No. 9
because it was unnecessary and redundant.
One commenter suggested revising the standard to require the
auditor to consider using a fraud specialist. The suggested requirement
to consider using a fraud specialist was not added to Auditing Standard
No. 9 because the requirement in the reproposed standard already covers
fraud specialists, and the types of specialized skill or knowledge that
might be needed on a particular audit depend on the particular
circumstances and the skill and knowledge of the engagement team.
Some commenters suggested that the requirements relating to the
involvement of specialists be reframed as ``assisting'' the auditor.
Such a formulation is too narrow to describe the range of involvement
of specialists, which could include providing assistance to the auditor
or actually performing audit procedures.
Paragraph 17 of Auditing Standard No. 9 describes the required
level of knowledge of the subject matter in terms of the general types
of procedures that the auditor should be able to perform with regard to
the person with specialized skill or knowledge. Paragraph 17, by
itself, does not impose procedural requirements for working with
persons with specialized skill or knowledge because those
responsibilities already are described in either the supervision
provisions of Auditing Standard No. 10, Supervision of the Audit
Engagement, or AU sec. 336, Using the Work of a Specialist, as
applicable.
5. Auditing Standard No. 10--Supervision of the Audit Engagement
a. Background
Auditing Standard No. 10 sets forth requirements for supervising
the audit engagement, including supervising the work of engagement team
members.
Auditing Standard No. 10 retains the basic requirements regarding
supervision from AU sec. 311, with changes to align the requirements
more closely with the other risk assessment standards. Auditing
Standard No. 10 does not change the responsibilities for supervision
from those in the supervision section of the reproposed standard on
audit planning and supervision. However, the language in the standard
has been revised in certain respects to describe more directly the
supervisory responsibilities of the engagement partner and engagement
team members who assist the engagement partner in supervision. As
discussed later in this section, the Board has separate
standards-setting projects regarding specialists and principal auditors, which
will likely result in changes to the auditor's responsibilities
regarding the auditor's use of specialists and use of other auditors,
and, in turn, may result in changes to Auditing Standard No. 10.
b. Planning and Supervision
As discussed in section II.C.4.b., the original proposed standard
and the reproposed standard included requirements for both audit
planning and supervision, similar to AU sec. 311. Some commenters
observed that audit planning and supervision should be covered in
separate standards.
The Board agrees that audit planning and supervision of engagement
team members are distinct activities that should be covered in separate
standards. Accordingly, the Board has divided the requirements of the
planning and supervision standard into separate standards. Dividing the
requirements for planning and supervision into separate standards does
not affect the auditor's responsibilities for planning the audit or
supervising the work of engagement team members.
c. Objective
When the requirements for planning and supervision were divided
into separate standards, the objective for supervision of the work of
engagement team members was adapted from the elements of proper
supervision in the reproposed standard. Auditing Standard No. 10
states, ``The objective of the auditor is to supervise the audit
engagement, including supervising the work of engagement team members
so that the work is performed as directed and supports the conclusions
reached.'' The revised objective does not alter the supervision
responsibilities included in the original proposed standard or the
reproposed standard.
d. Responsibilities of the Engagement Partner
AU sec. 311 stated, ``The auditor with final responsibility for the
audit may delegate portions of the planning and supervision of the
audit to other firm personnel.'' Auditing Standard No. 10 uses the term
``engagement partner'' instead of ``auditor with final responsibility
for the audit.''
Auditing Standard No. 10 states that the engagement partner is
responsible for the engagement and its performance. Accordingly, the
engagement partner is responsible for proper supervision of the work of
engagement team members and for compliance with PCAOB standards,
including standards regarding using the work of specialists,\188\ other
auditors,\189\ internal auditors,\190\ and others who are involved in
testing controls.\191\ As discussed previously, as the Board considers
changes to the auditor's responsibilities regarding the auditor's use
of specialists and use of other auditors, it also may consider changes
to Auditing Standard No. 10.
---------------------------------------------------------------------------
\188\ See Section II.C.5.f.
\189\ Ibid.
\190\ AU sec. 322, The Auditor's Consideration of the Internal
Audit Function in an Audit of Financial Statements.
\191\ Paragraphs 16-19 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Auditing Standard No. 10 allows the engagement partner to seek
assistance from appropriate engagement team members in fulfilling his
or her responsibilities pursuant to the standard. Engagement team
members who assist the engagement partner in supervision should comply
with the relevant requirements of Auditing Standard No. 10. The
requirements in PCAOB standards for assignment of responsibilities to
engagement team members also apply to assignments that involve
assisting the engagement
partner with his or her responsibilities pursuant to the standard.\192\
---------------------------------------------------------------------------
\192\ See, e.g., AU sec. 230.06 and paragraph 5 of Auditing
Standard No. 13, The Auditor's Responses to the Risks of Material
Misstatement.
---------------------------------------------------------------------------
e. Supervision of the Work of Engagement Team Members
Previously adopted PCAOB standards use either the term ``engagement
team members'' or the term ``assistants.'' Auditing Standard No. 10
uses ``engagement team members,'' which is consistent with the other
risk assessment standards. The Board is amending other PCAOB standards
to conform to this terminology.
Auditing Standard No. 10 describes the required supervisory
activities that should be performed by the engagement partner and, as
applicable, by other engagement team members with supervisory
responsibilities.\193\ Those activities include informing engagement
team members of their responsibilities and information relevant to
those responsibilities, directing engagement team members to bring
significant accounting and auditing issues arising during the audit to
the attention of the engagement partner or other engagement team
members performing supervisory activities, and reviewing the work of
engagement team members as described in the standard.
---------------------------------------------------------------------------
\193\ Paragraph 5 of Auditing Standard No. 10.
---------------------------------------------------------------------------
Auditing Standard No. 10 describes the factors that should be taken
into account in determining the necessary extent of supervision, i.e.,
the extent of supervision necessary so that the work of engagement team
members is performed as directed and appropriate conclusions are formed
based on the results of their work.\194\ Factors that affect the
necessary extent of supervision include the risks of material
misstatement, the nature of work assigned to the engagement team
member, and the nature of the company, which includes the
organizational structure of the company and its size and complexity.
The extent of supervision of the work of an individual engagement team
member increases or decreases, but cannot be eliminated, based on those
factors. For example, the extent of supervision should be commensurate
with the risks of material misstatement, which means, among other
things, that the higher risk areas of the audit require more
supervisory attention from the engagement partner.
---------------------------------------------------------------------------
\194\ Paragraph 6 of Auditing Standard No. 10.
---------------------------------------------------------------------------
One commenter suggested that the standard provide examples of
``levels of supervision in relation to review,'' such as face-to-face
review when reviewing higher risk areas. Auditing Standard No. 10 does
not prescribe a particular method of review, so the engagement partner
can determine the most effective way to comply with the requirements
regarding the necessary nature of supervisory activities and necessary
extent of supervision.
f. Persons with Specialized Skill or Knowledge and Other Auditors,
Accounting Firms, and Individual Accountants
Auditing Standard No. 10 states that the engagement partner is
responsible for, among other things, compliance with PCAOB standards
regarding using the work of specialists and refers to AU sec. 336.
AU sec. 336 applies to situations in which the auditor engages a
specialist in an area other than accounting or auditing and uses the
work of that specialist as audit evidence.\195\ Paragraphs 5-6 of
Auditing Standard No. 10 describe the nature and extent of the
supervisory activities necessary for proper supervision of a person
with specialized skill or knowledge who participates in the audit and
is either (a) employed by the auditor or (b) engaged by the auditor to
provide services in a specialized area of accounting or auditing. AU
sec. 336 has been amended to clarify when the auditor should look to
the supervisory requirements in Auditing Standard No. 10 instead of AU
sec. 336.
---------------------------------------------------------------------------
\195\ AU sec. 336 also applies to situations in which the
auditor uses the work of a specialist engaged or employed by
management. The discussion in this section of the release focuses on
the auditor's use of specialists who are employed or engaged by the
auditor.
---------------------------------------------------------------------------
AU sec. 543 describes the principal auditor's \196\
responsibilities for using the work and reports of other independent
auditors who have audited the financial statements of one or more
subsidiaries, divisions, branches, components, or investments included
in the financial statements presented. The principal auditor should
look to the requirements in AU sec. 543 \197\ in those situations. For
situations in which the auditor engages an accounting firm or
individual accountants to participate in the audit engagement and AU
sec. 543 does not apply,\198\ the auditor should supervise them in
accordance with the requirements of Auditing Standard No. 10. AU sec.
543 has been amended to emphasize those points.
---------------------------------------------------------------------------
\196\ AU sec. 543 uses the term ``principal auditor'' to refer
to the auditor who issues the audit report on the financial
statements presented.
\197\ For integrated audits, see also paragraphs C8-C11 of
Auditing Standard No. 5.
\198\ Examples of situations that are not covered by AU sec. 543
include loan staff arrangements.
---------------------------------------------------------------------------
It should be noted, however, that the Board has separate standards-
setting projects regarding specialists and principal auditors, which
will include comprehensive reviews of AU sec. 336 and AU sec. 543,
respectively, in light of, among other things, observations from the
Board's inspection activities. Those projects will likely result in
changes to the auditor's responsibilities regarding the auditor's use
of specialists and use of other auditors, and, in turn, may result in
changes to Auditing Standard No. 10.
g. Differences of Opinion Within an Engagement Team
The original proposed standard included a requirement, adapted from
AU sec. 311.14, that the engagement partner and other engagement team
members should make themselves aware of the procedures to be followed
when differences of opinion concerning accounting and auditing issues
exist among the engagement team members. Since the intention of
including this provision was to require adequate documentation of
disagreements, this paragraph was removed from the reproposed standard,
and the documentation requirements from the original proposed standard
were incorporated into an amendment to Auditing Standard No. 3, Audit
Documentation.\199\ The documentation requirements regarding
disagreements among members of the engagement team or with others
consulted on the engagement about final conclusions reached on
significant accounting or auditing matters include documenting the
basis for the final resolution of those disagreements. If an engagement
team member disagrees with the final conclusions reached, he or she
should document that disagreement.
---------------------------------------------------------------------------
\199\ Paragraph 12.d. of Auditing Standard No. 3.
---------------------------------------------------------------------------
One commenter indicated concern that the requirement for the
engagement partner and other engagement team members to be aware of how
disagreements should be handled has been removed. The commenter
indicated that disagreements are a sensitive area and that it is
important that engagement team members are aware of how disagreements
should be handled. In connection with the requirement to direct
engagement team members to bring significant accounting and auditing
issues to the attention of the engagement partner or other engagement
team members performing supervisory activities, Auditing Standard No.
10 also states that each engagement team member has a responsibility to
bring to the attention of
appropriate persons, disagreements or concerns the engagement team
member might have with respect to accounting and auditing issues that
he or she believes are of significance to the financial statements or
the auditor's report regardless of how those disagreements or concerns
may have arisen.\200\
---------------------------------------------------------------------------
\200\ Note to paragraph 5.b. of Auditing Standard No. 10.
---------------------------------------------------------------------------
6. Auditing Standard No. 11--Consideration of Materiality in Planning
and Performing an Audit
a. Background
Auditing Standard No. 11 discusses the auditor's responsibilities
for applying the concept of materiality, as described by the courts in
interpreting the federal securities laws, in planning the audit and
determining the scope of the audit procedures. The standard applies to
integrated audits and audits of financial statements only.
b. Materiality in the Context of an Audit
Auditing Standard No. 11 discusses the concept of materiality that
is applicable to audits performed in accordance with PCAOB standards,
which is the articulation of materiality used by the courts in
interpreting the federal securities laws.\201\ The Supreme Court of the
United States has held that a fact is material if there is ``a
substantial likelihood that the * * * fact would have been viewed by
the reasonable investor as having significantly altered the `total mix'
of information made available.'' \202\
---------------------------------------------------------------------------
\201\ Paragraph 2 of Auditing Standard No. 11.
\202\ See TSC Industries v. Northway, Inc., 426 U.S. 438, 449
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
---------------------------------------------------------------------------
Some commenters questioned the use of the court's articulation in
the reproposed standard and suggested that this articulation might be
difficult for auditors to apply. Also, some commenters asked whether
the use of this articulation of materiality, in contrast to the
quotation from a FASB Concept Statement\203\ used in AU sec. 312, was
intended to result in a change in audit practice.
---------------------------------------------------------------------------
\203\ Financial Accounting Standards Board Statement of
Financial Accounting Concepts No. 2, Qualitative Characteristics of
Accounting Information. FASB Concepts Statements are not included in
FASB's Codification of Accounting Standards.
---------------------------------------------------------------------------
Although the discussion of materiality in the accounting literature
might help auditors understand how accounting standards-setters view
materiality in the context of preparation and presentation of financial
statements, the concept of materiality that is relevant for audits to
which PCAOB standards apply is the concept used by the courts in
interpreting the Federal securities laws. Because the auditor has a
responsibility to plan and perform audit procedures to detect
misstatements that, individually or in combination with other
misstatements, would result in material misstatement of the financial
statements, it is important for the auditor to plan and perform his or
her audit procedures based on the applicable concept of materiality.
Accordingly, Auditing Standard No. 11 uses the concept of materiality
articulated by the courts.
Because the courts' articulation of the concept of materiality is
not new, using that articulation in Auditing Standard No. 11 is not
intended to result in changes in practice for most auditors. Auditing
Standard No. 11 emphasizes that an auditor's consideration of
materiality should reflect matters that would affect the judgment of a
reasonable investor.
c. Establishing a Materiality Level for the Financial Statements as a
Whole
Auditing Standard No. 11 requires the auditor to establish an
appropriate materiality level for the financial statements as a
whole.\204\ This materiality level should be established in light of
the particular circumstances based on factors that could influence the
judgment of a reasonable investor. The standard states that this
requirement includes consideration of the company's earnings and other
relevant factors. This statement is intended to emphasize that a
company's net earnings are often an important factor in the total mix
of information available to a reasonable investor, but Auditing
Standard No. 11 does not require the use of earnings as the basis for
the established materiality level in all cases. Other factors besides
earnings might be more relevant depending on the particular
circumstances, e.g., based on a company's industry or situations in
which the company's earnings were near zero. Auditors are expected to
consider the factors that would be relevant to the judgment of a
reasonable investor.
---------------------------------------------------------------------------
\204\ Paragraph 6 of Auditing Standard No. 11.
---------------------------------------------------------------------------
d. Qualitative Considerations
The concept of materiality involves consideration of both
quantitative and qualitative factors.\205\ Under Auditing Standard No.
11, qualitative considerations can affect the auditor's establishment
of materiality levels in the following ways:
---------------------------------------------------------------------------
\205\ Paragraph 3 of Auditing Standard No. 11.
---------------------------------------------------------------------------
Establishing a materiality level for the financial
statements as a whole that is appropriate in light of the particular
circumstances. This involves matters such as consideration of the
elements of the financial statements that are more important to a
reasonable investor and the level of misstatements that would influence
the judgment of a reasonable investor.
Establishing lower levels of materiality for certain
accounts or disclosures when, in light of the particular circumstances,
there are certain accounts or disclosures for which there is a
substantial likelihood that misstatements of lesser amounts than the
materiality level established for the financial statements as a whole
would influence the judgment of a reasonable investor. The requirement
in the standard \206\ is consistent with the principle of considering
the judgment of a reasonable investor when establishing materiality
levels because it recognizes that, in certain circumstances,
misstatements in some accounts might have more significant consequences
than in other accounts. The following are examples of such
circumstances:
---------------------------------------------------------------------------
\206\ Paragraph 7 of Auditing Standard No. 11.
---------------------------------------------------------------------------
  - Laws, regulations, or the applicable financial reporting
    framework affect investors' expectations about the measurement or
    disclosure of certain items, e.g., related party transactions and
    compensation of senior management.
  - Significant attention has been focused on a particular aspect
    of a company's business that is separately disclosed in the financial
    statements, e.g., a recent business acquisition.
  - Certain disclosures are particularly important to investors
    in the industry in which the company operates.
Auditing Standard No. 11 does not allow the auditor to establish a
materiality level for an account or disclosure at an amount that
exceeds the materiality level for the financial statements as a whole.
The reproposed standard included a statement, adapted from AU sec.
312, that ordinarily it is not practical to design audit procedures to
detect misstatements that are material based solely on qualitative
factors.\207\ One commenter suggested removing the word ``ordinarily''
from the statement because, in the commenter's view, it is not
practical to design audit procedures to detect misstatements that are
material based solely on qualitative factors. Auditing Standard No. 11
retains the
statement as proposed. This statement reflects the principle that
judgments about whether a particular misstatement is material involve
consideration of the particular circumstances, including the nature of
the misstatement and its effect on the financial statements. Also, if
an auditor is aware of potential misstatements that would be material
based on qualitative factors, he or she has a responsibility to design
audit procedures to detect such misstatements.
---------------------------------------------------------------------------
\207\ AU sec. 312.20.
---------------------------------------------------------------------------
e. Tolerable Misstatement
The reproposed standard required the auditor to determine tolerable
misstatement for purposes of assessing risks of material misstatement
and planning and performing audit procedures at the account or
disclosure level.\208\ Tolerable misstatement is a concept used in
determining the scope of audit procedures. AU sec. 350, Audit Sampling,
indicates that tolerable misstatement is the maximum amount of
misstatement in an account or a class of transactions that may exist
without causing the financial statements to be materially
misstated.\209\ Tolerable misstatement is required to be set at an
amount less than the materiality level for the financial statements as
a whole and for particular accounts or disclosures, if lower
materiality levels were established for particular accounts or
disclosures.
---------------------------------------------------------------------------
\208\ Paragraphs 8-9 of Auditing Standard No. 11.
\209\ AU sec. 350.18.
---------------------------------------------------------------------------
Some commenters suggested replacing the term ``tolerable
misstatement'' in the reproposed standard with the term ``performance
materiality,'' which is the term used in the International Standards on
Auditing (``ISA'').
The Board decided to retain the term ``tolerable misstatement'' in
its standards. The concept of tolerable misstatement is already
understood by auditors, and the Board is not seeking to change the
concept as described in PCAOB standards. Because the term ``performance
materiality'' uses the word ``materiality,'' it could be misunderstood,
e.g., by nonauditors, as having a meaning other than that intended in
the standard. The concept of materiality that applies to financial
statements of companies that are audited in accordance with PCAOB
standards is rooted in case law and reflects a reasonable investor's
perspective. In contrast, tolerable misstatement is a concept used in
audit scoping decisions at the account level, considering potential
uncorrected and undetected misstatement.
One commenter stated that the requirement to establish tolerable
misstatement eliminated the need to establish a lower level of
materiality for particular accounts or disclosures. However, the two
concepts are designed for different purposes. The requirement to
establish a lower materiality level is intended to address the need for
a lower threshold when, in light of the particular circumstances,
misstatements of lesser amounts have a substantial likelihood of
influencing the judgment of a reasonable investor. As mentioned
previously, tolerable misstatement is a concept used in audit scoping
decisions at the account level, considering potential uncorrected and
undetected misstatement.
The reproposed standard also required the auditor to take into
account the nature, cause (if known), and amount of misstatements that
were accumulated in audits of financial statements of prior periods.
One commenter suggested that the Board should clarify its intent
regarding this requirement and provide additional guidance regarding
its application. Tolerable misstatement is affected by the expected
level of misstatement in the account or disclosure, and the nature,
cause, and amount of misstatements from prior periods are relevant to
developing expectations about the level of misstatement. Generally, as
the expected level of misstatement increases, the amount of tolerable
misstatement decreases.
f. Consideration of Materiality for Multi-location Engagements
The reproposed standard included requirements for establishing
materiality levels in multi-location engagements. The reproposed
standard stated that when the auditor plans to perform procedures at
selected locations or business units, the auditor should establish the
materiality level for the individual locations or business units at an
amount that reduces to an appropriately low level the probability that
the total of uncorrected and undetected misstatements would result in
material misstatement of the consolidated financial statements. The
reproposed standard also stated that the materiality level for the
selected locations or business units generally should be lower than the
materiality level for the consolidated financial statements. Those
requirements were an application of the fundamental principles to
audits of consolidated financial statements of companies with multiple
locations or business units.
Some commenters suggested removing the word ``generally'' as it
could be misinterpreted as permitting the use of the materiality level
for the consolidated financial statements as a whole for planning and
performing audit procedures at the individual location or business unit
level. Other commenters questioned how the requirements would be
applied when a principal auditor makes reference to the report of
another auditor in the auditor's report on consolidated financial
statements in accordance with AU sec. 543.
After considering the comments, the Board has made certain
clarifying revisions to the requirements for multi-location
engagements.\210\ First, the language in the standard has been revised
to use the term ``tolerable misstatement'' for an individual location to
more clearly distinguish that term from the materiality level for the
financial statements as a whole. In addition, the requirements were
revised to state that tolerable misstatement for a location or business
unit should be less than the materiality level for the financial
statements as a whole. The word ``generally'' was removed from the
requirements to reduce the risk of misinterpretation of the provision.
Also, the phrase ``to be used in performing audit procedures'' has been
removed from the requirement to determine tolerable misstatement for
the individual locations or business units to avoid a misinterpretation
about the principal auditor's responsibilities for situations in which
the principal auditor makes reference to the report of the other
auditor in accordance with AU sec. 543. Auditing Standard No. 11
requires the principal auditor to determine tolerable misstatement for
the location or business unit audited by the other auditor, but the
principal auditor is not expected to impose that determination of
tolerable misstatement on the other auditor. Rather, tolerable
misstatement for the location or business unit audited by the other
auditor would be relevant to certain requirements under AU sec. 543
\211\ and in determining an appropriate amount of tolerable
misstatement for the remaining locations or business units included in
the consolidated financial statements.
---------------------------------------------------------------------------
\210\ Paragraph 10 of Auditing Standard No. 11.
\211\ For example, AU sec. 543.10 states that the auditor should
adopt measures to assure the coordination of the principal auditor's
activities with those of the other auditor in order to achieve a
proper review of matters affecting the consolidating or combining of
accounts in the financial statements.
---------------------------------------------------------------------------
g. Reevaluating the Materiality Level and Tolerable Misstatement
The reproposed standard stated that the established materiality
level and tolerable misstatement should be reevaluated if changes in
the particular circumstances or additional information come to the
auditor's attention that are likely to influence the judgment of a
reasonable investor. In addition, the reproposed standard provided
examples of situations that would require such reevaluation, and
additional examples were discussed in the release accompanying the
reproposed standards.
Some commenters suggested that the examples in the release should
be included in the reproposed standard. The examples in Auditing
Standard No. 11 have been revised to clarify the types of situations
that would require reevaluation of the established materiality level
and tolerable misstatement.
The reevaluation required by Auditing Standard No. 11 is important
because if that reevaluation results in a lower materiality level or
levels and tolerable misstatement than the auditor's initial
determination, the standard states that the auditor should (1) evaluate
the effect, if any, of the lower amount or amounts on his or her risk
assessments and audit procedures and (2) modify the nature, timing, and
extent of audit procedures as necessary to obtain sufficient
appropriate audit evidence.\212\
---------------------------------------------------------------------------
\212\ Paragraph 12 of Auditing Standard No. 11.
---------------------------------------------------------------------------
Auditing Standard No. 11 does not allow the auditor to modify the
established level or levels of materiality and tolerable misstatement
solely because they are approximately equal to or are exceeded by the
amount of uncorrected misstatements. Such a practice is inconsistent
with the requirement to reevaluate the established materiality level or
levels or tolerable misstatement if changes in the particular
circumstances or additional information come to the auditor's attention
that are likely to affect the judgments of a reasonable investor.
Rather, Auditing Standard No. 14 establishes requirements for
evaluating uncorrected misstatements \213\ and describes the auditor's
responsibilities in situations in which uncorrected misstatements
approach the established materiality level or levels used in planning and
performing an audit.\214\
---------------------------------------------------------------------------
\213\ Paragraphs 17-23 of Auditing Standard No. 14.
\214\ Paragraph 14.b. of Auditing Standard No. 14.
---------------------------------------------------------------------------
7. Auditing Standard No. 12--Identifying and Assessing Risks of
Material Misstatement
a. Background
Auditing Standard No. 12 describes the auditor's responsibilities
for the process of identifying and assessing risks of material
misstatement in an audit of financial statements only and in an
integrated audit. This process includes (1) performing information-
gathering procedures, known as risk assessment procedures, and (2)
identifying and assessing the risks of material misstatement using
information obtained from the risk assessment procedures.
As discussed in the release accompanying the reproposed standards,
the requirements in this standard are intended to improve the auditor's
risk assessments and ability to focus on areas of increased risk in
audits of financial statements only and in integrated audits. The
effectiveness of a risk-based audit depends on whether the auditor
identifies the risks of material misstatement and has an appropriate
basis for assessing those risks. Inappropriate identification or
assessment of risks of material misstatements can lead to overlooking
relevant risks to the financial statements, e.g., business conditions
that affect asset quality or create pressures to manipulate the
financial statements, or assessing risks too low without having an
appropriate basis for the assessment. In turn, these situations can
lead to misdirected or inadequate audit work.
Auditing Standard No. 12 employs a top-down approach to risk
assessment. Such an approach begins at the financial statement level
and with the auditor's overall understanding of the company and its
environment and works down to the significant accounts and disclosures
and their relevant assertions. Also, the requirements for performing
risk assessment procedures are designed to be scalable to companies of
varying size and complexity.
In an integrated audit, the risks of material misstatement affect
both the audit of financial statements and the audit of internal
control, so the risk assessment process described in Auditing Standard
No. 12 is a single process that applies to both the audit of
financial statements and the audit of internal control. Auditing
Standard No. 12 seeks to enhance the integration of the audit of
financial statements with the audit of internal control by aligning
these risk assessment standards with Auditing Standard No. 5.
Accordingly, Auditing Standard No. 12 reflects certain foundational
risk assessment principles from Auditing Standard No. 5 that also apply
to audits of financial statements. On the other hand, the provisions of
this standard also are designed to be tailored for audits of financial
statements only, e.g., the requirements relating to the understanding
of internal control over financial reporting.
b. Objective
Some commenters recommended that the Board revise the objective in
the reproposed standard to indicate that the auditor's identification
and assessment of risks are through an understanding of the company and
its environment. The objective in Auditing Standard No. 12 was retained
from the reproposed standard. The revision suggested by the commenters
is too narrow because Auditing Standard No. 12 requires other risk
assessment procedures beyond obtaining an understanding of the company
and its environment.
c. Performing Risk Assessment Procedures
The overarching requirement for risk assessment procedures in
Auditing Standard No. 12 is that the auditor should perform risk
assessment procedures that are sufficient to provide a reasonable basis
for the identification and assessment of the risks of material
misstatement, whether due to error or fraud, and to design further
audit procedures.\215\ Auditing Standard No. 12 discusses the auditor's
responsibilities for determining and performing the risk assessment
procedures necessary to satisfy that overarching requirement.\216\
---------------------------------------------------------------------------
\215\ Paragraph 4 of Auditing Standard No. 12. The phrase
``design further audit procedures'' applies to substantive
procedures and to tests of controls in the audit of financial
statements and the audit of internal control over financial
reporting.
\216\ Paragraphs 5-58 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Risks of material misstatement may exist at the financial statement
level or at the assertion level. Risks of material misstatement also
can arise from a variety of sources, including external factors, such
as conditions in the company's industry and environment, and company-
specific factors, such as the nature of the company, its activities,
and internal control over financial reporting. Since the risks of
material misstatement come from various sources, the auditor's risk
assessment procedures need to encompass both external factors and
company-specific factors. Auditing Standard No. 12 requires the
following risk assessment procedures:
[[Page 59378]]
Obtaining an understanding of the company and its
environment; \217\
---------------------------------------------------------------------------
\217\ Paragraphs 7-17 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Obtaining an understanding of the company's internal
control over financial reporting; \218\
---------------------------------------------------------------------------
\218\ Paragraphs 18-40 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Considering information from the client acceptance and
retention evaluation, audit planning activities, past audits, and other
engagements performed for the company; \219\
---------------------------------------------------------------------------
\219\ Paragraphs 41-45 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Performing analytical procedures; \220\
---------------------------------------------------------------------------
\220\ Paragraphs 46-48 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Conducting a discussion among engagement team members
regarding the risks of material misstatement; \221\ and
---------------------------------------------------------------------------
\221\ Paragraphs 49-53 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Inquiring of the audit committee, management, and others
within the company about the risks of material misstatement.\222\
---------------------------------------------------------------------------
\222\ Paragraphs 54-58 of Auditing Standard No. 12.
---------------------------------------------------------------------------
The reproposed standard required the auditor to perform risk
assessment procedures that are designed to help the auditor identify
the areas of greater risk, appropriately assess those risks, and design
and perform further audit procedures to address risks of material
misstatements in the financial statements, whether due to error or
fraud. One commenter suggested adding the phrase ``and to design
further audit procedures focused on the areas of greatest risk'' to the
end of the sentence in paragraph 4. The suggested language is not
included in Auditing Standard No. 12 because that principle is already
addressed in Auditing Standard No. 13.
One commenter on the reproposed standard asked for more discussion
of the connection between the components of audit risk and the risk
assessment process. That discussion has been added to Auditing Standard
No. 8.\223\
---------------------------------------------------------------------------
\223\ Paragraphs 8-11 of Auditing Standard No. 8.
---------------------------------------------------------------------------
d. Obtaining an Understanding of the Company and Its Environment
Like the reproposed standard, Auditing Standard No. 12 requires the
auditor to obtain an understanding of the company and its environment
to understand the events, conditions, and company activities that might
reasonably be expected to have a significant effect on the risks of
material misstatement (``obtaining an understanding of the
company'').\224\ These requirements are an expansion of requirements
that were in AU sec. 311 regarding obtaining knowledge of matters that
relate to the nature of the entity's business, its organization, and
its operating characteristics as part of audit planning.\225\ The
expanded requirements are intended to focus the auditor on the degree
of ``knowledge of the company'' that is necessary for a risk-based
audit and to explain how knowledge of the company informs the auditor's
identification and assessment of risk.
---------------------------------------------------------------------------
\224\ Paragraph 7 of Auditing Standard No. 12.
\225\ AU secs. 311.06-.09.
---------------------------------------------------------------------------
Auditing Standard No. 12 requires that the understanding of the
company and its environment include understanding the following:
Relevant industry, regulatory, and other external factors;
The nature of the company;
The company's selection and application of accounting
principles, including related disclosures;
The company's objectives and strategies and those related
business risks that might reasonably be expected to result in risks of
material misstatement; and
The company's measurement and analysis of its financial
performance.\226\
---------------------------------------------------------------------------
\226\ Paragraph 7 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Auditing Standard No. 12 requires the auditor to evaluate whether
significant changes in the company from prior periods, including
changes in its internal control over financial reporting, affect the
risks of material misstatement.\227\ This requirement builds on the
requirement in paragraph 7 of Auditing Standard No. 9 to evaluate
whether, among other things, the extent of recent changes, if any, in
the company, its operations, or its internal control over financial
reporting is important to the company's financial statements and
internal control over financial reporting and, if so, how those changes
will affect the auditor's procedures. PCAOB standards have recognized
that many risks of material misstatement arise due to changes in the
company. For example, AU sec. 319 listed the following examples of
circumstances that can result in risks or changes to existing risks:
changes in operating environment; new personnel; new or revamped
information systems; rapid growth; new technology; new business models,
products, or activities; corporate restructurings; expanded foreign
operations; and new accounting pronouncements.\228\
---------------------------------------------------------------------------
\227\ Paragraph 8 of Auditing Standard No. 12.
\228\ AU sec. 319.38.
---------------------------------------------------------------------------
Paragraphs 9-17 of Auditing Standard No. 12 explain more fully the
necessary understanding of the preceding aspects of the company and its
environment, e.g., what it means to obtain an understanding of the
nature of the company. The discussion of relevant industry, regulatory,
and other external factors is adapted from AU sec. 311. The discussion
of the nature of the company is also adapted from AU sec. 311 and has
been updated to reflect certain changes in business practices since AU
sec. 311 was originally issued (e.g., to encompass alternative
investments and financing arrangements and to recognize the development
of new business models).
One commenter said that the requirement to obtain an understanding
of the company and its environment should be revised because none of
the aspects of the company and its environment listed in paragraph 7 is
an event, condition, or company activity. However, the understanding of
those aspects should lead the auditor to obtain an understanding of
relevant events, conditions, and company activities. For example,
obtaining an understanding of relevant industry, regulatory, and
external factors helps an auditor understand the external conditions in
which the company operates that represent risks of material
misstatement at the financial statement level.
The reproposed standard contained a note about how the size and
complexity of the company can affect the risks of misstatement and the
controls necessary to address those risks. This note was intended to be
a reminder to auditors that both size and complexity affect risks. One
commenter stated that complexity rather than size is likely to heighten
risk. Auditing Standard No. 12 retains the note as reproposed.\229\ The
size and complexity of the company can affect the risks of misstatement
and the controls necessary to address those risks. Scaling the audit is
most effective as a natural extension of the risk-based approach and
applies to all audits, and the requirements in Auditing Standard No. 12
are intended to be scalable to companies of varying size and
complexity. Auditing Standard No. 12 contains certain notes regarding
scaling the audit based on a company's size and complexity.
---------------------------------------------------------------------------
\229\ First note to paragraph 10 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(i). Additional Procedures to Obtain an Understanding of the Company
and its Environment
The reproposed standard presented a list of procedures that the
auditor should consider performing as part of obtaining an
understanding of the company and its environment. These
[[Page 59379]]
procedures include reading public information about the company,
observing or reading transcripts of earnings calls, obtaining an
understanding of compensation arrangements with senior management, and
obtaining information about significant unusual developments regarding
trading activity in the company's securities. The auditor's decisions
about whether to perform one or more of the additional procedures and
the extent of those procedures depend on whether the matters addressed
in those procedures are important to the company's internal control or
financial statements and whether such procedures are necessary to meet
the overall requirements for obtaining an understanding of the company
and performing risk assessment procedures.
Members of the Board's Standing Advisory Group (``SAG'') suggested
that these matters could provide valuable information for identifying
risks of material misstatement, e.g., to obtain information about
business risks relevant to financial reporting or to identify
incentives or pressures on management to manipulate financial
results.\230\ Also, the Public Oversight Board, Panel on Audit
Effectiveness, Report and Recommendations (``PAE Report''), recommended
that auditors consider published analysts' reports and forecasts when
gaining an understanding of the company's business and industry,
assessing risks, and evaluating identified misstatements.\231\
---------------------------------------------------------------------------
\230\ February 16, 2005. Webcasts of SAG meetings are available
on the Board's Web site at: http://www.pcaobus.org/News_and_Events/Webcasts.
\231\ Public Oversight Board, Panel on Audit Effectiveness,
Report and Recommendations (August 31, 2000), p. 58.
---------------------------------------------------------------------------
Commenters requested clarification of the Board's expectations
regarding these procedures and expressed concern that the broad
language used to describe some of the procedures might lead auditors to
expend considerable efforts to decide and document whether to perform
certain procedures. This requirement is not intended to require
auditors to make a specific determination about each bit of data to
which a procedure might be applied, e.g., to document each individual
item of publicly available information to decide whether it should be
reviewed.
Instead, the intention is for auditors to consider whether and to
what extent such procedures should be performed to achieve the
objectives in paragraphs 4 and 7 of Auditing Standard No. 12. For
example, observing the company's earnings calls and other meetings with
investors is likely to provide important information about the
measurement and review of the company's financial performance,
particularly the performance measures monitored by investors and
analysts. Likewise, an understanding of compensation arrangements with
senior management often can provide important information about
incentives or pressures on management to manipulate the financial
statements.
Auditing Standard No. 12 was revised to clarify that considering
whether to perform the procedures listed in paragraph 11 also includes
consideration of the extent of the procedures.
(ii). Selection and Application of Accounting Principles, Including
Related Disclosures
PCAOB standards require auditors to obtain an understanding of the
accounting practices common to the industry and to evaluate the quality
of a company's accounting principles as part of his or her response to
fraud risks and in determining matters to be communicated to the audit
committee.\232\ Auditing Standard No. 12 imposes a responsibility to
obtain an understanding of the applicable financial reporting framework
and to evaluate whether the company's selection and application of
accounting principles are consistent with the applicable accounting
framework and the accounting principles used in the relevant
industry.\233\ Such procedures can provide important information for
identifying relevant matters such as (1) accounts that are susceptible
to misstatement, e.g., if an account balance is determined using
accounting principles that are inconsistent with the applicable
financial reporting framework or (2) more general conditions that
affect risks of material misstatement, e.g., if the company's selection
or application of accounting principles is more aggressive than
prevailing practices in the relevant industry.
---------------------------------------------------------------------------
\232\ See AU sec. 316 and AU sec. 380, Communication With Audit
Committees.
\233\ Paragraph 12 of Auditing Standard No. 12.
---------------------------------------------------------------------------
In connection with obtaining an understanding of the applicable
financial reporting framework and evaluating the company's selection
and application of accounting principles, including related
disclosures, Auditing Standard No. 12 requires the auditor to develop
expectations about the disclosures that are necessary for the company's
financial statements to be presented fairly in conformity with the
applicable financial reporting framework.\234\ The language in this
requirement was revised to clarify that the auditor should develop an
expectation about the disclosures as part of the risk assessment
procedures and that the expectations should be based on the disclosures
necessary for the fair presentation of the financial statements in
conformity with the applicable financial reporting framework.
---------------------------------------------------------------------------
\234\ Ibid.
---------------------------------------------------------------------------
Auditing Standard No. 12 also presents a list of matters that, if
present, are relevant to the necessary understanding of the company's
selection and application of accounting principles.\235\ The amount of
auditor attention devoted to an individual matter would depend on its
importance in meeting the overall requirements for obtaining an
understanding of the company and performing risk assessment
procedures.\236\
---------------------------------------------------------------------------
\235\ Paragraph 13 of Auditing Standard No. 12.
\236\ Paragraphs 4 and 7 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(iii). Company Objectives, Strategies, and Related Business Risks
The reproposed standard required the auditor to obtain an
understanding of the company's objectives, strategies, and related
business risks in order to identify those business risks that could
reasonably be expected to result in material misstatement of the
financial statements. The PAE Report recommended that auditors be
required to obtain an understanding of the company's business
risks.\237\
---------------------------------------------------------------------------
\237\ PAE Report, p. 20.
---------------------------------------------------------------------------
Commenters on the reproposed standard requested additional
discussion about business risks, including going concern risks, fraud
risks, and how business risks can result in misstatements of the
financial statements. Additional discussion has been added to Auditing
Standard No. 8 and Auditing Standard No. 12.\238\
---------------------------------------------------------------------------
\238\ Paragraph 6 of Auditing Standard No. 8 and the note to
paragraph 15 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Auditing Standard No. 12 discusses how business risks can lead to
misstatements and provides examples of business risks that may result
in a risk of material misstatement of the financial statements.\239\
However, the list of examples is meant to be illustrative rather than a
checklist of factors to consider. Auditors would need to consider the
business risks that are relevant to the particular company and
industry. For example, in today's economic environment, business risks
[[Page 59380]]
might include financing risks (e.g., access to necessary financing) or
product risks (e.g., investments in certain financial products).
---------------------------------------------------------------------------
\239\ Paragraphs 5 and 14-15 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(iv). The Company's Measurement and Analysis of its Financial
Performance
The risk assessment procedures in the reproposed standard included
obtaining an understanding of the company's performance measures. The
purpose of obtaining that understanding is to identify those
performance measures, whether external or internal, that affect the
risks of material misstatement. For example, understanding performance
measures can help the auditor identify accounts or disclosures that
might be susceptible to manipulation to achieve certain performance
targets (or to conceal failures to achieve those targets) or to
understand how management uses performance measures to monitor risks
affecting the financial statements.
Commenters requested clarification regarding the examples of
performance measures. A note was added to Auditing Standard No. 12 to
explain the significance of the individual examples.\240\
---------------------------------------------------------------------------
\240\ Paragraph 17 of Auditing Standard No. 12.
---------------------------------------------------------------------------
e. Obtaining an Understanding of Internal Control Over Financial
Reporting
Auditing Standard No. 12 describes the auditor's responsibilities
for obtaining an understanding of internal control over financial
reporting (``understanding of internal control''). Auditing Standard
No. 12 requires the auditor to obtain a sufficient understanding of
each component of internal control over financial reporting to (a)
identify the types of potential misstatements, (b) assess the factors
that affect the risks of material misstatement, and (c) design further
audit procedures.\241\ These requirements are, in substance, equivalent
to those in AU sec. 319, but the formulation in the proposed standard
is aligned more clearly with Auditing Standard No. 5. Like the
requirements in AU sec. 319, the requirements in Auditing Standard No.
12 indicate that although the auditor's primary focus is on internal
control over financial reporting, the auditor may obtain an
understanding of controls related to operations or compliance
objectives if they pertain to data that the auditor plans to use in
applying auditing procedures.\242\
---------------------------------------------------------------------------
\241\ Paragraph 18 of Auditing Standard No. 12.
\242\ Paragraph 19 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Auditing Standard No. 12 sets forth certain principles regarding
the sufficiency of the auditor's understanding of internal control. The
size and complexity of the company; the auditor's existing knowledge of
the company's internal control; the nature of the company's internal
controls, including the company's use of IT; the nature and extent of
changes in systems and operations; and the nature of the company's
documentation of its internal control over financial reporting affect
the nature, timing, and extent of procedures necessary to obtain an
understanding of internal control. For example, the auditor's
procedures to obtain an understanding of internal control would be more
extensive when the auditor plans to test controls more extensively
(e.g., in an integrated audit), the company's internal control is more
complex, or the company's controls have changed significantly.
The reproposed standard stated that the auditor's understanding of
internal control includes evaluating the design of controls and
determining whether the controls are implemented. Commenters observed
that the reproposed standard stated that walkthroughs that include the
necessary procedures ordinarily are sufficient to evaluate design
effectiveness, but the reproposed standard did not make a similar
statement about the use of walkthroughs to determine whether controls
have been implemented. Auditing Standard No. 12 has been revised to
include a statement that walkthroughs that include the procedures
described in the standard ordinarily are sufficient to determine
whether a control has been implemented.\243\ Under Auditing Standard
No. 12, as under AU sec. 319,\244\ the amount of audit attention
devoted to design and operating effectiveness will vary based on the
auditor's plan for testing controls. For example, if the auditor plans
to test controls, more attention should be devoted to controls that the
auditor plans to test.
---------------------------------------------------------------------------
\243\ Paragraph 20 of Auditing Standard No. 12.
\244\ AU sec. 319.58.
---------------------------------------------------------------------------
(i). Obtaining an Understanding of Individual Components of Internal
Control Over Financial Reporting
To describe the auditor's responsibilities for obtaining an
understanding of internal control, it was necessary to describe the
components of internal control over financial reporting. The components
described in Auditing Standard No. 12 are similar to those in AU sec.
319.\245\ Auditing Standard No. 12 also states that auditors may use
other suitable, recognized frameworks \246\ in accordance with the
provisions of the standard. If the auditor uses a suitable, recognized
internal control framework with components that differ from those in
the standard, the auditor should adapt the requirements in the standard
for the components in the framework used.\247\
---------------------------------------------------------------------------
\245\ Paragraph 21 of Auditing Standard No. 12.
\246\ See Securities Exchange Act Release No. 34-47986 (June 5,
2003) for a description of the characteristics of a suitable,
recognized framework.
\247\ Paragraph 22 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(ii). Control Environment
Auditing Standard No. 12 requires the auditor to assess the
following matters as part of obtaining an understanding of the control
environment:
Whether management's philosophy and operating style
promote effective internal control over financial reporting;
Whether sound integrity and ethical values, particularly
of top management, are developed and understood; and
Whether the board or audit committee understands and
exercises oversight responsibility over financial reporting and
internal control.\248\
---------------------------------------------------------------------------
\248\ Paragraph 24 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Although this requirement is aligned with a similar requirement in
Auditing Standard No. 5 for evaluating the control environment, the
auditor's process for assessing the control environment in an audit of
financial statements only is not expected to be the same as that
required when expressing an opinion on internal control over financial
reporting. For audits of financial statements only, Auditing Standard
No. 12 allows the auditor to base his or her assessment on evidence
obtained as part of obtaining an understanding of the control
environment and other relevant knowledge possessed by the auditor.\249\
---------------------------------------------------------------------------
\249\ Ibid.
---------------------------------------------------------------------------
Because of the importance of an effective control environment to
address fraud risks, Auditing Standard No. 12 states that if the
auditor identifies a control deficiency in the company's control
environment, the auditor should evaluate the extent to which this
control deficiency is indicative of a fraud risk factor.\250\
---------------------------------------------------------------------------
\250\ Paragraph 25 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(iii). The Company's Risk Assessment Process
Auditing Standard No. 12 requires the auditor to obtain an
understanding of management's risk assessment process for (a)
identifying risks relevant to financial reporting objectives, including
risks of material misstatement due to fraud, (b) assessing the
likelihood and significance of misstatements resulting from those
risks, and (c) deciding about
[[Page 59381]]
actions to address those risks.\251\ The standard also requires the
auditor to obtain an understanding of the risks of material
misstatement identified and assessed by management and the actions
taken to address those risks.\252\ Compliance with these requirements
will help make sure that the auditor's risk assessments are
appropriately informed by management's risk assessments and the
controls that management put in place to address the risks.
---------------------------------------------------------------------------
\251\ Paragraph 26 of Auditing Standard No. 12.
\252\ Paragraph 27 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(iv). Information and Communication
The reproposed standard required the auditor to obtain an
understanding of the information system, including the related business
processes, relevant to financial reporting. One commenter suggested
removing the requirement to understand the company's business
processes. The requirement was retained as reproposed.\253\ Obtaining
an understanding of the company's business processes assists the
auditor in obtaining an understanding of how transactions are
initiated, authorized, processed, and recorded. Also, the requirement
to understand business processes is a recommendation in the PAE
Report.\254\ Auditing Standard No. 12 describes the necessary
understanding of business processes to help auditors identify those
business processes that are relevant to financial reporting.\255\
---------------------------------------------------------------------------
\253\ Paragraph 28 of Auditing Standard No. 12.
\254\ PAE Report, p. 15.
\255\ Paragraphs 28-32 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Auditing Standard No. 12 also contains requirements for
understanding the period-end financial reporting process \256\ and
describes important elements of that process.\257\ Because the period-
end financial reporting process is a common source of potential
misstatements, it is important for the auditor to have an adequate
understanding of the aspects of the period-end financial reporting
process in all audits, including audits of financial statements only.
Auditing Standard No. 12 requires the auditor only to obtain an
understanding \258\ of the process, as compared to Auditing Standard
No. 5, which requires the auditor also to evaluate that process in the
audit of internal control.
---------------------------------------------------------------------------
\256\ AU sec. 319.49 used the term ``financial reporting process
used to prepare the entity's financial statements,'' but Auditing
Standard No. 12 uses the same term as used in Auditing Standard No.
5.
\257\ Paragraphs 28 and 32 of Auditing Standard No. 12.
\258\ Paragraph 20 of Auditing Standard No. 12 discusses
procedures that the auditor performs to obtain an understanding of
internal control.
---------------------------------------------------------------------------
To appropriately highlight the importance of IT risks in
determining the scope of the audit, the standard requires the auditor
to obtain an understanding of how IT affects the company's flow of
transactions. The standard also contains a note that states that the
identification of risks and controls within IT is not a separate
evaluation. Instead, it is an integral part of the approach used to
identify significant accounts and disclosures and their relevant
assertions and, when applicable, to select the controls to test, as
well as to assess risk and allocate audit effort.
Regarding the auditor's understanding of communication, one
commenter suggested that the standard clarify that the auditor should
understand how the company communicates financial reporting roles and
responsibilities and significant matters relating to financial
reporting. The requirement in Auditing Standard No. 12 has been revised
to clarify that point.\259\
---------------------------------------------------------------------------
\259\ Paragraph 33 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(v). Control Activities
The reproposed standard required the auditor to obtain an
understanding of control activities that is sufficient to assess the
factors that affect the risks of material misstatement and to design
further audit procedures. As under AU sec. 319, a more extensive
understanding of control activities is needed in areas in which the
auditor plans to test controls. Thus, for purposes of evaluating the
effectiveness of internal control over financial reporting in an
integrated audit, the auditor's understanding of control activities
encompasses a broader range of accounts and disclosures than that which
is normally obtained in an audit of financial statements only.
Some commenters expressed concern that the language in the
requirement could be misinterpreted as requiring the auditor to obtain
an understanding of all controls, even in an audit of financial
statements only in which the auditor does not plan to test controls. A
few commenters suggested framing the requirement in terms of
understanding control activities relevant to the audit.
The Board did not intend to expand the auditor's responsibilities
for obtaining an understanding of control activities beyond what is
required in AU sec. 319. The discussion in Auditing Standard No. 12 on
obtaining an understanding of control activities has been revised,
primarily using language adapted from AU sec. 319, to clarify that the
substance of the requirement has not changed.\260\
---------------------------------------------------------------------------
\260\ AU sec. 319.42 and paragraph 34 of Auditing Standard No.
12.
---------------------------------------------------------------------------
(vi). Performing Walkthroughs
The original proposed standard referred auditors to Auditing
Standard No. 5 for a discussion of the performance of walkthroughs.
Some commenters on the original proposed standard stated that the
standard should include a discussion of walkthroughs rather than
referring to Auditing Standard No. 5. The reproposed standard included
a discussion of performing walkthroughs as part of meeting certain
specified objectives, which paralleled a requirement in Auditing
Standard No. 5 \261\ regarding understanding likely sources of
potential misstatements. Some commenters expressed concerns that the
discussion would lead to unnecessary walkthroughs, particularly in
audits of financial statements only.
---------------------------------------------------------------------------
\261\ Paragraph 34 of Auditing Standard No. 5.
---------------------------------------------------------------------------
The intention of including the discussion of walkthroughs was to
explain how to perform walkthroughs rather than to impose requirements
regarding when walkthroughs should be performed. The standard has been
revised to focus on how the auditor should perform walkthroughs, e.g.,
in connection with understanding the flow of transactions in the
information system relevant to financial reporting, evaluating the
design of controls relevant to the audit, and determining whether those
controls have been implemented.\262\ The discussion of the objectives
for understanding likely sources of potential misstatements has been
removed from Auditing Standard No. 12, so those objectives would
continue to apply only to integrated audits.
---------------------------------------------------------------------------
\262\ Paragraph 37 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(vii). Relationship of Understanding of Internal Control to Tests of
Controls
Auditing Standard No. 12, like the reproposed standard, contains a
discussion about the relationship between obtaining an understanding of
controls and testing controls, including entity-level controls.\263\
The requirements in Auditing Standard No. 12 clarify that the objective
of obtaining an understanding of internal control as a risk assessment
procedure is different from testing controls for the purpose of
assessing control risk \264\ or for the purpose of expressing an
opinion on internal control over financial reporting
[[Page 59382]]
in the audit of internal control.\265\ The standard allows the auditor
the flexibility of obtaining an understanding of internal control
concurrently with performing tests of controls if he or she obtains
sufficient appropriate evidence to achieve the objectives of both
procedures.\266\
---------------------------------------------------------------------------
\263\ Paragraph 39 of Auditing Standard No. 12.
\264\ Paragraphs 16-31 of Auditing Standard No. 13.
\265\ Paragraph B1 of Auditing Standard No. 5.
\266\ Paragraph 39 of Auditing Standard No. 12.
---------------------------------------------------------------------------
f. Information Obtained from Past Audits and Other Engagements
(i). Information from Past Audits
The reproposed standard included a requirement for the auditor to
incorporate knowledge obtained during past audits into the auditor's
process for identifying risks of material misstatement. One commenter
asked for clarification of the meaning of the term ``incorporate.'' Two
commenters stated that the most important issue is to determine whether
information from past audits is still relevant.
The term ``incorporate'' is not new and should be familiar to most
auditors. For example, it has been used in AU sec. 316 regarding the
requirement to incorporate an element of unpredictability in the audit
in response to fraud risks. The requirement in the reproposed standard
was similar to a requirement in Auditing Standard No. 5 to incorporate
knowledge obtained during past audits in subsequent year audits of
internal control.\267\ Accordingly, the term has been retained in
Auditing Standard No. 12.
---------------------------------------------------------------------------
\267\ Paragraph 57 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Auditing Standard No. 12 also states that if the auditor plans to
limit the nature, timing, or extent of his or her risk assessment
procedures by relying on information from past audits, the auditor
should evaluate whether the prior-years' information remains relevant
and reliable.\268\
---------------------------------------------------------------------------
\268\ Paragraph 43 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(ii). Information from Other Engagements
The reproposed standard included a requirement for the auditor to
take into account relevant information obtained through other
engagements performed by the auditor for the company.\269\ This
requirement was intended to focus on the responsibility to take
relevant information into account in identifying and assessing risks
rather than to prescribe a particular method for obtaining that
information.
---------------------------------------------------------------------------
\269\ PCAOB Rule 1001, Definitions of Terms Employed in Rules,
states that, when used in rules of the PCAOB, unless the context
otherwise requires, ``[t]he term `auditor' means both public
accounting firms registered with the Public Company Accounting
Oversight Board and associated persons thereof.''
---------------------------------------------------------------------------
Some commenters suggested that the requirement should be limited to
consideration of other engagements performed by the engagement partner.
The suggested change would weaken the standard. Limiting the
consideration of information to engagements performed for the company
by the engagement partner is too narrow because it omits other
important information sources that are available to the engagement
team. Also, limiting the consideration to engagements performed by the
engagement partner is inconsistent with prior PCAOB standards. For
example, AU sec. 311.04 stated that procedures the auditor may consider
in planning an audit usually involve discussions with other firm
personnel, and included the following example: ``Discussing matters that
may affect the audit with firm personnel responsible for non-audit
services to the entity.'' Also, paragraph 03 of AU sec. 9311, Planning
and Supervision: Auditing Interpretations of Section 311, stated:
The auditor should consider the nature of non-audit services
that have been performed. He should assess whether the services
involve matters that might be expected to affect the entity's
financial statements or the performance of the audit, for example,
tax planning or recommendations on a cost accounting system. If the
auditor decides that the performance of the non-audit services or
the information likely to have been gained from it may have
implications for his audit, he should discuss the matter with
personnel who rendered the services and consider how the expected
conduct and scope of his audit may be affected. In some cases, the
auditor may find it useful to review the pertinent portions of the
work papers prepared for the non-audit engagement as an aid in
determining the nature of the services rendered or the possible
audit implications.
Other commenters suggested that the requirement be revised to use
more of the language from AU sec. 9311. The requirement in Auditing
Standard No. 12 \270\ has been revised as follows:
---------------------------------------------------------------------------
\270\ Paragraph 45 of Auditing Standard No. 12.
---------------------------------------------------------------------------
The auditor should obtain an understanding of the nature of the
services that have been performed for the company by the auditor or
affiliates of the firm\271\ and should take into account relevant
information obtained from those engagements in identifying risks of
material misstatement.\272\
---------------------------------------------------------------------------
\271\ See PCAOB Rule 3501(a)(i), which defines ``affiliate of
the accounting firm.''
\272\ Paragraph 7 of Auditing Standard No. 9.
---------------------------------------------------------------------------
One commenter stated that audit firms will need to develop very
costly reporting systems to enable them to convey relevant information
about nonassurance engagements to audit engagement teams. Existing
PCAOB and SEC rules already require firms to track and report nonaudit
services provided to the company. Complying with these requirements
would mean that the audit firms have a mechanism in place to track
these services. For example, PCAOB Rules 3524 \273\ and 3526 \274\
require the auditor to describe to the company's audit committee, among
other things, the scope of and the potential effect on independence of
other services provided by the firm. It is expected that the system
used to capture, track, and monitor these services for compliance with
these PCAOB independence rules would also be applicable to comply with
the requirements of Auditing Standard No. 12.
---------------------------------------------------------------------------
\273\ PCAOB Rule 3524, Audit Committee Pre-approval of Certain
Tax Services.
\274\ PCAOB Rule 3526, Communication With Audit Committees
Concerning Independence.
---------------------------------------------------------------------------
g. Performing Analytical Procedures
The reproposed standard retained requirements from AU sec. 329,
Analytical Procedures, to perform analytical procedures during the
planning phase of the audit.\275\ Such analytical procedures are, in
essence, risk assessment procedures, so the respective requirements and
direction have been incorporated into Auditing Standard No. 12.\276\
One commenter stated that it is unclear whether the PCAOB intends a
change in practice regarding the execution of analytical procedures
performed as risk assessment procedures, e.g., because the requirements
in the reproposed standard discussed developing expectations and
comparing them to recorded amounts. AU sec. 329 states that analytical
procedures involve developing expectations and comparing those
expectations to recorded amounts.\277\
---------------------------------------------------------------------------
\275\ AU secs. 329.06-.08.
\276\ Paragraphs 46-48 of Auditing Standard No. 12.
\277\ AU sec. 329.05.
---------------------------------------------------------------------------
Auditing Standard No. 12 states that analytical procedures
performed as risk assessment procedures often use data that is
preliminary or data that is aggregated at a high level and that in
those instances such analytical procedures are not designed with the
level of precision necessary for substantive analytical
procedures.\278\ In those situations, the auditor's expectations in
performing analytical procedures as risk assessment procedures do not
require the same
[[Page 59383]]
degree of precision as substantive analytical procedures.
---------------------------------------------------------------------------
\278\ Paragraph 48 of Auditing Standard No. 12.
---------------------------------------------------------------------------
h. Conducting a Discussion Among Engagement Team Members Regarding
Risks of Material Misstatement
Like the reproposed standard, Auditing Standard No. 12 includes a
requirement that key engagement team members discuss (1) the company's
selection and application of accounting principles, including related
disclosure requirements and (2) the susceptibility of the company's
financial statements to material misstatement due to error or
fraud.\279\ The standard explains that key engagement team members
include the engagement partner and all engagement team members who have
significant engagement responsibilities.\280\ The term ``significant
engagement responsibilities'' should be familiar to auditors because it
is already used in AU sec. 316 regarding the appropriate assignment of
engagement team members in the overall responses to fraud risks.
---------------------------------------------------------------------------
\279\ Paragraph 49 of Auditing Standard No. 12.
\280\ Paragraph 50 of Auditing Standard No. 12.
---------------------------------------------------------------------------
One commenter stated that the requirement for participation in the
discussion among engagement team members in the reproposed standard
should be revised to use the language in ISA 315, Identifying and
Assessing the Risks of Material Misstatement through Understanding the
Entity and its Environment, so that the engagement partner makes the
determination of what needs to be reported to whom on a ``need to
know'' basis.
The language in Auditing Standard No. 12 was retained as
reproposed. The Board believes that the discussion among engagement
team members is an important part of the auditor's risk assessment
procedures. Through its oversight activities, the Board has observed
deficiencies relating to discussions among engagement team members
regarding fraud risks, including instances in which key engagement team
members did not participate.\281\
---------------------------------------------------------------------------
\281\ PCAOB Release 2007-001, Observations on Auditors'
Implementation of PCAOB Standards Relating to Auditors'
Responsibilities with Respect to Fraud (January 22, 2007).
---------------------------------------------------------------------------
(i). Discussion of the Potential for Material Misstatement Due to Fraud
A number of comments were received regarding the requirements for
discussing the risks of material misstatement due to fraud.
One commenter suggested that the standard should require the
auditor to consider using a fraud specialist. The Board believes that
this point is already covered by the requirement in Auditing Standard
No. 9 to evaluate whether a person with specialized skill or knowledge
is needed to assess risks.\282\
---------------------------------------------------------------------------
\282\ Paragraphs 16-17 of Auditing Standard No. 12.
---------------------------------------------------------------------------
One commenter suggested that the requirement to discuss how the
financial statements could be materially misstated through omitting or
presenting incomplete disclosures also should include the possibility
of presenting inaccurate disclosures. The requirement has been revised
to include that topic.\283\ Another commenter stated that the standard
should provide more ``guidance'' about how fraud risks relate to
disclosures. The manner in which management might intentionally omit
disclosures or present inaccurate or incomplete disclosures to commit
or conceal intentional misstatement of the financial statements
necessarily depends on the circumstances, including the incentives or
pressures and the opportunities to manipulate the financial statements.
The discussion of fraud risks required by the standard should prompt
engagement team members to consider ways in which omissions or
inaccuracies in disclosures might be involved with fraudulent financial
reporting.
---------------------------------------------------------------------------
\283\ Paragraph 52 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Another commenter stated that the requirement for the auditor to
emphasize certain matters regarding fraud to the engagement team
members during the fraud risk discussion does not assign the
responsibility to a specific person. The requirement focuses on the
communication of important matters rather than on the person
communicating the matters. Since the engagement partner has the overall
responsibility for the audit engagement, the engagement partner is
likely to be the most appropriate person to make the communications.
However, Auditing Standard No. 12 allows the communications to be made
by another engagement team member, when appropriate.
(ii) Communication Among Engagement Team Members
Auditing Standard No. 12 states that communication among the
engagement team members about significant matters affecting the risks
of material misstatement should continue throughout the audit,
including when conditions change. This requirement carries forward and
builds upon a requirement in AU sec. 316.\284\
---------------------------------------------------------------------------
\284\ AU sec. 316.18.
---------------------------------------------------------------------------
i. Inquiring of the Audit Committee, Management, and Others Within the
Company About the Risks of Material Misstatement
Like the reproposed standard, Auditing Standard No. 12 requires the
auditor to make inquiries of the audit committee, or equivalent (or its
chair), management, the internal audit function, and others within the
company who might reasonably be expected to have information that is
important to the identification and assessment of risks of material
misstatement.\285\ The requirement to inquire of others who ``might
reasonably be expected to have information'' is similar to a
requirement in AU sec. 316 for making inquiries of others about the
existence or suspicion of fraud, and it establishes a principle to
guide the auditor in determining those other persons to whom the
inquiries should be addressed.\286\
---------------------------------------------------------------------------
\285\ Paragraph 54 of Auditing Standard No. 12.
\286\ AU sec. 316.24.
---------------------------------------------------------------------------
(i). Inquiries Regarding Fraud Risks
The reproposed standard also required the auditor to make inquiries
of the audit committee (or its chair), management, the internal audit
function, and others within the company about the risks of fraud.
Commenters suggested that the requirements for identifying other
individuals within the company to whom inquiries should be directed
should include determining the extent of such inquiries. Auditing
Standard No. 12 reflects the suggested revision to that requirement
because inquiries of other individuals should be designed to obtain
information relevant to identifying and assessing fraud risks.\287\
---------------------------------------------------------------------------
\287\ Paragraph 57 of Auditing Standard No. 12.
---------------------------------------------------------------------------
The reproposed standard included a requirement to take into account
the fact that management is often in the best position to commit fraud
when evaluating management's responses to inquiries about fraud risks
and determining when it is necessary to corroborate management's
responses. One commenter stated that the requirement was unclear and
the use of the term ``take into account'' did not seem consistent with
the Board's explanation in the release accompanying the reproposed
standards. This requirement has been revised to clarify the requirement
and to use ``take into account'' in a manner that is consistent with
the other PCAOB standards.\288\
---------------------------------------------------------------------------
\288\ Paragraph 58 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Auditing Standard No. 12 requires that the auditor use his or her
[[Page 59384]]
knowledge of the company and its environment, as well as information
from other risk assessment procedures, to determine the nature of the
inquiries about risks of material misstatement. This requirement
carries forward and builds upon a requirement in AU sec. 316.\289\
---------------------------------------------------------------------------
\289\ AU sec. 316.24.
---------------------------------------------------------------------------
Auditing Standard No. 12 includes an additional required inquiry of
the internal auditor about whether he or she is aware of instances of
management override of controls and the nature and circumstances of
such overrides. Also, Auditing Standard No. 12 requires the auditor to
make inquiries of management and the audit committee, or equivalent,
regarding tips or complaints about the company's financial
reporting.\290\ These required inquiries were added in light of
research indicating that many incidents of fraud are uncovered through
tips.\291\ These inquiries can provide important evidence about fraud
risks.
---------------------------------------------------------------------------
\290\ Paragraph 56 of Auditing Standard No. 12.
\291\ See, e.g., Association of Certified Fraud Examiners, 2008
Report to the Nation on Occupational Fraud & Abuse (2008).
---------------------------------------------------------------------------
Auditing Standard No. 12 requires the auditor, when evaluating
management's responses to inquiries about fraud risks and determining
when it is necessary to corroborate management's responses, to take
into account the fact that management is often in the best position to
commit fraud. The standard also requires the auditor to obtain evidence
to address inconsistencies in responses to inquiries. This requirement
carries forward and builds upon a requirement in AU sec. 316.\292\
---------------------------------------------------------------------------
\292\ AU sec. 316.27.
---------------------------------------------------------------------------
j. Identifying and Assessing the Risks of Material Misstatement
Auditing Standard No. 12 sets forth a process for identifying and
assessing the risks of material misstatement using the information
obtained from the risk assessment procedures and other relevant
knowledge possessed by the auditor.\293\ This process involves:
---------------------------------------------------------------------------
\293\ Under Auditing Standard No. 12, the auditor has a
responsibility to perform risk assessment procedures that provide an
appropriate basis for his or her risk assessment. Auditing Standard
No. 12 does not include the provision in the prior interim standards
that allowed the auditor to assess risk at the maximum solely for
efficiency reasons. Rather, the auditor needs to have a sufficient
understanding of the company and its environment, including its
internal control, in order to determine the risks of material
misstatement and, in turn, to design effective tests of controls and
substantive procedures.
---------------------------------------------------------------------------
Identifying risks of misstatement using information
obtained from risk assessment procedures and considering the
characteristics of the accounts and disclosures in the financial
statements.
Evaluating whether the identified risks relate pervasively
to the financial statements as a whole and potentially affect many
assertions.
Evaluating the types of potential misstatements that could
result from the identified risks and the accounts, disclosures, and
assertions that could be affected. This includes evaluating how risks
at the financial statement level could affect risks at the assertion
level.
Assessing the likelihood of misstatement, including the
possibility of multiple misstatements, and the magnitude of potential
misstatement to assess the possibility that the risk could result in
material misstatement of the financial statements. In making this
assessment, the auditor may take into account the planned degree of
reliance on controls that the auditor plans to test, if the auditor
performs tests of controls in accordance with PCAOB standards.
Identifying significant accounts and disclosures and their
relevant assertions.
Determining whether any of the identified and assessed
risks of material misstatement are significant risks.\294\
---------------------------------------------------------------------------
\294\ Paragraph 59 of Auditing Standard No. 12.
---------------------------------------------------------------------------
One commenter suggested that the word ``material'' should be
inserted before the word ``misstatement'' in paragraph 56.a. of the
reproposed standard. No change was made to Auditing Standard No. 12
because inserting the word ``material'' would inappropriately narrow
the auditor's focus on only material risks too early in the process of
identifying and assessing risks of misstatement, i.e., before assessing
the likelihood and magnitude of potential misstatements related to the
risks.
Commenters suggested that the standard should clarify that the
likelihood and magnitude of potential misstatements should be
considered in determining which risks are significant risks. Auditing
Standard No. 12 includes an additional requirement that states, ``To
determine whether an identified and assessed risk is a significant
risk, the auditor should evaluate whether the risk requires special
audit consideration because of the nature of the risk or the likelihood
and potential magnitude of misstatement related to the risk.'' \295\
Also, the list of factors that should be evaluated in determining which
risks are significant risks was expanded to include ``the effect of the
quantitative and qualitative risk factors discussed in paragraph 60 of
the standard [on identifying significant accounts and disclosures and
their relevant assertions] on the likelihood and potential magnitude of
misstatements.'' \296\ Including this new factor highlights the
relationship between the identification of significant accounts and
disclosures and their relevant assertions and the identification of
significant risks. Specifically, risk factors that form the basis for
identifying significant accounts and disclosures and their relevant
assertions also inform the identification of significant risks, and
significant risks affect one or more relevant assertions of significant
accounts or disclosures.
---------------------------------------------------------------------------
\295\ Paragraph 70 of Auditing Standard No. 12.
\296\ Paragraph 71 of Auditing Standard No. 12.
---------------------------------------------------------------------------
Another commenter on the reproposed standard suggested that the
term ``likelihood'' be defined more in terms of reasonable possibility
as that term is used in Auditing Standard No. 5. However, that change
would be inconsistent with the requirement to assess the likelihood of
misstatements, i.e., the possibility that the risk would result in
misstatement of the financial statements.
One commenter indicated that the requirement in the note to
paragraph 59.c. of the reproposed standard ``inappropriately infers
that the auditor should, and can, associate the risks at the financial
statement level with particular assertions in order to assess risks at
the assertion level.'' Auditing Standard No. 8 states that risks of
material misstatement at the financial statement level have a pervasive
effect on the financial statements as a whole and potentially affect
many assertions, and the standard provides examples of how risks at the
financial statement level can result in misstatements.\297\ It is
important for the auditor to take into account risks of material
misstatement at the financial statement level in order to evaluate
types of misstatements that could occur.
---------------------------------------------------------------------------
\297\ Paragraph 6 of Auditing Standard No. 8.
---------------------------------------------------------------------------
Under PCAOB standards, significant accounts and disclosures and
their relevant assertions are identified based upon their risk
characteristics. Thus, the auditor needs to identify and assess the
risks in order to identify the relevant assertions of significant
accounts and disclosures in accordance with PCAOB standards. For
example, Auditing Standard No. 5 requires the auditor to identify
significant accounts and disclosures and their relevant assertions in
integrated audits.\298\ Also, AU sec. 319 required the auditor to
perform substantive procedures for the relevant assertions of
significant accounts and
[[Page 59385]]
disclosures for all audits of financial statements, which implicitly
required the auditor to identify those accounts, disclosures, and
assertions.\299\ Auditing Standard No. 12 imposes a more explicit
requirement on the auditor to identify significant accounts and
disclosures and their relevant assertions in all audits.
---------------------------------------------------------------------------
\298\ Paragraph 28 of Auditing Standard No. 5.
\299\ Ibid.
---------------------------------------------------------------------------
(i). Factors Relevant To Identifying Fraud Risks
Auditing Standard No. 12 requires that the auditor evaluate whether
the information gathered from the risk assessment procedures indicates
that one or more fraud risk factors are present and should be taken
into account in identifying and assessing fraud risks.\300\ The
reproposed standard included a paragraph that stated that the auditor
should not assume that all of the fraud risk factors discussed in must
be observed to conclude that a fraud risk exists. Commenters suggested
that the language was not clear as to the action that auditors would
need to take to ``not assume.'' The paragraph has been revised to
clarify that all of the conditions are not required to be observed or
evident to conclude that a fraud risk exists.\301\
---------------------------------------------------------------------------
\300\ Paragraph 65 of Auditing Standard No. 12.
\301\ Paragraph 66 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(ii). Consideration of the Risk of Omitted or Incomplete
Disclosures
The reproposed standard stated that the auditor's evaluation of
fraud risk factors should include an evaluation of how fraud could be
perpetrated or concealed by omitting required disclosures or by
presenting incomplete disclosures. One commenter stated that the
requirement should also include consideration of the possibility of
presenting inaccurate disclosures. Other commenters stated that the
requirement should be revised to refer to disclosures required by the
applicable financial reporting framework. The requirement has been
revised to encompass inaccurate disclosures and to refer to disclosures
required for the fair presentation of the financial statements in
conformity with the applicable financial reporting framework.\302\
---------------------------------------------------------------------------
\302\ Paragraph 67 of Auditing Standard No. 12.
---------------------------------------------------------------------------
(iii). Presumption of Fraud Risk Involving Improper Revenue Recognition
Like the reproposed standard, Auditing Standard No. 12 contains a
requirement that the auditor should presume that there is a fraud risk
involving improper revenue recognition and evaluate which types of
revenue, revenue transactions, or assertions may give rise to such
risks.\303\ One commenter recommended rewording this paragraph to state
that while revenue recognition should be presumed to be a higher level
of risk, there are exceptions. The requirement was retained as stated
in the reproposed standard because a significant number of financial
reporting frauds relate to revenue recognition.\304\
---------------------------------------------------------------------------
\303\ Paragraph 68 of Auditing Standard No. 12.
\304\ See, e.g., Committee of Sponsoring Organizations of the
Treadway Commission, Fraudulent Financial Reporting: 1998-2007 (May
2010).
---------------------------------------------------------------------------
k. Definition of Significant Risk
The reproposed standard defined significant risk as a risk of
material misstatement that requires special audit consideration. Some
commenters stated that the definition of ``significant risk'' in the
reproposed standard should be revised to indicate that significant
risks are ``identified risks'' and that they are determined using the
``auditor's judgment'' or risks that the auditor ``determines.'' Adding
a reference to the auditor's determination or auditor's judgment is
unnecessary because those points are inherent in the requirements for
identifying significant risks, e.g., in the required evaluation of the
likelihood and potential magnitude of misstatements related to the
risk. Similarly, the reference to ``identified risks'' is unnecessary
because it is already mentioned in the requirement for determining
significant risks. Accordingly, the definition of significant risk
included in the reproposed standard is retained.
8. Auditing Standard No. 13--The Auditor's Responses to the Risks of
Material Misstatement
a. Background
Auditing Standard No. 13 establishes requirements for responding to
the risks of material misstatement, including responses regarding the
general conduct of the audit and responses involving audit procedures.
Auditing Standard No. 13 applies to integrated audits and audits of
financial statements only.
b. Linking Assessed Risks and Auditor's Responses
The reproposed standard included a requirement for the auditor to
design and implement appropriate responses to the ``assessed risks of
material misstatement'' to address comments received on the original
proposed standard for improving the linkage between the auditor's
responses and the identification and assessment of risks of material
misstatement. Acknowledging the improvements in the reproposed
standard, some commenters continued to suggest that the objective also
should state that the auditor is to address the assessed risks of
material misstatement.
In the Board's view, obtaining sufficient appropriate evidence to
support the auditor's opinion requires the auditor to adequately
respond to the risks of material misstatement. Accordingly, the title
and objective of the standard continue to refer to responding to the
risks of material misstatement. However, the Board recognizes that the
appropriate identification and assessment of the risks of material
misstatement in accordance with Auditing Standard No. 12 enable the
auditor to effectively respond to the risks of material misstatement.
Auditing Standard No. 13 continues to impose on auditors an
unconditional responsibility to design and implement responses that
address the risks of material misstatement identified and assessed in
accordance with Auditing Standard No. 12.\305\ As with the reproposed
standard, noncompliance with the requirements in Auditing Standard No.
12 that leads to a failure to identify or appropriately assess a risk
of material misstatement also could result in a failure to
appropriately respond to the risk of material misstatement in
accordance with this standard.\306\
---------------------------------------------------------------------------
\305\ Paragraph 3 of Auditing Standard No. 13.
\306\ Failure to address a risk of material misstatement also
might indicate a failure to comply with Auditing Standard No. 12.
---------------------------------------------------------------------------
c. Overall Responses to Risks
The reproposed standard included a requirement for the auditor to
respond to the risks of material misstatement through overall responses
and responses involving the nature, timing, and extent of audit
procedures. Overall responses relate to the general conduct of the
audit, e.g., appropriately assigning and properly supervising
engagement team members, incorporating an element of unpredictability
into the audit, evaluating the company's selection and application of
significant accounting principles, and making pervasive changes to the
audit. Such responses are required by AU sec. 316 in response to fraud
risks, but the reproposed standard extended the requirement to apply to
risks of material misstatement due to error or fraud. These responses,
by their nature, are appropriate for addressing risks of material
misstatement due to error or fraud.
Some commenters expressed concerns regarding the expansion of the
requirement for incorporating an
[[Page 59386]]
element of unpredictability to apply to risks of material misstatement
other than fraud risks.
In the Board's view, although incorporating an element of
unpredictability is intended primarily to address fraud risks, it also
can enable the auditor to detect errors or control deficiencies that
could otherwise remain undetected. In addition, the requirement to
incorporate an element of unpredictability when testing controls
already exists in Auditing Standard No. 5. Auditing Standard No. 13
continues to indicate that the auditor should incorporate an element of
unpredictability as part of the response to the risks of material
misstatement, including fraud risks.\307\
---------------------------------------------------------------------------
\307\ Paragraph 5.c. of Auditing Standard No. 13.
---------------------------------------------------------------------------
One commenter requested clarification regarding the differences
between the first and third examples used to illustrate ways to
incorporate an element of unpredictability in paragraph 5.c. of the
reproposed standard. The first example in Auditing Standard No. 13 is
intended to illustrate that the auditor may decide to perform audit
procedures for a particular account, disclosure, or assertion even
though the auditor's risk assessment did not identify specific risks
associated with those accounts.\308\ The third example is intended to
illustrate that when sampling a particular financial statement amount,
the auditor may consider selecting items with amounts lower than the
threshold that the auditor had used in the past, or expanding the
selection to other sections of the population that the auditor had not
tested in the past.\309\
---------------------------------------------------------------------------
\308\ Paragraph 5.c. (1) of Auditing Standard No. 13.
\309\ Paragraph 5.c. (3) of Auditing Standard No. 13.
---------------------------------------------------------------------------
The reproposed standard required the auditor to evaluate whether it
is necessary to make pervasive changes to the audit to adequately
address the assessed risks of material misstatement. The reproposed
standard did not require that pervasive changes be made in every audit.
Instead, it required the auditor to evaluate whether pervasive changes
that affect many aspects of the audit are needed to address the
assessed risks of material misstatement. Commenters questioned the use
of the term ``pervasive'' in the requirement. Auditing Standard No. 13
provides additional explanation of the types of circumstances in which
pervasive changes might be necessary.\310\
---------------------------------------------------------------------------
\310\ Paragraph 6 of Auditing Standard No. 13.
---------------------------------------------------------------------------
Existing PCAOB standards require the auditor to apply professional
skepticism as part of due care,\311\ and Auditing Standard No. 13
states that the auditor's response to fraud risks involves the
application of professional skepticism in gathering and evaluating
audit evidence.\312\ The requirement is intended to emphasize the
importance of professional skepticism in responding to risks of
material misstatement without limiting its application to the auditor's
responses.
---------------------------------------------------------------------------
\311\ AU secs. 230.07-.09.
\312\ Paragraph 7 of Auditing Standard No. 13.
---------------------------------------------------------------------------
One commenter expressed concern that the reproposed standard did
not explicitly require the auditor to implement overall responses to
risks at the financial statement level. Such an explicit requirement
would inappropriately limit the auditor's overall responses to risks at
the financial statement level. Many of the overall responses also apply
to risks at the assertion level, e.g., assigning more experienced
personnel or applying a greater extent of supervision to accounts or
disclosures with higher risk.
d. Responses Involving the Nature, Timing, and Extent of Audit
Procedures
The reproposed standard required the auditor to design and perform
audit procedures in a manner that addresses the assessed risks of
material misstatement for each relevant assertion of each significant
account and disclosure. Auditing Standard No. 13 retained this
requirement as reproposed. The requirement emphasizes that the auditor
should focus on each relevant assertion of each significant account and
disclosure and the risks of material misstatement associated with the
relevant assertion when designing and performing audit procedures.
The reproposed standard also included requirements for the auditor
to design the testing of controls to accomplish the objectives of both
the audit of financial statements and the audit of internal control in
an integrated audit. This requirement is aligned with Auditing Standard
No. 5. One commenter suggested that the requirement be removed
because it relates only to integrated audits. The requirement was
retained as reproposed because Auditing Standard No. 13 applies to
integrated audits as well as audits of financial statements only, and
tests of controls are a necessary response in the audit of internal
control.\313\
---------------------------------------------------------------------------
\313\ Paragraph 9.c. of Auditing Standard No. 13.
---------------------------------------------------------------------------
e. Tests of Controls in an Audit of Internal Control
Auditing Standard No. 13 includes requirements for performing tests
of controls in the audit of financial statements.\314\
---------------------------------------------------------------------------
\314\ Paragraphs 16-35 of Auditing Standard No. 13.
---------------------------------------------------------------------------
In an integrated audit, the tests of controls performed in the
audit of internal control are part of the auditor's responses to the
risks of material misstatement, as indicated in paragraphs 9-10 of
Auditing Standard No. 13.\315\ To help facilitate the integration of
tests of controls in an integrated audit, the standard continues to use
language similar to that of Auditing Standard No. 5 when describing
analogous terms and concepts relating to the testing of controls.
---------------------------------------------------------------------------
\315\ Paragraph 39 of Auditing Standard No. 5 states, ``The
auditor should test those controls that are important to the
auditor's conclusion about whether the company's controls
sufficiently address the assessed risk of misstatement to each
relevant assertion.''
---------------------------------------------------------------------------
f. Tests of Controls and Control Risk Assessment in the Audit of
Financial Statements
(i). Requirements on When to Test Controls
AU sec. 319 required auditors to obtain evidence about the design
effectiveness and operating effectiveness of controls (a) when the
auditor plans to rely on selected controls to reduce his or her
substantive procedures and (b) in those limited circumstances in which
the auditor cannot obtain sufficient appropriate evidence through
substantive procedures alone.\316\ Thus, except in those limited
circumstances, AU sec. 319 provided auditors with flexibility to decide
when or whether to test controls.
---------------------------------------------------------------------------
\316\ AU sec. 319.66.
---------------------------------------------------------------------------
Auditing Standard No. 13 does not change the requirements in AU
sec. 319 regarding when testing controls is necessary in audits of
financial statements only.\317\ In those audits, auditors continue to
have the same flexibility in deciding when or whether to test controls
to reduce their substantive procedures.\318\ Auditing Standard No. 13
includes additional statements that emphasize the flexibility that
auditors have in making these decisions and provides additional
examples, adapted from AU sec. 319.68, of situations in which auditors
cannot obtain sufficient appropriate audit evidence through substantive
procedures alone.\319\
---------------------------------------------------------------------------
\317\ Certain clarifying revisions were made to the discussion
of relying on controls to modify the auditor's substantive
procedures, in response to comments on the reproposed standard. See
footnote 12 to paragraph 16 of Auditing Standard No. 13.
\318\ Paragraph 16 of Auditing Standard No. 13.
\319\ Paragraph 17 of Auditing Standard No. 13.
---------------------------------------------------------------------------
[[Page 59387]]
(ii). Period of Reliance
Auditing Standard No. 13 states that when the auditor relies on
controls to assess control risk at less than the maximum, the auditor
must obtain evidence that the controls selected for testing are
designed effectively and operated effectively during the entire period
of reliance.\320\ The concept of the period of reliance was introduced
in Auditing Standard No. 5 and discussed further in the PCAOB staff
guidance, Staff Views: An Audit of Internal Control Over Financial
Reporting That Is Integrated with an Audit of Financial Statements--
Guidance for Auditors of Smaller Public Companies. Auditing Standard
No. 13 provides a definition of ``period of reliance'' that parallels
the language in paragraph B4 of Auditing Standard No. 5.\321\
---------------------------------------------------------------------------
\320\ Paragraph 16 of Auditing Standard No. 13.
\321\ Paragraph A.3 of Auditing Standard No. 13.
---------------------------------------------------------------------------
(iii). Evidence About the Effectiveness of Controls
Auditing Standard No. 13 describes the principle, adapted from AU
sec. 319,\322\ that the evidence necessary to support the auditor's
control risk assessment depends on the degree of reliance the auditor
plans to place on the effectiveness of a control. In applying that
principle, Auditing Standard No. 13 requires the auditor to obtain more
persuasive audit evidence from tests of controls the greater the
reliance the auditor places on the effectiveness of a control. In
addition, Auditing Standard No. 13 requires the auditor to obtain more
persuasive evidence about the effectiveness of controls for each
relevant assertion for which the audit approach consists primarily of
tests of controls, including situations in which substantive procedures
alone cannot provide sufficient appropriate audit evidence.\323\
---------------------------------------------------------------------------
\322\ AU sec. 319.90.
\323\ Paragraph 18 of Auditing Standard No. 13.
---------------------------------------------------------------------------
(iv). Testing Operating Effectiveness
Auditing Standard No. 13 requires the auditor to determine, among
other things, whether the person performing the control possesses the
necessary authority and competence to perform the control
effectively.\324\ This requirement is intended to call the auditor's
attention to the fact that whether the person performing the control
possesses the appropriate level of authority and the knowledge and
skills necessary to perform the control function is essential to
whether that person can effectively perform the control. Thus, the
auditor is required to make such a determination before he or she can
reach a conclusion about the effectiveness of the control.
---------------------------------------------------------------------------
\324\ Paragraph 21 of Auditing Standard No. 13.
---------------------------------------------------------------------------
(v). Timing of Tests of Controls--Evidence Obtained During an Interim
Period
The reproposed standard stated that the auditor must obtain
evidence about the effectiveness of controls selected for testing for
the entire period of reliance. When the auditor tests controls during
an interim period, additional evidence that is necessary concerning the
operation of those controls for the remaining period of reliance
depends on a series of factors listed in the reproposed standard,
including, among other factors, the possibility of significant changes
in internal control over financial reporting occurring subsequent to
the interim date.
One commenter suggested adding ``control environment'' to the list
of factors that could affect the auditor's determination of what
additional evidence is necessary. The control environment has an
important, but indirect, effect on the likelihood that a misstatement
will be prevented or detected on a timely basis. Also, unlike
monitoring controls, the control environment is not designed to
identify possible breakdowns in other controls. Accordingly, the
control environment, by itself, does not reduce the amount of evidence
needed concerning controls over specific relevant assertions for the
remaining period. The control environment is not included in the list
of factors in Auditing Standard No. 13.
Another commenter suggested adding a requirement for the auditor to
obtain, when applicable, audit evidence about subsequent changes to the
controls tested during the interim period. A note has been added to
Auditing Standard No. 13 requiring the auditor to obtain evidence about
such subsequent changes, if significant.\325\
---------------------------------------------------------------------------
\325\ Paragraph 30 of Auditing Standard No. 13.
---------------------------------------------------------------------------
(vi). Timing of Tests of Controls--Evidence from Past Audits
Auditing Standard No. 13 states that the auditor should obtain
evidence during the current year audit about the design and operating
effectiveness of controls upon which the auditor relies.\326\ This
requirement is based on the principle that auditors should support
their control risk assessments each year with current evidence.
However, when the auditor has tested the controls in the past and plans
to rely on the same controls for the current year audit, the amount of
evidence needed will vary based on the relevant factors listed in the
standard.\327\ These additional factors generally relate to the degree
of reliance on the control, the risk that the control will fail to
operate as designed, and the nature and amount of evidence that the
auditor has already obtained regarding the effectiveness of the
controls. These requirements are consistent with Auditing Standard No.
5. Also, the standard allows the auditor to use a benchmarking
strategy, when appropriate, for automated application controls for
subsequent years' audits, as do the provisions of Auditing Standard No.
5. However, the standard does not permit testing controls once every
third year because the standard requires evidence regarding the
effectiveness of controls to be obtained each year.
---------------------------------------------------------------------------
\326\ Paragraph 31 of Auditing Standard No. 13.
\327\ Ibid.
---------------------------------------------------------------------------
Some commenters expressed concern that the requirements in the
reproposed standard for determining the amount of evidence needed in
the current year could be interpreted as requiring the auditor to
consider each factor listed for each of the controls that the auditor
tested in the past, regardless of whether or not the auditor plans to
rely on those controls for purposes of the current year audit. The
requirement was intended to apply when the auditor tested the controls
in past audits and plans to rely on those controls and use evidence
about the effectiveness of those controls obtained in prior years for
purposes of the current year audit. That requirement is clarified in
Auditing Standard No. 13.\328\
---------------------------------------------------------------------------
\328\ Ibid.
---------------------------------------------------------------------------
(vii). Assessing Control Risk
Auditing Standard No. 13 requires the auditor to assess control
risk for relevant assertions.\329\ This requirement is not new. AU sec.
319 established requirements for the auditor to assess control risk,
and Auditing Standard No. 5 discusses control risk assessment in the
financial statement audit portion of the integrated audit.\330\
---------------------------------------------------------------------------
\329\ Paragraphs 32-34 of Auditing Standard No. 13.
\330\ AU secs. 319.70, .83-.90 and paragraphs B4-B5 of Auditing
Standard No. 5.
---------------------------------------------------------------------------
Auditing Standard No. 13 requires the auditor to assess the control
risk at the maximum level for relevant assertions when the controls
necessary to sufficiently address the assessed risk of material
misstatement in those assertions are missing or ineffective or when the
auditor has not obtained sufficient appropriate evidence to support a
control risk assessment below the maximum level.\331\
---------------------------------------------------------------------------
\331\ Paragraph 33 of Auditing Standard No. 13.
---------------------------------------------------------------------------
One commenter expressed a concern that the reproposed standard
seemed to
[[Page 59388]]
indicate that no reduction of the control risk assessment should occur
based on understanding the design effectiveness of controls. The
commenter suggested that a control that does not exist or is not
designed effectively should have a different impact on the auditor's
testing than a control that is designed effectively but not tested by
the auditor.
The risk assessment standards already address the points raised by
the commenter regarding the effect of control deficiencies on the
auditor's testing. Auditing Standard No. 12 requires the auditor to
obtain an understanding of the design of the company's controls as part
of his or her risk assessment procedures.\332\ If the auditor
identifies design deficiencies in the company's controls, the auditor
would take that into account in identifying and assessing the risks of
material misstatement, and Auditing Standard No. 13 requires the
auditor to implement responses to address those risks of material
misstatement. When deficiencies are detected during the auditor's
testing of controls that the auditor plans to rely on, Auditing
Standard No. 13 requires the auditor to (1) perform tests of other
controls related to the same assertion as the ineffective controls, or
(2) revise the control risk assessment and modify the planned
substantive procedures as necessary in light of the increased
assessment of risk.\333\
---------------------------------------------------------------------------
\332\ Paragraph 20 of Auditing Standard No. 12.
\333\ Paragraph 34 of Auditing Standard No. 13.
---------------------------------------------------------------------------
Another commenter suggested that the reproposed standard provide
more direction about evaluating control deviations by adding a
paragraph from Auditing Standard No. 5 regarding evaluating control
deficiencies. The referenced paragraph does not apply specifically to
assessing control risk in a financial statement audit, and Auditing
Standard No. 13 requires the auditor to evaluate the evidence from all
sources, including the results of tests of controls, when assessing
control risk for relevant assertions.\334\
---------------------------------------------------------------------------
\334\ Paragraph 32 of Auditing Standard No. 13.
---------------------------------------------------------------------------
g. Substantive Procedures
Auditing Standard No. 13 requires the auditor to perform
substantive procedures for each relevant assertion of each significant
account and disclosure, regardless of the assessed level of control
risk.\335\ By definition, a relevant assertion of a significant account
and disclosure has a reasonable possibility of containing a
misstatement or misstatements that would cause the financial statements
to be materially misstated.\336\ The requirement to obtain evidence
from substantive procedures for each relevant assertion of each
significant account and disclosure reflects the principle that
auditors need to implement appropriate responses to address the
assessed risks of material misstatement.
---------------------------------------------------------------------------
\335\ Paragraph 36 of Auditing Standard No. 13.
\336\ Paragraph A9 of Auditing Standard No. 5.
---------------------------------------------------------------------------
Existing PCAOB standards indicate that some risks of material
misstatement might require more evidence from substantive procedures
because of certain inherent limitations of internal control.\337\ For
example, more evidence from substantive procedures ordinarily is needed
for relevant assertions that have a higher susceptibility to management
override or to lapses in judgment or breakdowns resulting from human
failures. Observations from the Board's oversight activities have
underscored the importance of this principle. Auditing Standard No. 13
includes this principle because it is particularly relevant to the
determination of the nature, timing, and extent of substantive
procedures. It is also consistent with the principles regarding
detection risk discussed in Auditing Standard No. 8.
---------------------------------------------------------------------------
\337\ See, e.g., paragraph .14 of AU sec. 328, Auditing Fair
Value Measurements and Disclosures.
---------------------------------------------------------------------------
h. Timing of Substantive Procedures
The reproposed standard included a requirement for the auditor to
take into account certain factors in determining whether it is
appropriate to perform substantive procedures at an interim date. One
commenter suggested that another point be added to the standard to
require the auditor to review ``the internal control changes that have
been made to date and the nature and extent of monitoring such changes
by the client staff.'' Auditing Standard No. 13 requires the auditor to
consider the effect of known or expected changes in the company, its
environment, and its internal control over financial reporting during
the remaining period on its risk assessments when determining whether
to perform substantive procedures at an interim date.\338\ This
additional requirement recognizes that both changes in controls and
other changes to the company and its environment can affect the risks
of material misstatement and, thus, the effectiveness of interim
substantive procedures. For example, significant changes in industry or
market conditions near year end could increase the risk of material
misstatement regarding the valuation of assets at year end, which, in
turn, would require significant audit attention during the remaining
period.
---------------------------------------------------------------------------
\338\ Paragraph 44.a.(3) of Auditing Standard No. 13.
---------------------------------------------------------------------------
The reproposed standard stated that when an auditor performs
substantive procedures as of an interim date, the auditor should
perform substantive procedures, or substantive procedures combined with
tests of controls, that provide a reasonable basis for extending the
audit conclusions from the interim date to the period end. The
reproposed standard also required that the auditor perform certain
procedures that were adapted from AU sec. 313.
Some commenters suggested that the Board remove the mandatory
procedures in the reproposed standard, arguing that the procedures
should be determined by the auditor based on professional judgment.
Removing those requirements as suggested by the commenters would weaken
PCAOB standards. Observations from the Board's oversight activities
have included instances in which inadequate audit work was performed
when extending the conclusion reached at the interim date to the end of
the period covered by the financial statements. Therefore, retaining
the mandatory procedures in this standard continues to be
appropriate.\339\
---------------------------------------------------------------------------
\339\ Paragraph 45 of Auditing Standard No. 13.
---------------------------------------------------------------------------
i. Substantive Procedures Responsive to Significant Risks
Like the original proposed standard, the reproposed standard stated
that the auditor should perform substantive procedures, including tests
of details, that are specifically responsive to the significant risks.
AU sec. 329 indicates that tests of details should be performed in
response to significant risks.\340\
---------------------------------------------------------------------------
\340\ AU sec. 329.09.
---------------------------------------------------------------------------
One commenter continued to express concern about imposing a
presumptively mandatory responsibility for auditors to perform tests of
details in response to significant risks. Auditing Standard No. 13
retains the requirement as reproposed.\341\ The nature and importance
of significant risks warrant a high level of assurance from substantive
procedures to adequately address the risk. Also, analytical procedures
alone are not well suited to detecting certain types of misstatements
related to significant risks, including, in particular, fraud risks.
For example, when fraud risks are present, management might be able to
override controls to allow adjustments that result in artificial
changes to the financial statement relationships being analyzed,
[[Page 59389]]
causing the auditor to draw erroneous conclusions.
---------------------------------------------------------------------------
\341\ Paragraph 11 of Auditing Standard No. 13.
---------------------------------------------------------------------------
j. Dual-purpose Test
Auditing Standard No. 13 recognizes that, in certain situations,
the auditor might perform a substantive test of a transaction
concurrently with a test of a control relevant to that transaction,
i.e., a dual-purpose test. The auditor is required to design the dual-
purpose test to achieve the objectives of both the test of the control
and the substantive test. In addition, the auditor is required to
evaluate the results of the test in forming conclusions about both the
assertion and the effectiveness of the control being tested.\342\ The
standard refers auditors to the relevant requirements in AU sec.
350, Audit Sampling, for determining the proper sample size in a dual-
purpose test.
---------------------------------------------------------------------------
\342\ Paragraph 47 of Auditing Standard No. 13.
---------------------------------------------------------------------------
9. Auditing Standard No. 14--Evaluating Audit Results
a. Background
Auditing Standard No. 14 describes the auditor's responsibilities
regarding the process of evaluating the results of the audit and
determining whether sufficient appropriate audit evidence has been
obtained in order to form the opinion to be expressed in the auditor's
report. This standard consolidates into one auditing standard the
requirements that were previously included in five separate auditing
standards.\343\ The standard highlights matters that are important to
the auditor's conclusions about the financial statements and the
effectiveness of internal control.
---------------------------------------------------------------------------
\343\ AU sec. 312, regarding evaluating audit results, including
uncorrected misstatements; AU sec. 316, regarding fraud
considerations that are relevant to evaluating audit results; AU
sec. 329, regarding performing the overall review; AU sec. 326,
regarding determining whether sufficient appropriate audit evidence
has been obtained; and AU sec. 431, regarding the evaluation of
disclosures.
---------------------------------------------------------------------------
b. Definition of Misstatement
The reproposed standard defined the term ``misstatement'' as
follows:
A misstatement, if material individually or in combination with
other misstatements, causes the financial statements not to be
presented fairly in conformity with the applicable financial
reporting framework.\344\ A misstatement may relate to a difference
between the amount, classification, presentation, or disclosure of a
reported financial statement item and the amount, classification,
presentation, or disclosure that should be reported in conformity
with the applicable financial reporting framework. Misstatements can
arise from error (i.e., unintentional misstatement) or fraud.
---------------------------------------------------------------------------
\344\ The auditor should look to the requirements of the
Securities and Exchange Commission for the company under audit with
respect to accounting principles applicable to that company.
---------------------------------------------------------------------------
Some commenters indicated that the definition applied to ``material
misstatement'' rather than ``misstatement'' and suggested revisions to
the definition, e.g., moving the second sentence to the beginning of
the definition.
Auditing Standard No. 14 carries forward the definition of
``misstatement'' as reproposed.\345\ This definition is not a
definition of the term ``material misstatement.'' Rather, the
definition emphasizes that misstatements prevent financial statements
from being fairly presented in conformity with the applicable financial
reporting framework, as discussed in AU sec. 411, The Meaning of
Present Fairly in Conformity With Generally Accepted Accounting
Principles. The phrase used in the definition, ``if material
individually or in combination with other misstatements,'' is
equivalent to the phrase ``In the absence of materiality
considerations,'' which was used in the description of the term
``misstatement'' in an auditing interpretation of AU sec. 312.\346\ The
second sentence of the definition in Auditing Standard No. 14 describes
the most common types of misstatements.\347\
---------------------------------------------------------------------------
\345\ Paragraph A2 of Appendix A to Auditing Standard No. 14.
\346\ Paragraph .02 of AU sec. 9312, Audit Risk and Materiality
in Conducting an Audit: Auditing Interpretations of Section 312,
which is superseded by the risk assessment standards, stated ``In
the absence of materiality considerations, a misstatement causes the
financial statements not to be in conformity with generally accepted
accounting principles.''
\347\ See also paragraph A2 of Auditing Standard No. 14.
---------------------------------------------------------------------------
c. Performing Analytical Procedures in the Overall Review
Auditing Standard No. 14 adapted the requirements that were
previously included in AU secs. 316 and 329 to read the financial
statements and disclosures and perform analytical procedures in the
overall review. The standard imposes on auditors a responsibility to
read the financial statements and disclosures and perform analytical
procedures to (a) evaluate the auditor's conclusions formed regarding
significant accounts and disclosures and (b) assist in forming an
opinion on whether the financial statements as a whole are free of
material misstatement.\348\ In particular, Auditing Standard No. 14
requires the auditor to evaluate whether (a) evidence gathered in
response to unusual or unexpected transactions, events, amounts, or
relationships previously identified during the audit is sufficient and
(b) unusual or unexpected transactions, events, amounts, or
relationships indicate risks of material misstatement that were not
identified previously.\349\ Performing analytical procedures in the
overall review assists the auditor in assessing the conclusions reached
and in evaluating the overall financial statement presentation.
---------------------------------------------------------------------------
\348\ Paragraph 5 of Auditing Standard No. 14.
\349\ Paragraph 6 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 14 adapted a requirement, which previously
existed in AU sec. 316, for the auditor to perform analytical
procedures relating to revenue through the end of the period.\350\
These procedures are intended to identify unusual or unexpected
relationships involving revenue accounts that might indicate a material
misstatement, including a material misstatement due to fraud.
Performing analytical procedures relating to revenue is important in
light of the generally higher risk of financial statement fraud
involving revenue accounts.
---------------------------------------------------------------------------
\350\ Paragraph 7 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 14 requires the auditor to corroborate
management's explanations regarding significant unusual or unexpected
transactions, events, amounts, or relationships. The standard also
states that if management's responses to the auditor's inquiries appear
to be implausible, inconsistent with other audit evidence, imprecise,
or not at a sufficient level of detail to be useful, the auditor should
perform procedures to address the matter.\351\ Auditing Standard No.
15, Audit Evidence, states that inquiry of company personnel, by
itself, does not provide sufficient audit evidence to reduce audit risk
to an appropriately low level.\352\ Therefore, obtaining corroboration
of management's responses is important in obtaining sufficient
appropriate audit evidence.
---------------------------------------------------------------------------
\351\ Paragraph 8 of Auditing Standard No. 14.
\352\ Paragraph 17 of Auditing Standard No. 15.
---------------------------------------------------------------------------
d. Clearly Trivial
Auditing Standard No. 14 requires the auditor to accumulate
misstatements identified during the audit, other than those that are
clearly trivial.\353\ Like AU sec. 312, the standard allows the auditor
to set a threshold for accumulating misstatements, provided that the
threshold is set at a de minimis level that could not result in
material misstatement of the financial statements, individually or in
combination with other misstatements, after considering the possibility
of
further undetected misstatement.\354\ The specific limitation on
setting a threshold for accumulating misstatements is important to
assure a proper evaluation of the effect of uncorrected misstatements
on the financial statements.
---------------------------------------------------------------------------
\353\ Paragraph 10 of Auditing Standard No. 14.
\354\ Paragraph 11 of Auditing Standard No. 14.
---------------------------------------------------------------------------
e. Accumulating Misstatements
The reproposed standard required the auditor to accumulate
identified misstatements other than those that are clearly trivial. The
reproposed standard also required the auditor to use his or her best
estimate of the total misstatement in the accounts and disclosures that
the auditor has tested, not just the amount of misstatements
specifically identified. This includes misstatements related to
accounting estimates and projected misstatements from substantive
procedures that involve audit sampling.\355\
---------------------------------------------------------------------------
\355\ Paragraphs 10-12 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Commenters suggested that the standard should use terms such as
``known and likely misstatement'' or other terms to categorize the
misstatements. Auditing Standard No. 14 uses the term ``identified
misstatement'' to refer to misstatements that are identified during the
audit and the term ``accumulated misstatements'' to refer to
misstatements that are more than clearly trivial and, thus, should be
accumulated by the auditor. Because Auditing Standard No. 14 requires
the auditor to use his or her best estimate of the misstatements (which
is how AU sec. 312 described ``likely misstatements''), it is not
necessary to use the term ``known and likely misstatements.''
f. Correction of Misstatements
Auditing Standard No. 14 requires that if management made
corrections to accounts or disclosures in response to misstatements
detected by the auditor, the auditor should evaluate management's work
to determine whether the corrections have been recorded properly and to
determine whether uncorrected misstatements remain.\356\ The standard
imposes on auditors a responsibility to determine whether misstatements
identified by the auditor and communicated to management are correctly
recorded in the accounting records.
---------------------------------------------------------------------------
\356\ Paragraph 16 of Auditing Standard No. 14.
---------------------------------------------------------------------------
g. Considerations When Accumulated Misstatements Approach the
Materiality Level or Levels Used in Planning and Performing Audit
Procedures
Auditing Standard No. 14 requires the auditor to determine whether
the overall strategy needs to be revised when the aggregate of
misstatements accumulated during the audit approaches the materiality
level or levels used in planning and performing the audit. When the
aggregate of misstatements approaches the materiality level or levels
used in planning and performing an audit, there likely will be greater
than an appropriately low level of risk that possible undetected
misstatements, combined with uncorrected misstatements accumulated
during the audit, could be material to the financial statements. If the
auditor assesses this risk to be unacceptably high, he or she should
perform additional audit procedures or determine that management has
adjusted the financial statements so that the risk that the financial
statements are materially misstated has been reduced to an
appropriately low level.\357\
---------------------------------------------------------------------------
\357\ Paragraph 14 of Auditing Standard No. 14.
---------------------------------------------------------------------------
The reproposed standard stated that when the aggregate of
accumulated misstatements approaches the materiality used in planning
and performing the audit, the auditor should perform additional
procedures or determine that management has adjusted the financial
statements so that the risk of material misstatement has been reduced
to an appropriately low level. One commenter suggested that it is not
clear what the additional procedures are and that more work is not
always the answer. The additional procedures that are necessary depend
upon, among other things, the procedures performed by the auditor to
date and the nature of the misstatements that were detected.
h. Requirement to Reevaluate the Materiality Level
Auditing Standard No. 11 includes a requirement to reevaluate the
established materiality level or levels in certain circumstances.
Auditing Standard No. 14 states that if the reevaluation of the
materiality level or levels established in accordance with Auditing
Standard No. 11 results in a lower amount for the materiality level or
levels, the auditor should take into account that lower materiality
level in the evaluation of uncorrected misstatements.\358\ The
requirements are intended to prevent the auditor from incorrectly
concluding that uncorrected misstatements are immaterial because he or
she used outdated financial statement information. However, the
standard does not allow the auditor to establish a higher level or
levels of materiality when uncorrected misstatements exceed the
initially established level or levels of materiality.
---------------------------------------------------------------------------
\358\ Paragraph 17 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Reevaluating the established materiality level or levels prior to
evaluating the effect of uncorrected misstatements will cause audit
results to be evaluated based on the latest financial information.
i. Evaluating Uncorrected Misstatements
The reproposed standard stated that the auditor should evaluate the
uncorrected misstatements in relation to accounts and disclosures and
to the financial statements as a whole, taking into account relevant
quantitative and qualitative factors. The reproposed standard retained
the provisions regarding qualitative factors that were included in an
auditing interpretation to AU sec. 312,\359\ with some minor revisions
to align the factors more closely to the terminology in the reproposed
standard and to omit qualitative factors that apply only to nonissuers.
A commenter indicated that the term ``profitability,'' which is
included in the qualitative factors in Appendix B, is not defined, and
the commenter suggested including examples of profitability in the
reproposed standard. Although this term is not explicitly defined in
Auditing Standard No. 14, it should be familiar to auditors because the
related auditing interpretation was issued in 2000. Auditing Standard
No. 14 carries forward the requirements and the related list of
qualitative factors that are substantially the same as those in the
auditing interpretation.\360\
---------------------------------------------------------------------------
\359\ AU sec. 9312.15-17.
\360\ AU sec. 9312 and paragraph 17 and Appendix B of Auditing
Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 14 requires an evaluation of the effects of
both uncorrected misstatements detected in prior years and
misstatements detected in the current year that relate to prior
years.\361\ The standard does not address how to evaluate the effects
of prior period misstatements because that is an accounting and
financial reporting matter. For example, the SEC staff has provided
guidance in SEC Staff Accounting Bulletin (``SAB'') Topic 1.N,
Considering the Effects of Prior Year Misstatements when Quantifying
Misstatements in Current Year Financial Statements, on the effects of
prior year misstatements when quantifying
misstatements in the current year financial statements. This SAB
provides the SEC staff's views regarding evaluating the quantitative
and qualitative factors regarding the materiality of uncorrected
misstatements and evaluating the effects of prior year misstatements.
---------------------------------------------------------------------------
\361\ Paragraph 18 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 14 states that the auditor cannot assume that
an instance of error or fraud is an isolated occurrence and that the
auditor should evaluate the nature and effects of the individual
misstatements accumulated during the audit on the assessed risks of
material misstatement.\362\ This procedure is important to inform the
auditor's conclusions about whether the auditor's risk assessments
remain appropriate and whether he or she has obtained sufficient
appropriate evidence to support his or her opinion.
---------------------------------------------------------------------------
\362\ Paragraph 19 of Auditing Standard No. 14.
---------------------------------------------------------------------------
The reproposed standard included a requirement to evaluate the
nature and effects of the individual misstatements accumulated during
the audit on the assessed risks of material misstatement. A commenter
suggested that this evaluation should be performed at the time the
misstatement is identified. In the Board's view, it is not necessary to
prescribe the timing for the evaluation of the nature and effects of
misstatements on the risk assessments. However, performing this
evaluation during the course of the audit could allow the auditor to
make the necessary modifications to his or her planned audit procedures
on a more timely basis.
The reproposed standard required the auditor to evaluate whether
identified misstatements might be indicative of fraud and, in turn, how
they affect the auditor's evaluation of materiality and the related
audit responses. This requirement is adapted from AU sec. 316.\363\ One
commenter suggested that when there is an indicator of fraud, the
requirement should make clear that clearly trivial misstatements may
need to be evaluated to determine if they should be included in the
accumulated misstatements. Like AU sec. 316, the requirement in the
reproposed standard was phrased in terms of identified misstatements
rather than accumulated misstatements because fraud of relatively small
amounts can be material to the financial statements.
---------------------------------------------------------------------------
\363\ AU sec. 316.75.
---------------------------------------------------------------------------
Auditing Standard No. 14 retains the requirement as
reproposed.\364\ If an auditor detects a misstatement, he or she should
evaluate whether the misstatement is indicative of fraud when deciding
whether a misstatement is clearly trivial and thus does not warrant
being included with accumulated misstatements. Additionally, in
situations in which the auditor believes that a misstatement is or
might be intentional and the effect on the financial statements could
be material or cannot be readily determined, Auditing Standard No. 14
requires that the auditor perform procedures to obtain additional audit
evidence to determine whether the fraud has occurred or is likely to
have occurred. If the fraud has occurred or is likely to have occurred,
the auditor is required to determine its effect on the financial
statements and the auditor's report thereon.
---------------------------------------------------------------------------
\364\ Paragraph 20 of Auditing Standard No. 14.
---------------------------------------------------------------------------
j. Communication of Accumulated Misstatements to Management
The reproposed standard required the auditor to communicate
accumulated misstatements to management on a timely basis to provide
management with an opportunity to correct them. The reproposed standard
also required the auditor to obtain an understanding of the reasons
that management decided not to correct misstatements communicated by
the auditor.
Some commenters suggested that the standard should specifically
require the auditor to request management to correct the misstatements.
Auditing Standard No. 14 retains the requirement as
reproposed.\365\ It is not necessary to specifically require the
auditor to request that management correct the misstatements because
management has its own legal responsibilities in relation to the
preparation and maintenance of the company's books, records, and
financial statements. Section 13(i) of the Securities and Exchange Act
of 1934, 15 U.S.C. 78m(i), requires the financial statements filed with
the SEC to reflect all material correcting adjustments identified by
the auditor.
---------------------------------------------------------------------------
\365\ Paragraphs 15 and 25 of Auditing Standard No. 14.
---------------------------------------------------------------------------
k. Communication of Illegal Acts
Auditing Standard No. 14 requires the auditor to determine his or
her responsibility under AU secs. 316.79-.82A, AU sec. 317, and Section
10A of the Securities and Exchange Act of 1934, 15 U.S.C. 78j-1, if the
auditor becomes aware of information indicating that fraud or another
illegal act has occurred or might have occurred.\366\
---------------------------------------------------------------------------
\366\ Paragraph 23 of Auditing Standard No. 14.
---------------------------------------------------------------------------
l. Evaluating the Qualitative Aspects of the Company's Accounting
Practices
Auditing Standard No. 14 requires the auditor to evaluate the
qualitative aspects of the company's accounting practices, including
potential bias in management's judgments regarding the amounts and
disclosures in the financial statements.\367\
---------------------------------------------------------------------------
\367\ Paragraph 24 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Auditing Standard No. 14 also states that if the auditor identifies
bias in management's judgments about the amounts and disclosures in the
financial statements, the auditor should evaluate whether the effect of
that bias, together with the effect of uncorrected misstatements,
results in material misstatement of the financial statements. Also, the
standard states that the auditor should evaluate whether the auditor's
risk assessments, including, in particular, the assessment of fraud
risks, and the related audit responses remain appropriate.\368\
---------------------------------------------------------------------------
\368\ Paragraph 26 of Auditing Standard No. 14.
---------------------------------------------------------------------------
The reproposed standard included an example of management bias,
which was based on observations from the Board's oversight activities.
This example indicated that when management identifies adjusting
entries that offset misstatements identified by the auditor, the
auditor should perform procedures to determine why the underlying
misstatement was not identified previously. The auditor also should
evaluate the implications on the integrity of management, and the
auditor's risk assessments, including fraud risk assessments, and
perform additional procedures as necessary to address the risk of
further undetected misstatements. A commenter suggested using the
phrase ``identified misstatements other than those that are * * *
clearly trivial'' instead of ``identified misstatements.'' The
requirement has been revised to refer to misstatements accumulated by
the auditor as required by paragraph 10 of Auditing Standard No.
14.\369\
---------------------------------------------------------------------------
\369\ Paragraph 25 of Auditing Standard No. 14.
---------------------------------------------------------------------------
m. Assessment of Fraud Risks
The reproposed standard required the auditor to evaluate whether
the accumulated results of auditing procedures and other observations
affect the auditor's assessment of fraud risks made throughout the
audit and whether the audit procedures need to be modified to respond
to those risks.\370\ The reproposed standard included a reference to
Appendix C, which listed matters that might affect the assessment of
fraud risks. Appendix C stated that if
the matters listed in the appendix are identified during the audit, the
auditor should determine whether the assessment of fraud risks remains
appropriate or needs to be revised. This requirement was included
because the evaluation provides additional insight regarding the fraud
risks and the potential need to perform additional procedures to
support the opinion to be expressed in the auditor's report.
---------------------------------------------------------------------------
\370\ Paragraph 28 of Auditing Standard No. 14.
---------------------------------------------------------------------------
Some commenters indicated that the requirement in Appendix C seems
to indicate that the auditor is required to determine if each item
identified during the audit individually affects the assessment of
fraud risks, which appears to be inconsistent with paragraph 28. Those
commenters suggested revisions to the first sentence of Appendix C.
After considering these comments, the first sentence of Appendix C has
been revised to state that if the matters listed in the appendix are
identified during the audit, the auditor should take into account these
matters in the evaluation of the assessment of fraud risks, as
discussed in paragraph 28.\371\
---------------------------------------------------------------------------
\371\ Paragraph C1 of Appendix C to Auditing Standard No. 14.
---------------------------------------------------------------------------
One commenter suggested including in Appendix C specific procedures
that the auditor could perform to evaluate fraud risk, such as
evaluating journal entries with round numbers or amounts slightly below
a specified threshold. This type of procedure could be appropriate for
selecting journal entries for testing, but it is different in nature
from the matters listed in Appendix C.
Auditing Standard No. 14 includes a requirement for the engagement
partner to determine whether there has been appropriate communication
with the other engagement team members throughout the audit regarding
information or conditions that are indicative of fraud risks.\372\ This
requirement is adapted from the existing PCAOB standards.\373\
---------------------------------------------------------------------------
\372\ Paragraph 29 of Auditing Standard No. 14.
\373\ AU sec. 316.18.
---------------------------------------------------------------------------
n. Evaluating Financial Statement Disclosures
The reproposed standard included a requirement, adapted from AU
sec. 431, for the auditor to evaluate whether the financial statements
contain the required disclosures and, if the required disclosures are
not included in the financial statements, to express a qualified or
adverse opinion in accordance with AU sec. 508, Reports on Audited
Financial Statements. The reproposed standard also stated that
evaluation of disclosures includes consideration of the form,
arrangement, and content of the financial statements (including the
accompanying notes), encompassing matters such as the terminology used,
the amount of detail given, the classification of items in the
statements, and the bases of amounts set forth. These requirements were
included in the reproposed standard because of the importance of
disclosures to the fair presentation of financial statements.
Some commenters stated that the requirements regarding evaluation
of disclosures should be qualified based on materiality considerations.
Auditing Standard No. 14 states that the auditor should evaluate
whether the financial statements contain the information essential for
a fair presentation of the financial statements in conformity with the
applicable financial reporting framework, which is aligned with an
analogous requirement in AU sec. 508.41.\374\ AU sec. 411 discusses the
concept of materiality regarding the auditor's opinion that financial
statements are presented fairly.\375\
---------------------------------------------------------------------------
\374\ Paragraph 31 of Auditing Standard No. 14.
\375\ AU sec. 411.04.
---------------------------------------------------------------------------
Another commenter questioned whether the statement that
``Evaluation of disclosures includes consideration of the form,
arrangement, and content of the financial statements (including the
accompanying notes), encompassing matters such as the terminology used,
the amount of detail given, the classification of items in the
statements, and the bases of amounts set forth'' is a requirement. The
statement in the reproposed standard, which is retained in Auditing
Standard No. 14, explains that the scope of the auditor's required
evaluation of the information disclosed in the financial statements
includes matters such as the form, arrangement, and content of the
financial statements.\376\
---------------------------------------------------------------------------
\376\ Paragraph 31 of Auditing Standard No. 14.
---------------------------------------------------------------------------
o. Evaluating the Sufficiency and Appropriateness of Audit Evidence
The reproposed standard required the auditor to conclude whether
sufficient appropriate audit evidence has been obtained to support his
or her opinion on the financial statements. The reproposed standard
also presented a list of factors that are relevant to the auditor's
conclusion on whether sufficient appropriate audit evidence has been
obtained. Consideration of the listed factors is essential to reaching
an informed conclusion about whether sufficient appropriate audit
evidence has been obtained. Accordingly, both the requirement and the
list of factors contained in the reproposed standard have been
retained.\377\
---------------------------------------------------------------------------
\377\ Paragraphs 33-34 of Auditing Standard No. 14.
---------------------------------------------------------------------------
A commenter suggested that corrected adjustments also should be
considered in concluding whether sufficient appropriate audit evidence
has been obtained. Auditing Standard No. 14 already requires the
auditor to evaluate the results of audit procedures in evaluating
whether sufficient appropriate evidence has been obtained, and this
would include misstatements identified by the auditor, regardless of
whether they were corrected by management.\378\
---------------------------------------------------------------------------
\378\ Paragraph 34 of Auditing Standard No. 14.
---------------------------------------------------------------------------
The reproposed standard expanded the requirements regarding
situations in which the auditor has not obtained sufficient appropriate
audit evidence to include situations in which the auditor has
substantial doubt about a relevant assertion. This additional provision
was adapted from AU sec. 326. A commenter suggested that the
requirement be revised to state that the auditor should attempt to
obtain additional evidence if the auditor has not obtained sufficient
appropriate evidence about a relevant assertion. The requirement has
been retained as stated in the reproposed standard because it covers
situations in which the evidence is inadequate and situations in which
the auditor has concerns about whether an assertion is misstated.\379\
---------------------------------------------------------------------------
\379\ Paragraph 35 of Auditing Standard No. 14.
---------------------------------------------------------------------------
p. Evaluating the Results of the Audit of Internal Control
The reproposed standard included a section relating to evaluating
audit results in the audit of internal control, which references
Auditing Standard No. 5 for the requirements on evaluating the results
of the audit of internal control.\380\ A commenter suggested removing
this paragraph from the reproposed standard. Auditing Standard No. 14
retains this paragraph, although it does not impose additional
requirements. Including this paragraph emphasizes that, in integrated
audits, the evaluation of audit results is an integrated process that
affects both audits.
---------------------------------------------------------------------------
\380\ Paragraph 37 of Auditing Standard No. 14.
---------------------------------------------------------------------------
10. Auditing Standard No. 15--Audit Evidence
a. Background
Auditing Standard No. 15 explains what constitutes audit evidence,
establishes requirements regarding designing and performing audit
procedures to obtain sufficient
appropriate audit evidence to support the opinion in the auditor's
report, and discusses methods for selecting items for testing.
b. Nature of Audit Evidence
The reproposed standard stated that audit evidence is all the
information, whether obtained from audit procedures or other sources,
that is used by the auditor in arriving at the conclusions on which the
auditor's opinion is based. Audit evidence consists of both information
that supports and corroborates management's assertions regarding the
financial statements or internal control over financial reporting and
any information that contradicts such assertions.
One commenter indicated that the meaning of the phrase ``and any
information that contradicts such assertions'' was unclear. The
commenter suggested that the Board clarify whether the requirement
meant the auditor should look for such contradictory information, or if
the requirement should apply only when such information comes to the
auditor's attention.
PCAOB standards require the auditor to plan and perform the audit
to obtain sufficient appropriate evidence to support an opinion about
whether the financial statements are free of material misstatement and,
in the audit of internal control, whether material weaknesses
exist.\381\ Thus, the auditor is required to perform the audit
procedures necessary to test the accounts and controls, regardless of
whether the results of those procedures support or contradict the
assertions. The requirement in Auditing Standard No. 15 means that when
contradictory evidence is obtained, the auditor should evaluate it when
forming a conclusion on the financial statements and, in integrated
audits, on internal control over financial reporting. To clarify the
requirement, Auditing Standard No. 15 omits the word ``any.'' \382\
---------------------------------------------------------------------------
\381\ Paragraph 3 of Auditing Standard No. 8 and paragraph 3 of
Auditing Standard No. 5, respectively.
\382\ Paragraph 2 of Auditing Standard No. 15.
---------------------------------------------------------------------------
c. Objective
The objective in the reproposed standard acknowledged the auditor's
responsibility to plan and perform the audit to obtain sufficient
appropriate audit evidence to support the opinion expressed in the
auditor's report. Commenters suggested revising the wording in
paragraph 4 of the reproposed standard to be consistent with the
objective in paragraph 3 of the reproposed standard. The requirement in
paragraph 4 of Auditing Standard No. 15 has been revised to be
consistent with the objective of the standard.
d. Sufficient Appropriate Audit Evidence
The reproposed standard explained the meaning of the words
``sufficient'' and ``appropriate'' as used in the phrase ``sufficient
appropriate audit evidence.'' Commenters suggested that the Board
provide formal definitions for terms like ``sufficiency'' and
``appropriate'' so the terms can be easily located within the
standards. Adding definitions is unnecessary because Auditing Standard
No. 15 already describes the terms ``sufficiency'' and
``appropriateness'' and explains the relevant characteristics of
each.\383\
---------------------------------------------------------------------------
\383\ Paragraphs 5-6 of Auditing Standard No. 15.
---------------------------------------------------------------------------
Commenters stated that the term ``persuasive'' was used in the
reproposed standard, The Auditor's Responses to the Risks of Material
Misstatement, and recommended that the Board clarify in the reproposed
audit evidence standard the manner in which the persuasiveness of
evidence affects the evaluation of audit evidence. The concept of
``persuasiveness of evidence'' is discussed in Auditing Standard No.
13.\384\
---------------------------------------------------------------------------
\384\ Paragraph 39 of Auditing Standard No. 13.
---------------------------------------------------------------------------
e. Relevance and Reliability
The reproposed standard contained a discussion about the relevance
and reliability of audit evidence. The reproposed standard stated that
the audit evidence must be both relevant and reliable to support the
auditor's conclusions about the subject of the audit procedure. The
reproposed standard stated that ``[e]vidence provided by original
documents is more reliable than evidence provided by photocopies or
facsimiles, or documents that have been filmed, digitized, or otherwise
converted into electronic form, the reliability of which depends on the
controls over the conversion and maintenance of those documents.''
One commenter suggested that the standard be revised to indicate
that electronic information, subject to proper controls, is in many
ways more reliable than physical documentation. The language from the
reproposed standard was retained in Auditing Standard No. 15.\385\
Although evidence sometimes is available only in electronic form and
the reliability of electronic evidence depends on the controls over
that information, an authentic original document generally is more
reliable than an electronic form of that document.
---------------------------------------------------------------------------
\385\ Paragraph 8 of Auditing Standard No. 15.
---------------------------------------------------------------------------
The reproposed standard stated that the relevance of audit evidence
refers to its relationship to the assertion or to the objective of the
control being tested. The relevance of audit evidence depends on (a)
the design of the audit procedure used to test the assertion or
control, and (b) the timing of the audit procedure used to test the
assertion or control. One commenter recommended the description of the
term ``relevance'' should be expanded to include the following
statements:
    Relevance deals with the logical connection with, or bearing
    upon, the purpose of the audit procedure and, when appropriate, the
    assertion under consideration. The relevance of information to be
    used as audit evidence may be affected by the direction of testing.
Auditing Standard No. 15 retains the description included in the
reproposed standard because it is clearer than the suggested
revision.\386\
---------------------------------------------------------------------------
\386\ Paragraph 7 of Auditing Standard No. 15.
---------------------------------------------------------------------------
The reproposed standard indicated that ``[t]he auditor is not
expected to be an expert in document authentication. However, if
conditions indicate that a document may not be authentic or that the
terms in a document have been modified but that the modifications have
not been disclosed to the auditor, the auditor should modify the
planned audit procedures or perform additional audit procedures to
respond to those conditions and should evaluate the effect, if any, on
the other aspects of the audit.''
One commenter suggested that the requirement for the auditor to
modify the planned audit procedures or perform additional audit
procedures in response to concerns about the authenticity of documents
should be linked to professional skepticism. The commenter also stated
that many modifications are routine. The requirement was not meant to
require the auditor to perform unlimited procedures but, rather, to
perform the procedures necessary to address the issue in the
circumstances. Auditing Standard No. 15 retains this requirement as
reproposed.\387\ Although professional skepticism is important in these
situations, it is not the only factor that determines the procedures
necessary to address the matter.
---------------------------------------------------------------------------
\387\ Paragraph 9 of Auditing Standard No. 15.
---------------------------------------------------------------------------
f. Financial Statement Assertions
In representing that the financial statements are presented fairly
in conformity with the applicable financial reporting framework,
management
[[Page 59394]]
implicitly or explicitly makes assertions regarding the recognition,
measurement, presentation, and disclosure of the various elements of
financial statements and related disclosures. Financial statement
assertions are an important consideration for audits performed in
accordance with PCAOB standards. For example, AU sec. 319 required
auditors to perform substantive procedures for relevant assertions in
audits of financial statements. Auditing Standard No. 5 requires
auditors to obtain evidence about the design and operating
effectiveness of controls over relevant assertions in audits of
internal control.
The reproposed standard retained the five categories of financial
statement assertions in AU sec. 326 and Auditing Standard No. 5. Two
commenters suggested that the Board use different descriptions for
financial statement assertions. One commenter suggested using other
standard-setters' descriptions of financial statement assertions. The
other commenter suggested using a different description of assertions.
Auditing Standard No. 15 retains the categories of assertions as
reproposed.\388\ Like Auditing Standard No. 5,\389\ Auditing Standard
No. 15 allows auditors the flexibility to use categories of assertions
that differ from the assertions listed in the standard under specified
conditions.\390\
---------------------------------------------------------------------------
\388\ Paragraph 11 of Auditing Standard No. 15.
\389\ See the note to paragraph 28 of Auditing Standard No. 5.
\390\ Paragraph 12 of Auditing Standard No. 15.
---------------------------------------------------------------------------
g. Inquiry
The reproposed standard stated that inquiry of company personnel,
by itself, does not provide sufficient audit evidence to reduce audit
risk to an appropriately low level for a relevant assertion or to
support a conclusion about the effectiveness of a control. One
commenter suggested that the note to paragraph 17 of the reproposed
standard be revised to include ``design and operating effectiveness of
a control'' and that the auditor should perform audit procedures in
addition to the use of inquiry to obtain sufficient appropriate audit
evidence. Auditing Standard No. 15 retains the language from the
reproposed standard. The phrase ``effectiveness of a control''
encompasses both design and operating effectiveness. It is not
considered necessary to add that the auditor should perform additional
procedures, since Auditing Standard No. 15 states that inquiry, by
itself, does not provide sufficient audit evidence.\391\
---------------------------------------------------------------------------
\391\ Paragraph 17 of Auditing Standard No. 15.
---------------------------------------------------------------------------
h. Confirmation
The reproposed standard stated that a confirmation represents audit
evidence obtained by the auditor as a direct response to the auditor
from a third party. Some commenters suggested that the reproposed
standard clarify that a confirmation be written. Auditing Standard No.
15 has been revised to state that a confirmation response represents a
particular form of audit evidence obtained by the auditor from a third
party in accordance with PCAOB standards.\392\ The Board has a separate
standards-setting project on confirmations that, among other things,
will address the use of written confirmation or other alternative forms
of confirmation.\393\
---------------------------------------------------------------------------
\392\ Paragraph 18 of Auditing Standard No. 15.
\393\ PCAOB Release No. 2010-003, Proposed Auditing Standard
Related to Confirmation and Related Amendments to PCAOB Standards
(July 13, 2010).
---------------------------------------------------------------------------
i. Analytical Procedures
The reproposed standard described analytical procedures as an audit
procedure for obtaining evidence. One commenter suggested adding
``scanning'' as part of analytical procedures. Scanning is a means for
selecting items for testing, not a separate audit procedure. The
description of analytical procedures in Auditing Standard No. 15 is
retained as reproposed.\394\
---------------------------------------------------------------------------
\394\ Paragraph 21 of Auditing Standard No. 15.
---------------------------------------------------------------------------
j. Selecting Items for Testing To Obtain Audit Evidence
Auditing Standard No. 15 contains a section on selecting items for
testing that is adapted from an auditing interpretation of AU sec.
350.\395\ The standard also states that the auditor should determine
the means of selecting items for testing to obtain evidence that, in
combination with other relevant evidence, is sufficient to meet the
objective of the audit procedure.\396\
---------------------------------------------------------------------------
\395\ AU sec. 9350, Audit Sampling: Auditing Interpretations of
AU sec. 350.
\396\ Paragraph 22 of Auditing Standard No. 15.
---------------------------------------------------------------------------
The reproposed standard defined audit sampling as the application
of an audit procedure to less than 100 percent of the occurrences of a
control or items comprising an account for the purpose of evaluating
some characteristic of the control or account. One commenter stated
that the definition in the standard should be conformed to AU sec. 350.
Auditing Standard No. 15 reflects revisions that align the standard
with AU sec. 350.
k. Other Changes
As noted in the reproposing release, certain topics that were
included in AU sec. 326 were not carried forward to the reproposed
standard and Auditing Standard No. 15. AU sec. 326 discussed the use of
audit objectives, and an appendix to that standard illustrated how
auditors might use assertions to develop audit objectives and
substantive tests of inventory. Such a discussion is not necessary
because the auditing standards do not require auditors to establish
audit objectives to link assertions to substantive procedures. However,
omission of this discussion would not preclude auditors from using
audit objectives in designing their audit procedures.
11. Amendments to PCAOB Standards
a. Amendments to Auditing Standard No. 3
In the release accompanying the original proposed standards, the
Board sought comment on the need for specific documentation
requirements regarding the risk assessment procedures. Responses from
commenters were mixed. Some commenters supported adding specific
documentation requirements, other commenters stated that the
requirements in Auditing Standard No. 3, Audit Documentation, were
adequate, and one commenter was ambivalent.
After consideration of these comments and additional analysis, the
amendments accompanying the reproposed standards included certain
amendments to Auditing Standard No. 3 to (a) specify certain required
documentation regarding the auditor's risk assessments and related
responses, (b) align certain terms and provisions of Auditing Standard
No. 3 with the risk assessment standards, and (c) incorporate the
principles for documentation of disagreements among engagement team
members. For example, the amendments indicated that the auditor's
documentation should include the following:
    A summary of the identified risks of misstatement and the
      auditor's assessment of risks of material misstatement at the
      financial statement and assertion levels; and
    The auditor's responses to the risks of material
      misstatement, including linkage of the responses to those risks.
Also, the requirements regarding documentation of significant
findings or issues and related matters were expanded to require
documentation regarding the significant risks identified and the
results of the auditing procedures performed in response to those
risks.
A commenter indicated that the additional documentation requirement
[[Page 59395]]
will result in ``unnecessary linkage'' and ``a matrix-like mentality''
to the audit documentation. The documentation requirements are intended
to enhance the auditor's ability to link identified and assessed risks
to appropriate responses and could help reviewers understand the areas
of greatest risk and the auditor's responses to those risks. In
addition to these documentation requirements, the auditor would
continue to be responsible for preparing documentation as required by
other provisions of Auditing Standard No. 3, e.g., to demonstrate that
the engagement complied with the standards of the PCAOB.\397\
---------------------------------------------------------------------------
\397\ Paragraph 5.a. of Auditing Standard No. 3.
---------------------------------------------------------------------------
Some commenters suggested placing the documentation requirements in
the respective risk assessment standards rather than amending Auditing
Standard No. 3. The risk assessment standards are foundational
standards; therefore, the required documentation related to the risk
assessment standards is included in Auditing Standard No. 3.\398\
Future decisions about the placement of new documentation requirements
will be made during the course of the respective standards-setting
projects.
---------------------------------------------------------------------------
\398\ Paragraphs 9, 12, and 19 of Auditing Standard No. 3, as
amended.
---------------------------------------------------------------------------
b. Amendments to Auditing Standard No. 4
The amendment to Auditing Standard No. 4, Reporting on Whether a
Previously Reported Material Weakness Continues To Exist, is limited to
changing the word ``competent'' to ``appropriate'' when that word is
used in reference to audit evidence.
c. Amendments to Auditing Standard No. 5
The amendments to Auditing Standard No. 5 that accompanied the
reproposed standards were limited to changing the phrase ``any
assistants'' to ``the members of the engagement team,'' changing the
word ``competent'' to ``appropriate'' when that word is used in
reference to audit evidence, and updating references to auditing
standards that are being superseded or amended. These amendments are
retained as reproposed.
One commenter suggested a series of additional amendments to
Auditing Standard No. 5, which primarily involved removing certain
paragraphs from Auditing Standard No. 5 that relate to risk assessment
procedures or other requirements that are included in the risk
assessment standards. The Board is not removing the requirements
regarding risk assessment procedures from Auditing Standard No. 5
because those requirements are important to understanding the other
provisions of Auditing Standard No. 5 for performing an audit of
internal control.
d. Amendments to Auditing Standard No. 6
The amendments to Auditing Standard No. 6, Evaluating Consistency
of Financial Statements, are limited to removing a footnote stating
that the term ``error'' as used in Statement of Financial Accounting
Standards No. 154, Accounting Changes and Error Corrections (``SFAS No.
154''), is equivalent to ``misstatement'' as used in the auditing
standards and updating a reference to a standard that is being
superseded. This technical change is made because the footnote
regarding misstatements in Auditing Standard No. 6 refers to SFAS No.
154, whereas the definition of ``misstatement'' in Auditing Standard
No. 14 on evaluating audit results is neutral regarding the financial
reporting framework. However, this technical change does not alter the
fact that an error under accounting standards generally accepted in the
United States is a misstatement under Auditing Standard No. 14.
e. Amendments to Auditing Standard No. 7
The amendments to Auditing Standard No. 7, Engagement Quality
Review, update footnote 3 and the note to paragraph 10 to replace a
reference to an interim standard that is superseded and to update the
definitions of the terms ``engagement partner'' and ``significant
risk'' to conform to the definitions in the risk assessment standards.
f. Amendments to Interim Auditing Standards
(i). Superseded Sections
The risk assessment standards supersede the following sections of
PCAOB interim auditing standards:
    AU sec. 311, Planning and Supervision
    AU sec. 312, Audit Risk and Materiality in Conducting an Audit
    AU sec. 313, Substantive Tests Prior to the Balance Sheet Date
    AU sec. 319, Consideration of Internal Control in a
      Financial Statement Audit
    AU sec. 326, Evidential Matter
    AU sec. 431, Adequacy of Disclosure in Financial Statements
Similarly, the auditing interpretations of AU secs. 311, 312, and
350 have been incorporated into the risk assessment standards and thus
are superseded. The auditing interpretations of AU sec. 326, except for
Interpretation No. 2 (AU secs. 9326.06-.23), also are superseded.\399\
---------------------------------------------------------------------------
\399\ Interpretation No. 2 relates in part to AU sec. 336 and AU
sec. 337, Inquiry of a Client's Lawyer Concerning Litigation,
Claims, and Assessments, and it will be evaluated in connection with
standards-setting projects related to those standards.
---------------------------------------------------------------------------
(ii). AU sec. 316, Consideration of Fraud in a Financial Statement
Audit
The relevant requirements regarding identifying and assessing fraud
risks, principally AU secs. 316.14-.45; responding to fraud risks,
principally AU secs. 316.46-.50; and evaluating audit results,
principally AU secs. 316.68-.78, have been incorporated into Auditing
Standard Nos. 12, 13, and 14, respectively. The remaining portions of
AU sec. 316 describe important principles regarding the auditor's
responsibility with respect to fraud and more detailed requirements
regarding the auditor's responses to fraud risks. Topics covered in the
remaining portions of AU sec. 316, as amended, include the following:
    A description of fraud and its characteristics,
    The importance of exercising professional skepticism,
    Examples of fraud risk factors,
    Examples of audit procedures performed to respond to fraud
      risks involving fraudulent financial reporting and
      misappropriation of assets, and
    Requirements regarding procedures to further address the
      risk of material misstatement due to fraud involving management
      override of controls, including examining journal entries and
      other adjustments for evidence of possible material misstatement
      due to fraud; reviewing accounting estimates for biases that could
      result in material misstatement due to fraud; and evaluating the
      business rationale for significant unusual transactions.
(iii). AU sec. 329, Analytical Procedures
The discussion in AU sec. 329 regarding analytical procedures
performed during audit planning, principally AU secs. 329.03 and
329.06-.08, is incorporated into Auditing Standard No. 12. Similarly,
the requirements regarding analytical procedures in the overall review,
principally AU secs. 329.23-.24, are incorporated into Auditing
Standard No. 14. The remaining portion of AU sec. 329 relates to
analytical procedures performed as substantive procedures. Therefore,
AU sec. 329 is retitled, Substantive Analytical Procedures,
[[Page 59396]]
which more accurately reflects the content of the amended standard.
A standard that focuses solely on substantive analytical procedures
highlights more clearly the requirements that apply to analytical
procedures performed for that purpose, including the higher degree of
precision in substantive analytical procedures needed to provide the
necessary level of assurance. The Board has observed instances in which
auditors performed substantive procedures to test accounts without
meeting the requirements in AU sec. 329 for substantive analytical
procedures.\400\
---------------------------------------------------------------------------
\400\ See, e.g., PCAOB Release 2007-010, Report on the PCAOB's
2004, 2005, and 2006 Inspections of Domestic Triennially Inspected
Firms (October 22, 2007).
---------------------------------------------------------------------------
(iv). AU sec. 336, Using the Work of a Specialist
The text of footnote 1 to paragraph .01 and of paragraph .05 were
amended to clarify that AU sec. 336 does not apply to situations in
which persons who participate in the audit have specialized skills or
knowledge in accounting or auditing (e.g., IT specialists and income
tax specialists) and to specialists employed by the firm. Auditing
Standard No. 10 applies to those situations. Those clarifications were
previously included in the reproposed standard on audit planning and
supervision.
(v). AU sec. 350, Audit Sampling
The discussion in AU sec. 350 regarding audit risk and tolerable
misstatement has been amended to align more closely with the
terminology used in the risk assessment standards.
The reproposed standards included amendments to AU secs. 350.23 and
350.38, which explained more specifically the principles in the
standard for determining sample sizes when nonstatistical sampling
approaches are used. Some commenters expressed concern that the
reproposed amendments would have required auditors who use
nonstatistical sampling methods to compute sample sizes under both
statistical and nonstatistical methods to demonstrate that the sample
size under the nonstatistical method equaled or exceeded the sample
size determined using a statistical method.
Commenters suggested that the standard should state that it is not
necessary to compute sample sizes using statistical methods. Including
such a sentence in the standard might be misunderstood by auditors and
weaken the requirement of the amended standard. The reproposed
amendments do not require auditors to compute sample sizes using
statistical methods in all instances to demonstrate compliance with the
requirements. For example, the use of a nonstatistical sampling
methodology that is adapted appropriately from a statistical sampling
method also could demonstrate compliance. However, calculating a sample
size that is not based on the relevant factors in AU sec. 350 is not in
compliance with the standard. Accordingly, the amendments are retained
as reproposed.
(vi). AU sec. 543, Part of Audit Performed by Other Independent
Auditors, and Interpretations
A note was added to paragraph .01 to clarify that Auditing Standard
No. 10 applies to situations not covered by AU sec. 543 in which the
auditor engages other accounting firms or other accountants to
participate in the audit. Paragraph .12 was amended to align AU sec.
543 with related amendments to Auditing Standard No. 3. Footnote 4 to
paragraph .16 of AU sec. 9543, Part of Audit Performed by Other
Independent Auditors: Auditing Interpretations of Section 543, is
deleted because it refers to an interim standard that is being
superseded.
(vii). Other Amendments to the Interim Auditing Standards
For the following interim auditing standards, the amendments are
limited to conforming terminology to the risk assessment standards and
updating references to auditing standards that are being superseded or
amended:
    AU sec. 110, Responsibilities and Functions of the
      Independent Auditor
    AU sec. 150, Generally Accepted Auditing Standards
    AU sec. 210, Training and Proficiency of the Independent Auditor
    AU sec. 230, Due Professional Care in the Performance of Work
    AU sec. 310, Appointment of the Independent Auditor
    AU sec. 315, Communications Between Predecessor and
      Successor Auditors
    AU sec. 317, Illegal Acts by Clients
    AU sec. 322, The Auditor's Consideration of the Internal
      Audit Function in an Audit of Financial Statements.
    AU sec. 324, Service Organizations
    AU sec. 328, Auditing Fair Value Measurements and Disclosures
    AU sec. 330, The Confirmation Process