5.01 AU-C section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards), addresses the independent auditor’s overall responsibilities when conducting an audit of financial statements in accordance with generally accepted auditing standards (GAAS). Specifically, it sets out the overall objectives of the independent auditor (the auditor) and explains the nature and scope of an audit designed to enable the auditor to meet those objectives. It also explains the scope, authority, and structure of GAAS and includes requirements establishing the general responsibilities of the auditor applicable in all audits, including the obligation to comply with GAAS.
5.02 Paragraph .12 of AU-C section 200 states that the overall objectives of the auditor, in conducting an audit of financial statements, are to
5.03 Depository and lending institutions are subject to certain risks as a result of the regulatory environment and the current economic climate in which these entities operate as well as the complex nature of these entities and the transactions in which these entities are engaged. This chapter provides guidance on the application of the auditor’s overall objectives, including the risk assessment process and general auditing considerations for depository and lending institutions.
5.04 Consistent with the guidance presented in paragraph .04 of AU-C section 200, the purpose of an audit of a depository and lending institution’s financial statements is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework, which enhances the degree of confidence that intended users can place in the financial statements. An audit conducted in accordance with GAAS and relevant ethical requirements enables the auditor to form that opinion. As the basis for the auditor’s opinion, paragraph .06 of AU-C section 200 states that GAAS require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (for purposes of GAAS, that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.
5.05 Paragraphs .08 and .10 of AU-C section 200 state that GAAS contain objectives, requirements, and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. GAAS require that the auditor exercise professional judgment and maintain professional skepticism throughout the planning and performance of the audit and, among other things,
The auditor also may have certain other communication and reporting responsibilities to users, management, those charged with governance, or parties outside the entity, regarding matters arising from the audit. These responsibilities may be established by GAAS or by applicable law or regulation.
Considerations for Audits Performed in Accordance With PCAOB Standards
PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.10), reminds auditors of the requirement to appropriately apply professional skepticism throughout their audits, which includes an attitude of a questioning mind and a critical assessment of audit evidence. This practice alert highlights: (1) professional skepticism and due professional care; (2) impediments to the application of professional skepticism; (3) promoting professional skepticism via an appropriate system of quality control; (4) the importance of supervision to the application of professional skepticism; and (5) the appropriate application of professional skepticism.
5.06 Paragraph .A36 of AU-C section 200 explains that audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.
5.07 Paragraphs .A38–.A40 of AU-C section 200 provide further explanation on the two levels of the risks of material misstatement. The risks of material misstatement exist at the overall financial statement level and the assertion level for classes of transactions, account balances, and disclosures. Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.
5.08 Paragraph .A44 of AU-C section 200 states that GAAS do not ordinarily refer to inherent risk and control risk separately but rather to a combined assessment of the risks of material misstatement. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages or in nonquantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.
5.09 Paragraphs .A41–.A44 and .A46–.A47 of AU-C section 200 provide further guidance on the two components of the risk of material misstatement (inherent risk and control risk) and characteristics of detection risk.
5.10 The scope of services rendered by auditors generally depends on the types of reports to be issued as a result of the engagement. Paragraphs .09–.10 of AU-C section 210, Terms of Engagement (AICPA, Professional Standards), state that the auditor should agree upon the terms of the audit engagement with management or those charged with governance, as appropriate. The agreed-upon terms of the audit engagement should be documented in an audit engagement letter or other suitable form of written agreement (see paragraph .10 of AU-C section 210 for a listing of agreed-upon terms that should be included). Both management and the auditor have an interest in documenting the agreed-upon terms of the audit engagement before the commencement of the audit to help avoid misunderstandings with respect to the audit as stated in paragraph .A22 of AU-C section 210.
5.11 In accordance with paragraphs .A23–.A24 of AU-C section 210, the form and content of the audit engagement letter may vary for each entity. When relevant, additional services to be provided, such as those relating to regulatory requirements (see further discussion on these engagements in the section “Annual Independent Audits and Reporting Requirements” beginning in paragraph 1.86 of this guide), could be included in the audit engagement letter. In addition, the engagement letter may also include any additional legal or contractual requirements, such as the following:
5.12 In February 2006, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve), the FDIC, the Office of Thrift Supervision (prior to its transfer of powers to the OCC, the Federal Reserve, and the FDIC), and the National Credit Union Administration (NCUA) published the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters. The advisory was issued because the federal agencies had observed an increase in the types and frequency of provisions in financial institutions’ external audit engagement letters limiting the auditor’s liability. Examples of these provisions included, but were not limited to, indemnifying the external auditor against claims made by third parties, releasing the external auditor from liability for claims or potential claims that might be asserted by the client financial institution, or limiting the remedies available to the client financial institution. The federal agencies believe that when financial institutions agree to limit their external auditors’ liability, either in provisions in engagement letters or in provisions that accompany alternative dispute resolution agreements, such provisions may weaken the external auditor’s objectivity, impartiality, and performance. In this regard, the Professional Ethics Executive Committee issued Interpretation No. 501-8, “Failure to Follow Requirements of Governmental Bodies, Commissions, or Other Regulatory Agencies on Indemnification of Liability Provisions in Connection With Audit and Other Attest Services” (AICPA, Professional Standards, ET sec. 501 par. .09). This interpretation provides that including prohibited limitation of liability provisions in engagement letters is an act discreditable to the profession.
5.13 The advisory informs financial institutions’ boards of directors, audit committees, and management that they should not enter into agreements that incorporate unsafe and unsound external auditor limitation of liability provisions with respect to engagements for financial statement audits, audits of internal control over financial reporting, and attestations on management’s assessment of internal control over financial reporting. It applies to all audits of financial institutions, regardless of whether an institution is public or a nonpublic company. However, the advisory does not apply to non-audit services; audits of financial institutions’ 401K plans, pension plans, and other similar audits; services performed by accountants who are not engaged to perform financial institutions’ audits; and other service providers. Readers may access the full text of this advisory from any of the federal agencies’ websites.
5.14 AU-C section 300, Planning an Audit (AICPA, Professional Standards), addresses the auditor’s responsibilities to plan an audit of financial statements. AU-C section 300 is written in the context of recurring audits. Matters related to planning audits of group financial statements are addressed in AU-C section 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) (AICPA, Professional Standards). Planning activities involve performing preliminary engagement activities; establishing an overall audit strategy and communicating with those charged with governance an overview of the planned scope and timing of the audit; developing a detailed, written audit plan; determining direction and supervision of engagement team members and review of their work; and determining the extent of involvement of professionals with specialized skills. Adequate planning benefits the audit of financial statements in several ways, including the following:
Paragraph .A1 of AU-C section 300 further explains that the nature, timing, and extent of planning activities will vary according to the size and complexity of the entity, the key engagement team members’ previous experience with the entity, and changes in circumstances that occur during the audit.
5.15 In accordance with paragraph .09 of AU-C section 300, the auditor should develop an audit plan that includes a description of the nature and extent of planned risk assessment procedures, as determined under AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards) (see discussion of risk assessment procedures in paragraphs 5.23–.75); the nature, timing, and extent of planned further audit procedures at the relevant assertion level, as determined under AU-C section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (AICPA, Professional Standards) (see discussion of planned further audit procedures in paragraphs 5.82–.98); and other planned audit procedures that are required to be carried out so that the engagement complies with GAAS. Paragraph .A2 of AU-C section 300 explains that planning is not a discrete phase of an audit, but rather a continual and iterative process that often begins shortly after (or in connection with) the completion of the previous audit and continues until the completion of the current audit engagement.
5.16 AU-C section 320, Materiality in Planning and Performing an Audit (AICPA, Professional Standards), addresses the auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements. AU-C section 450, Evaluation of Misstatements Identified During the Audit (AICPA, Professional Standards), explains how materiality is applied in evaluating the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements (see paragraphs 5.99–.101 for a discussion of evaluation of misstatements).
5.17 Paragraphs .04 and .06 of AU-C section 320 state that the auditor's determination of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the financial information needs of users of financial statements. In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material. Although it is not practicable to design audit procedures to detect misstatements that could be material solely because of their nature (that is, qualitative considerations), the auditor considers not only the size but also the nature of uncorrected misstatements, and the particular circumstances of their occurrence, when evaluating their effect on the financial statements.
5.18 In accordance with paragraphs .10 and .A5 of AU-C section 320, the auditor should determine materiality for the financial statements as a whole when establishing the overall audit strategy. Determining materiality involves the exercise of professional judgment. A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole. If, in the specific circumstances of the entity, one or more particular classes of transactions, account balances, or disclosures exist for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users, then, taken on the basis of the financial statements, the auditor also should determine the materiality level or levels to be applied to those particular classes of transactions, account balances, or disclosures. See paragraphs .A12–.A13 of AU-C section 320 for further application guidance on materiality level or levels for particular classes of transactions, account balances, or disclosures.
5.19 Paragraph .A14 of AU-C section 320 explains that planning the audit solely to detect individual material misstatements overlooks the fact that the aggregate of individually immaterial misstatements may cause the financial statements to be materially misstated and leaves no margin for possible undetected misstatements. Therefore, in accordance with paragraph .11 of AU-C section 320, the auditor should determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing, and extent of further audit procedures. Performance materiality, for purposes of GAAS, is defined in AU-C section 320 as the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures. Performance materiality is to be distinguished from tolerable misstatement, which is the application of performance materiality to a particular sampling procedure.
5.20 Paragraph .A14 of AU-C section 320 goes on to explain that the determination of performance materiality is not a simple mechanical calculation and involves the exercise of professional judgment. It is affected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identified in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period.
5.21 Paragraphs .A113–.A118 of AU-C section 315 discuss the use of assertions in assessment of risks of material misstatement. In representing that the financial statements are in accordance with the applicable financial reporting framework, management implicitly or explicitly makes assertions regarding the recognition, measurement, presentation, and disclosure of the various elements of financial statements and related disclosures. Assertions used by the auditor to consider the different types of potential misstatements that may occur fall into the following categories and may take the following forms.
Categories of Assertions | Description of Assertions | | |
 | Classes of Transactions and Events During the Period | Account Balances at the End of the Period | Presentation and Disclosure |
Occurrence/Existence | Transactions and events that have been recorded have occurred and pertain to the entity. | Assets, liabilities, and equity interests exist. | Disclosed events and transactions have occurred. |
Rights and Obligations | — | The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. | Disclosed events and transactions pertain to the entity. |
Completeness | All transactions and events that should have been recorded have been recorded. | All assets, liabilities, and equity interests that should have been recorded have been recorded. | All disclosures that should have been included in the financial statements have been included. |
Accuracy/Valuation and Allocation | Amounts and other data relating to recorded transactions and events have been recorded appropriately. | Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are recorded appropriately. | Financial and other information is disclosed fairly and at appropriate amounts. |
Cut-off | Transactions and events have been recorded in the correct accounting period. | — | — |
Classification and Understandability | Transactions and events have been recorded in the proper accounts. | — | Financial information is appropriately presented and described and information in disclosures is expressed clearly. |
5.22 According to paragraph .A116 of AU-C section 315, the auditor should use relevant assertions for classes of transactions, account balances, and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures. The auditor should use relevant assertions in assessing risks by relating the identified risks to what can go wrong at the relevant assertion, taking account of relevant controls that the auditor intends to test, and designing further audit procedures that are responsive to the assessed risks.
5.23 AU-C section 315 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control.
5.24 Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter as an understanding of the entity), is a continuous, dynamic process of gathering, updating, and analyzing information throughout the audit. As stated in paragraph .A1 of AU-C section 315, the understanding of the entity establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit when, for example
5.25 In accordance with paragraph .05 of AU-C section 315, the auditor should perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and relevant assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. For purposes of GAAS, risk assessment procedures are defined in AU-C section 315 as audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels.
5.26 The auditor is required to exercise professional judgment to determine the extent of the required understanding of the entity. Paragraph .A3 of AU-C section 315 states that the auditor’s primary consideration is whether the understanding of the entity that has been obtained is sufficient to meet the objectives of AU-C section 315. The depth of the overall understanding that is required by the auditor is less than that possessed by management in managing the entity.
5.27 Paragraph .06 of AU-C section 315 states that the risk assessment procedures should include the following:
5.28 Paragraphs .A7–.A10 of AU-C section 315 provide additional explanation for analytical procedures performed during the risk assessment process. Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures may enhance the auditor's understanding of the institution's business and the significant transactions and events that have occurred since the prior audit and help to identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have audit implications.
5.29 Ratios, operating statistics, and other analytical information that may be useful in assessing an institution's position relative to other similar institutions and to industry norms, as well as in identifying unusual relationships between data about the institution itself, are generally readily available. Ratios and statistics developed for use by management or regulators often can be effectively used by the auditor in performing analytical procedures for risk assessment purposes. Many institutions disclose analytical information in their annual and quarterly reports. Other sources of information that may be useful for risk assessment purposes are the institution's Call Reports and the disclosures made by publicly held institutions in accordance with the SEC’s Industry Guide No. 3, Statistical Disclosures by Bank Holding Companies. The Uniform Bank Performance Reports, published by the Federal Financial Institutions Examination Council (FFIEC), and various reports published by the FDIC contain industry data and statistics. There are also several sources of industry data published by private companies. Many of these reports use a peer group format. It is important to understand the relevance of any peer group data to the client institution before making any judgments.
5.30 A number of the ratios that may be useful to the auditor in an audit of the financial statements of an institution are listed here with a brief description of the information they provide:
5.31 In accordance with paragraph .11 of AU-C section 315, the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner should determine which matters are to be communicated to engagement team members not involved in the discussion. Paragraph .A14 of AU-C section 315 states this discussion may be held concurrently with the discussion among the engagement team that is required by AU-C section 240, Consideration of Fraud in a Financial Statement Audit (AICPA, Professional Standards), to discuss the susceptibility of the entity’s financial statements to fraud. Paragraphs 5.129–.132 further address the discussion among the engagement team about the risks of fraud.
5.32 In addition to the requirements discussed previously, paragraphs .07–.10 of AU-C section 315 address additional requirements on risk assessment procedures and related activities. Additional application and explanatory material regarding risk assessment requirements can be found in paragraphs .A1–.A16 of AU-C section 315.
5.33 Paragraph .12 of AU-C section 315 states that the auditor should obtain an understanding of the following:
i. its operations;
ii. its ownership and governance structures;
iii. the types of investments that the entity is making and plans to make, including investments in entities formed to accomplish specific objectives; and
iv. the way that the entity is structured and how it is financed,
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.
Appendix A, "Understanding the Entity and Its Environment," of AU-C section 315 contains examples of matters that the auditor may consider in obtaining an understanding of the entity and its environment. Appendix B, "Internal Control Components," of AU-C section 315 contains a detailed explanation of the internal control components.
5.34 As previously discussed in paragraph 5.33, in addition to an understanding of the industry, including matters such as those described in chapter 1, chapter 2, chapter 3, "Industry Overview—Finance Companies," and chapter 4 of this guide, the auditor should obtain an understanding of the nature of an entity and the entity’s objectives and strategies and those related business risks that may result in risks of material misstatement. With regard to financial institutions, such matters include risk management strategies, organizational structure, product lines and services, capital structure, locations, and other operating characteristics. Paragraph .A32 of AU-C section 315 identifies examples of matters that the auditor may consider when obtaining an understanding of the entity’s objectives, strategies, and related business risks that may result in a risk of material misstatement of the financial statements. For entities subject to the oversight authority of the PCAOB, the auditor should also obtain an understanding of the operating segments of the business, as defined by FASB Accounting Standards Codification (ASC) 280-10-50.
5.35 An understanding of the entity may also be obtained or supplemented by reading documents such as the following:
5.36 Related parties. Obtaining an understanding of a client's business should also include performing the procedures set forth in AU-C section 550, Related Parties (AICPA, Professional Standards), to determine the existence of related-party relationships and transactions with such parties. The FASB ASC glossary defines related parties as
5.37 Paragraph .A2 of AU-C section 550 states that the substance of a particular transaction may be significantly different from its form. Accordingly, financial statements prepared in accordance with U.S. generally accepted accounting principles (GAAP) generally recognize the substance of particular transactions rather than merely their legal form. Paragraph .A45 of AU-C section 550 explains that it will generally not be possible to determine whether a particular transaction would have taken place if the parties had not been related, or assuming it would have taken place, what the terms and manner of settlement would have been. Accordingly, it is difficult to substantiate representations that a transaction was consummated on terms equivalent to those that prevail in arm's length transactions. Paragraphs .A47 and .A49 of AU-C section 550 further state that the preparation and fair presentation of the financial statements requires management to substantiate an assertion included in financial statements that a related party transaction was conducted on terms equivalent to those prevailing in an arm’s length transaction. If the auditor believes that management’s assertions are unsubstantiated or the auditor cannot obtain sufficient appropriate audit evidence to support the assertions, the auditor, in accordance with AU-C section 705, Modifications to the Opinion in the Independent Auditor’s Report (AICPA, Professional Standards), considers the implications for the audit, including the opinion in the auditor’s report. AU-C section 705 addresses the auditor’s responsibility to issue an appropriate report in circumstances when, in forming an opinion in accordance with AU-C section 700, Forming an Opinion and Reporting on Financial Statements (AICPA, Professional Standards), the auditor concludes that a modification to the auditor’s opinion on the financial statements is necessary. Chapter 23 of this guide provides additional discussion on auditor reports.
5.38 Regulation O loans. Part 215, "Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks," of the U.S. Code of Federal Regulations (CFR), commonly referred to as Regulation O, governs any extension of credit made by a member bank to an executive officer, director, or principal shareholder of the member bank, of any company of which the member bank is a subsidiary, and of any other subsidiary of that company. It also applies to any extension of credit made by a member bank to a company controlled by such a person, or to a political or campaign committee that benefits or is controlled by such a person. In general, Part 215.4 states that no member bank may extend credit to any insider of the bank or insider of its affiliates unless the extension of credit
5.39 Management of a financial institution would generally be expected to be able to support that their related party loans were conducted on terms equivalent to those prevailing in an arm’s length transaction. In instances where a bank has made such a related party loan, the auditor should perform procedures to verify this assertion, including reviewing management’s documentation as well as the regulatory examination report, which would identify instances where there are possible Regulation O violations.
5.40 As previously discussed in paragraph 5.33a, auditors should obtain an understanding of the relevant industry risk factors as a part of the evaluation of the entity and its environment. No list of risk factors covers all of the complex characteristics that affect transactions in the industry. However, some of those risk factors are competition for business, innovations in financial instruments, and the role of regulatory policy. Emerging regulatory and accounting guidance is discussed throughout this guide. Other primary risk factors (discussion to follow) involve the sensitivity of an institution’s earnings to changes in interest rates, liquidity, asset quality, fiduciary, and processing risk. Auditors should obtain an understanding of such risk factors when planning the audit of an institution's financial statements. Practical considerations of these risk factors for certain transactions are provided in each chapter where appropriate.
5.41 Interest rate risk (IRR). In general, financial institutions derive their income primarily from the excess of interest collected over interest paid. The rates of interest an institution earns on its assets and owes on its liabilities generally are established contractually for a period of time. Market interest rates change over time. Accordingly, an institution is exposed to lower profit margins (or losses) if it cannot adapt to interest rate changes.
5.42 For example, assume an institution's assets carry intermediate or long term fixed rates. Assume those assets were funded with short term liabilities. Also assume that interest rates rise by the time the short term liabilities are refinanced. The increase in the institution's interest expense on the new liabilities—which carry new, higher rates—will not be offset if assets continue to earn at the long term fixed rates. Accordingly, the institution's profits would decrease on the transaction because the institution will either have lower net interest income or, possibly, net interest expense. Similar risks exist if assets are subject to contractual interest rate ceilings, or rate sensitive assets are funded by longer term, fixed rate liabilities in a decreasing rate environment.
5.43 Several techniques might be used by an institution to minimize interest-rate risk. One approach is for the institution to continually analyze and manage assets and liabilities based on their payment streams and interest rates, the timing of their maturities, and their sensitivity to actual or potential changes in market interest rates. Such activities fall under the broad definition of asset/liability management.
5.44 One technique used in asset/liability management is measurement of an institution's asset/liability gap—that is, the difference between the cash flow amounts of interest-sensitive assets and liabilities that will be refinanced (or repriced) during a given period. For example, if the asset amount to be repriced exceeds the corresponding liability amount for a certain day, month, year, or longer period, the institution is in an asset-sensitive gap position. In this situation, net interest income would increase if market interest rates rose and decrease if market interest rates fell. If, alternatively, more liabilities than assets will reprice, the institution is in a liability-sensitive position. Accordingly, net interest income would decline when rates rose and increase when rates fell. Such gap analysis assumes that assets and liabilities will be repriced only when they mature—it does not consider opportunities to reprice principal or interest cash flows before maturity. Also, these examples assume that interest rate changes for assets and liabilities are of the same magnitude, whereas actual interest rate changes generally differ in magnitude for assets and liabilities.
5.45 Duration analysis is a technique that builds on gap analysis by adding consideration of the average life of a stream of cash flows. The duration of an asset or liability is measured by weighting cash flow amounts based on their timing. Accordingly, duration analysis adds a measure of the effect of the timing of interest rate changes on earnings.
5.46 Another technique used to analyze IRR involves simulation models. These models measure the effect of changes in interest rates on either net interest income or on the economic value of equity. Net interest income models measure the sensitivity of changes in net interest income as a result of different interest rate scenarios. The economic value of equity measures the difference in the market value of an institution’s financial assets, liabilities, and off-balance-sheet instruments as a result of change in the interest rate environment. Simulation analysis involves the projection of various interest rate scenarios over future periods. To determine market value, the estimated cash flows for each rate scenario are discounted to arrive at a present value calculation for each rate scenario. The resulting range of probable risk exposures reflects both current and expected IRR. The rate scenarios often reflect variations of factors such as the mix of assets and liabilities and related pricing strategies. As with gap and duration analyses, if the assumptions are not valid, the results may not provide an accurate reflection of the institution's IRR.
5.47 Several ways an institution can affect IRR include the following:
5.48 An institution might also invest in more complex financial instruments intended to hedge or otherwise change IRR. Interest rate swaps, futures contracts, options on futures, and other such derivative instruments often are used for this purpose. Because these instruments are sensitive to interest rate changes, they generally require management expertise to be effective. Accounting and regulatory guidance for these instruments continue to evolve. Chapter 18, "Derivative Instruments: Futures, Forwards, Options, Swaps, and Other Derivative Instruments," of this guide discusses specific accounting and regulatory guidance in this area, as well as related audit considerations.
5.49 Financial institutions are subject to a related risk—prepayment risk—in falling rate environments. For example, mortgage loans and other receivables may be prepaid by a debtor so that the debtor may refund its obligations at new, lower rates. Prepayments of assets carrying the old, higher rates reduce the institution's interest income and overall asset yields. Prepayment risk is discussed further in chapter 7, "Investments in Debt and Equity Securities," of this guide.
5.50 Liquidity risk. A large portion of an institution's liabilities may be short term or due on demand, although most of its assets may be invested in long term loans or investments. Accordingly, the institution needs to have in place sources of cash to meet short term demands. These funds can be obtained in cash markets, by borrowing, or by selling assets. Also, the secondary mortgage, repurchase agreement, and Euro-markets have become increasingly important sources of liquidity for banks and savings institutions. However, if an institution resorts to sales of assets or loans to obtain liquidity, immediate losses will be incurred when the effective rates those assets carry are below market rates at the time of sale. Related audit considerations are addressed in chapter 7 of this guide.
5.51 The composition of an institution's deposits also affects liquidity and IRR because large volumes of deposits can be withdrawn over a short period of time. For example, institutions are also subject to reputation risk. If an institution receives adverse publicity, it may have difficulty retaining deposits and, therefore, become dependent on other forms of borrowing at a higher cost of funds. (Chapter 13 of this guide addresses audit considerations for deposits.)
5.52 Asset-quality risk. Financial institutions have generally suffered their most severe losses as a result of the loss of expected cash flows due to loan defaults and inadequate collateral. For example, significant credit losses on real estate loans have occurred, due largely to downturns in regional and national real estate markets, but also because of other general economic conditions and higher-risk lending activities. Chapter 9, "Credit Losses," of this guide addresses credit losses.
5.53 Other financial assets are subject to other impairment issues—similar to credit quality—that involve subjective determinations. For example, increased prepayments of principal during periods of falling interest rates have a significant impact on the economic value of assets such as mortgage servicing rights.
5.54 Auditors who audit financial statements of financial institutions should give particular attention to the assessment of impairment of financial assets. The auditor should focus on the methods used, assumptions made, and conclusions reached by management (and outside specialists relied on by management, such as appraisers) in assessing impairment of financial assets. Practical guidance is provided in subsequent chapters.
5.55 Fiduciary risk. Many financial institutions' activities involve custody of financial assets, management of such assets, or both. Fiduciary responsibilities are the focus of activities such as servicing the collateral behind asset-backed securities, managing mutual funds, and administering trusts. These activities expose the institution to the risk of loss arising from failure to properly process transactions or handle the related assets on behalf of third parties. Related audit considerations are addressed in subsequent chapters.
5.56 Processing risk. Large volumes of transactions must be processed by most financial institutions, generally over short periods of time. Demands placed on both computerized and manual systems can be great. These demands increase the risk that the accuracy and timeliness of related information could be impaired.
5.57 Financial institutions utilize information systems to process large volumes of transactions (for example, arising from banks’ electronic funds transfer and check processing operations) on an accurate and timely basis. Related considerations are discussed in subsequent chapters.
5.58 As explained in paragraph .A44 of AU-C section 315, the way in which internal control is designed, implemented, and maintained varies with an entity’s size and complexity. The assets of financial institutions generally are more negotiable and more liquid than those of other entities. As a result, they may be subject to greater risk of loss. In addition, the operations of financial institutions are characterized by a high volume of transactions; as a result, the effectiveness of internal control is a significant audit consideration.
5.59 Paragraphs .13–.14 of AU-C section 315 state that the auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. When obtaining an understanding of controls that are relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity’s personnel. Paragraph .A42 of AU-C section 315 further explains that an understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect the risks of material misstatement and in designing the nature, timing, and extent of further audit procedures.
5.60 Purpose of internal control. Paragraph .A44 of AU-C section 315 explains that internal control is designed, implemented, and maintained to address identified business risks that threaten the achievement of any of the entity's objectives that concern (a) the reliability of the entity’s financial reporting, (b) the effectiveness and efficiency of its operations, and (c) its compliance with applicable laws and regulations.
5.61 Division of internal control. For purposes of GAAS, internal control is divided into the following five components:
i. initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity;
ii. resolve incorrect processing of transactions (for example, automated suspense files and procedures followed to clear suspense items out on a timely basis);
iii. process and account for system overrides or bypasses to controls;
iv. transfer information from transaction processing systems to the general ledger;
v. capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of accounts receivables; and
vi. ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements.
Audit requirements and application guidance related to the preceding components can be found in paragraphs .15–.25 and .A71–.A107, respectively, of AU-C section 315.
5.62 Controls relevant to the audit. Paragraphs .A61–.A62 of AU-C section 315 state a direct relationship exists between an entity’s objectives and the controls it implements to provide reasonable assurance about their achievement. The entity’s objectives and, therefore, controls relate to financial reporting, operations, and compliance; however, not all of these objectives and controls are relevant to the auditor’s risk assessment. Factors relevant to the auditor’s professional judgment about whether a control, individually or in combination with others, is relevant to the audit may include such matters as the following:
5.63 Paragraph .A64 of AU-C section 315 states that the controls relating to operations and compliance objectives also may be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures. For example, controls pertaining to nonfinancial data that the auditor may use in analytical procedures, such as production statistics, or controls pertaining to detecting noncompliance with laws and regulations that may have a direct effect on the determination of material amounts and disclosures in the financial statements, such as compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.
5.64 IT considerations. Financial institutions’ operations are characterized by large volumes of transactions and, therefore, generally rely heavily on computers. AU-C section 315 establishes standards and provides guidance for auditors who have been engaged to audit an entity's financial statements when significant information is transmitted, processed, maintained, or accessed electronically.
Considerations for Audits Performed in Accordance With PCAOB Standards
PCAOB Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.11), highlights certain requirements of the auditing standards of the PCAOB in aspects of audits of internal control over financial reporting in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports. Among other topics, the alert specifically addresses PCAOB standards regarding the consideration of IT in audits of internal control, including when testing controls that use system-generated data and reports and evaluating deficiencies in IT general controls.
5.65 Paragraph .A54 of AU-C section 315 states that an entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. The auditor might consider matters such as
5.66 Some of the accounting data and corroborating audit evidence may be available only in electronic form. For example, entities may use electronic data interchange or image processing systems. In image processing systems, documents are scanned and converted into electronic images to facilitate storage and reference, and the source documents may not be retained after conversion. Certain electronic evidence may exist at a certain point in time. However, such evidence may not be retrievable after a specified period of time if files are changed and if backup files do not exist. Therefore, the auditor might consider the time during which information exists or is available in determining the nature, timing, and extent of his or her substantive tests and, if applicable, tests of controls.
5.67 Information technology may be performed solely by the institution, shared with others, or provided by an independent organization supplying specific data processing services for a fee. AU-C section 402, Audit Considerations Relating to an Entity Using a Service Organization (AICPA, Professional Standards), addresses the user auditor’s responsibility when auditing the financial statements of entities that obtain services that are part of its information system from another organization (see further discussion in paragraphs 5.120–.122).
5.68 The auditor should consider whether specialized skills are needed to consider the effect of information technology on the audit, to understand the internal control, or to design and perform audit procedures. If specialized skills are needed, the auditor should seek the assistance of someone possessing such skills who may be either on the audit staff or an outside professional. If the use of such a professional is planned, the auditor should have sufficient information technology related knowledge to communicate the desired objectives to the information technology professional, to evaluate whether the specific procedures will meet the auditor's objectives, and to evaluate the results of the procedures applied as they relate to the nature, timing, and extent of other planned audit procedures.
5.69 System upgrades, conversions, and changes in technology have occurred with increasing frequency in the industry to accommodate the many changes in the nature and complexity of products and services offered, ongoing changes in accounting rules, continually evolving regulations, and mergers and acquisitions. A number of system changes may affect internal control. For example, merging institutions with incompatible computer systems can have a significant negative impact on the surviving institution's internal control. In addition to obtaining the understanding of ongoing or planned changes in processing controls that is necessary to plan the audit, the auditor may find it necessary to consider the effect of system changes on
5.70 Communication with those charged with governance. AU-C section 260, The Auditor’s Communication With Those Charged With Governance (AICPA, Professional Standards), addresses the auditor’s responsibility to communicate with those charged with governance in an audit of financial statements. Although this section applies regardless of an entity’s governance structure or size, particular considerations apply when all of those charged with governance are involved in managing an entity. This section does not establish requirements regarding the auditor’s communication with an entity’s management or owners unless they are also charged with a governance role.
5.71 AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards), addresses the auditor’s responsibility to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements. In particular, AU-C section 265
5.72 Paragraphs .11–.13 of AU-C section 265 state that the auditor should communicate in writing to those charged with governance on a timely basis significant deficiencies and material weaknesses identified during the audit, including those that were remediated during the audit. The auditor also should communicate to management at an appropriate level of responsibility, on a timely basis
The communication referred to should be made no later than 60 days following the report release date. However, paragraph .A15 of AU-C section 265 further explains that the communication is best made by the report release date because receipt of such communication may be an important factor in enabling those charged with governance to discharge their oversight responsibilities.
5.73 In accordance with paragraph .03 of AU-C section 265, nothing in AU-C section 265 precludes the auditor from communicating to those charged with governance or management other internal control matters that the auditor has identified during the audit.
5.74 The appendix, "Examples of Circumstances That May Be Deficiencies, Significant Deficiencies, or Material Weaknesses," of AU-C section 265 includes examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses.
5.75 AU-C section 265 is not applicable if the auditor is engaged to perform an audit of internal control over financial reporting that is integrated with an audit of financial statements. In such circumstances, AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards), applies.
5.76 As discussed in paragraph 5.25, risk assessment procedures allow the auditor to gather the information necessary to obtain an understanding of the entity and its environment including its internal control. This knowledge provides a basis for assessing the risks of material misstatement of the financial statements. These risk assessments are then used to design further audit procedures, such as tests of controls and substantive tests. This section provides guidance on assessing the risks of material misstatement and how to design further audit procedures that effectively respond to those risks.
5.77 To provide a basis for designing and performing further audit procedures, paragraphs .26–.27 of AU-C section 315 state that the auditor should identify and assess the risks of material misstatement at the financial statement level and at the relevant assertion level for classes of transactions, account balances, and disclosures. For this purpose, the auditor should
5.78 Paragraph .A108 of AU-C section 315 explains that the risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of this nature are not necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level. Rather, they represent circumstances that may increase the risks of material misstatement at the assertion level (for example, through management override of internal control). Financial statement level risks may be especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud.
5.79 Process of identifying risks of material misstatement. Paragraph .A120 of AU-C section 315 explains that information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, is used as audit evidence to support the risk assessment. The risk assessment determines the nature, timing, and extent of further audit procedures to be performed.
5.80 Paragraphs .28–.29 of AU-C section 315 state that as part of the risk assessment described in paragraph .26 of AU-C section 315 (see paragraph 5.77), the auditor should determine whether any of the risks identified are, in the auditor’s professional judgment, a significant risk. In exercising this judgment, the auditor should exclude the effects of identified controls related to the risk. In addition, the auditor should consider at least
5.81 If the auditor has determined that a significant risk exists, paragraph .30 of AU-C section 315 states that the auditor should obtain an understanding of the entity’s controls, including control activities, relevant to that risk and, based on that understanding, evaluate whether such controls have been suitably designed and implemented to mitigate such risks. See paragraphs 5.90 and 5.93 for discussion of further audit procedures pertaining to significant risks.
5.82 AU-C section 330 addresses the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with AU-C section 315 and to evaluate the audit evidence obtained in an audit of financial statements.
5.83 Paragraph .05 of AU-C section 330 states that the auditor should design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. Paragraph .A1 of AU-C section 330 states that overall responses to address the assessed risks of material misstatement at the financial statement level may include emphasizing to the audit team the need to maintain professional skepticism, assigning more experienced staff or those with specialized skills or using specialists, providing more supervision, incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, or making general changes to the nature, timing, or extent of further audit procedures (for example, performing substantive procedures at period end instead of at an interim date or modifying the nature of audit procedures to obtain more persuasive audit evidence). Financial institutions are subject to certain risks that are less prevalent in commercial, industrial, and other nonfinancial businesses, and they operate in a particularly volatile and highly regulated environment. Accordingly, the auditor might design appropriate overall responses to that higher risk with personnel who have appropriate relevant experience and provide more extensive supervision. See paragraphs 5.06–.09 for more guidance regarding the auditor’s overall responses to audit risk.
5.84 Paragraphs .A2–.A3 of AU-C section 330 go on to explain that the assessment of the risks of material misstatement at the financial statement level and, thereby, the auditor’s overall responses are affected by the auditor’s understanding of the control environment. An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and, thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period-end. Deficiencies in the control environment, however, have the opposite effect (for example, the auditor may respond to an ineffective control environment by
Such considerations, therefore, have a significant bearing on the auditor’s general approach (for example, an emphasis on substantive procedures [substantive approach] or an approach that uses tests of controls as well as substantive procedures [combined approach]).
5.85 Further audit procedures provide important audit evidence to support an audit opinion. These procedures consist of tests of controls and substantive tests. Paragraph .06 of AU-C section 330 states that the auditor should design and perform further audit procedures whose nature, timing, and extent are based on, and are responsive to, the assessed risks of material misstatement at the relevant assertion level.
5.86 In designing the further audit procedures to be performed, paragraph .07 of AU-C section 330 states that the auditor should
i. the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (the inherent risk) and
ii. whether the risk assessment takes account of relevant controls (the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures), and
5.87 Tests of controls. In accordance with paragraph .08 of AU-C section 330, the auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if (a) the auditor’s assessment of risks of material misstatement at the relevant assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures) or (b) when substantive procedures alone cannot provide sufficient appropriate audit evidence at the relevant assertion level. In accordance with paragraph .A21 of AU-C section 330, tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in a relevant assertion. If substantially different controls were used at different times during the period under audit, each is considered separately.
5.88 Paragraph .A22 of AU-C section 330 states that testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the design and implementation of controls. However, the same types of audit procedures are used. The auditor may, therefore, decide it is efficient to test the operating effectiveness of controls at the same time the auditor is evaluating their design and determining that they have been implemented.
5.89 Paragraph .A23 of AU-C section 330 states that although some risk assessment procedures may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls.
5.90 Timing of tests of controls over significant risks. One or more significant risks normally arise on most audits. Paragraph .15 of AU-C section 330 states that if the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor should test the operating effectiveness of those controls in the current period.
5.91 Substantive procedures. Irrespective of the assessed risks of material misstatement, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure, in accordance with paragraph .18 of AU-C section 330.
5.92 Paragraph .21 of AU-C section 330 states that the auditor’s substantive procedures should include audit procedures related to the financial statement closing process, such as
Paragraph .A57 of AU-C section 330 states that the nature and extent of the auditor’s examination of journal entries and other adjustments depends on the nature and complexity of the entity’s financial reporting process and the related risks of material misstatement.
5.93 Substantive procedures responsive to significant risks. If the auditor has determined that an assessed risk of material misstatement at the relevant assertion level is a significant risk, paragraph .22 of AU-C section 330 states that the auditor should perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures should include tests of details.
5.94 Substantive analytical procedures. AU-C section 520, Analytical Procedures (AICPA, Professional Standards), addresses the auditor’s use of analytical procedures as substantive procedures (substantive analytical procedures). It also addresses the auditor’s responsibility to perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion on the financial statements.
5.95 As explained in paragraphs .A2–.A3 of AU-C section 520, analytical procedures include the consideration of comparisons of the entity’s financial information with, for example, comparable information for prior periods, anticipated results of the entity (such as budgets or forecasts) or expectations of the auditor, or similar industry information. Analytical procedures also include consideration of relationships, like elements of financial information that would be expected to conform to a predictable pattern based on recent history of the entity and industry or between financial information and relevant nonfinancial information (such as payroll costs to number of employees). When designing and performing analytical procedures, either alone or in combination with tests of details, as substantive procedures, paragraph .05 of AU-C section 520 states that the auditor should
5.96 Paragraphs .A13–.A14 of AU-C section 520 explain that different types of analytical procedures provide different levels of assurance. The determination of the suitability of particular substantive analytical procedures is influenced by the nature of the assertion and the auditor’s assessment of the risk of material misstatement. Paragraph .A8 of AU-C section 520 states that the effectiveness and efficiency of a substantive analytical procedure in addressing risks of material misstatement depends on, among other things, (a) the nature of the assertion, (b) the plausibility and predictability of the relationship, (c) the availability and reliability of the data used to develop the expectation, and (d) the precision of the expectation. For this reason, substantive analytical procedures alone are not well suited to detecting fraud. In addition, paragraph .A19 of AU-C section 520 notes that the auditor may consider testing the operating effectiveness of controls, if any, over the entity’s preparation of information used by the auditor in performing the substantive analytical procedures in response to assessed risks. When such controls are effective, the auditor may have greater confidence in the reliability of the information and, therefore, in the results of analytical procedures. The operating effectiveness of controls over nonfinancial information may often be tested in conjunction with other tests of controls.
5.97 Paragraph .08 of AU-C section 520 states that when substantive analytical procedures have been performed, the auditor should include in the audit documentation the following:
5.98 Paragraph .28 of AU-C section 330 states the auditor should conclude whether sufficient appropriate audit evidence has been obtained. In forming a conclusion, the auditor should consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the relevant assertions in the financial statements.
5.99 Based on the results of substantive procedures, the auditor may identify misstatements in accounts or notes to the financial statements. AU-C section 450 addresses the auditor’s responsibility to evaluate the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements. Paragraphs .05–.12 of AU-C section 450 address specific requirements the auditor should perform in relation to accumulation of identified misstatements, consideration of identified misstatements as the audit progresses, communication and correction of misstatements, evaluating the effect of uncorrected misstatements,21 and documentation.
5.100 The circumstances related to some misstatements may cause the auditor to evaluate them as material, individually or when considered together with other misstatements accumulated during the audit, even if they are below the materiality threshold for the financial statements as a whole. For example, a loan made to a related party of an otherwise immaterial amount could be material if there is a reasonable possibility that it could lead to a material contingent liability or a material loss of revenue. Paragraph .A23 of AU-C section 450 provides circumstances that the auditor may consider relevant in determining whether misstatements are material.
5.101 AU-C section 700 addresses the auditor’s responsibility in forming an opinion on the financial statements based on the evaluation of the audit evidence obtained. The auditor’s conclusion, required by AU-C section 700, takes into account the auditor’s evaluation of uncorrected misstatements, if any, on the financial statements, in accordance with AU-C section 450.
5.102 AU-C section 230, Audit Documentation (AICPA, Professional Standards), addresses the auditor’s responsibility to prepare audit documentation for an audit of financial statements. The exhibit, "Audit Documentation Requirements in Other AU-C Sections," (see paragraph .A30 of AU-C section 230) lists other AU-C sections that contain specific documentation requirements and guidance. The specific documentation requirements of other AU-C sections do not limit the application of AU-C section 230. Law, regulation, or other standards may establish additional documentation requirements.
5.103 Paragraph .02 of AU-C section 230 states that audit documentation that meets the requirements of AU-C section 230 and the specific documentation requirements of other relevant AU-C sections provides
5.104 For purposes of GAAS, audit documentation, as defined in paragraph .06 of AU-C section 230, is the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached (terms such as working papers or workpapers are also sometimes used).
5.105 Paragraph .07 of AU-C section 230 states that the auditor should prepare audit documentation on a timely basis. Paragraph .A3 of AU-C section 230 further explains that preparing sufficient and appropriate audit documentation on a timely basis throughout the audit helps to enhance the quality of the audit and facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditor’s report is finalized. Documentation prepared at the time such work is performed or shortly thereafter is likely to be more accurate than documentation prepared at a much later time.23
5.106 Paragraphs .08–.12 of AU-C section 230 address the auditor’s responsibilities regarding documentation of the audit procedures performed and audit evidence obtained including form, content, and extent of audit documentation. In accordance with paragraph .08 of AU-C section 230, the auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand
As stated in paragraph .A5 of AU-C section 230, examples of audit documentation include audit plans, analyses, issues memorandums, summaries of significant findings or issues, letters of confirmation and representation, checklists, and correspondence (including e-mail) concerning significant findings or issues.
5.107 For audit procedures related to the inspection of significant contracts or agreements, paragraph .10 of AU-C section 230 states that the auditor should include abstracts or copies of those contracts or agreements in the audit documentation.
5.108 In addition to the requirements discussed previously, paragraphs .13–.14 of AU-C section 230 address further documentation requirements about departures from relevant requirements and matters arising after the date of the auditor’s report.
5.109 Paragraphs .15–.19 of AU-C section 230 address an auditor’s responsibilities regarding assembly and retention of the final audit file. Paragraph .16 of AU-C section 230 states that the auditor should assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis, no later than 60 days following the report release date. After the documentation completion date, paragraph .17 of AU-C section 230 prohibits the auditor from deleting or discarding audit documentation of any nature before the end of the specified retention period. If it is necessary to modify existing audit documentation or add new audit documentation after the documentation date, paragraph .18 of AU-C section 230 requires the auditor to document the specific reasons for making the changes and when and by whom the changes were made and reviewed.
5.110 AU-C section 620, Using the Work of an Auditor’s Specialist (AICPA, Professional Standards), addresses the auditor’s responsibilities relating to the work of an individual or organization possessing expertise in a field other than accounting or auditing when that work is used to assist the auditor in obtaining sufficient appropriate audit evidence (defined as an auditor’s specialist for purposes of GAAS). An auditor’s specialist may be either an internal specialist (who is a partner or staff, including temporary staff, of the auditor’s firm or a network firm) or an external specialist.
5.111 AU-C section 620 does not address
5.112 In accordance with AU-C section 620, the objectives of the auditor are (a) to determine whether to use the work of an auditor’s specialist and (b) if using the work of an auditor’s specialist, to determine whether that work is adequate for the auditor’s purposes. In reaching these objectives, the auditor should
5.113 Paragraph .09 of AU-C section 620 states that the auditor should evaluate whether the auditor’s specialist has the necessary competence, capabilities, and objectivity for the auditor’s purposes.
5.114 AU-C section 620 does not preclude the auditor from using a specialist who has a relationship with the client, including situations where the client has the ability to directly or indirectly control or significantly influence the specialist. However, paragraph .09 of AU-C section 620 states that, in the case of an auditor’s external specialist, the evaluation of objectivity should include inquiry regarding interests and relationships that may create a threat to the objectivity of the auditor’s specialist. If the auditor believes that a relationship between the entity and the auditor’s specialist might impair the objectivity of the auditor’s specialist, paragraph .A22 of AU-C section 620 states that the auditor may perform additional procedures with respect to some or all of the assumptions, methods, or findings of the auditor’s specialist to determine that the findings are reasonable or may engage another specialist for that purpose.
5.115 Paragraph .10 of AU-C section 620 states that the auditor should obtain a sufficient understanding of the field of expertise of the auditor’s specialist to enable the auditor to
5.116 AU-C section 500 addresses the auditor’s use of the work of an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements (defined as a management’s specialist).
5.117 Information regarding the competence, capabilities, and objectivity of a management’s specialist may come from a variety of sources, such as knowledge of that specialist’s qualifications, membership in a professional body or industry association, license to practice, or other forms of external recognition (a listing of additional sources is addressed in paragraph .A39 of AU-C section 500). For example, if the auditor is using an appraisal of commercial real estate values in connection with the audit of financial statements, he or she should evaluate the appraiser's professional qualifications and his or her experience with commercial real estate. Further application and explanatory material regarding the reliability of information produced by a management’s specialist is addressed in paragraphs .A35–.A49 of AU-C section 500.
5.118 In a number of cases, the specialist's work may have been prepared for another purpose (such as an appraiser's report prepared for a loan origination). If information to be used as audit evidence has been prepared using the work of a management’s specialist, paragraph .08 of AU-C section 500 states that the auditor should, to the extent necessary, taking into account the significance of that specialist’s work for the auditor’s purposes,
Furthermore, paragraph .17 of Interpretation No. 1, "The Use of Legal Interpretations As Audit Evidence to Support Management’s Assertion That a Transfer of Financial Assets Has Met the Isolation Criterion in Paragraphs 7–14 of Financial Accounting Standards Board Accounting Standards Codification 860-10-40" (AICPA, Professional Standards, AU-C sec. 9620 par. .01–.21), of AU-C section 620 states that, in some cases, the auditor may decide it necessary to contact the specialist to determine that the specialist is aware that his or her work will be used for evaluating the assertions in the financial statements.
5.119 The Audit Issues Task Force of the Auditing Standards Board issued Interpretation No. 1 of AU-C section 620.27 The guidance relates to examples of legal opinions that auditors will need to obtain and review with regard to transfers of financial assets by banks subject to receivership or conservatorship under provisions of the Federal Deposit Insurance Act (FDI Act). This interpretation is for auditing procedures related to transfers of financial assets that are accounted for under FASB ASC 860, Transfers and Servicing.
5.120 AU-C section 402 addresses the user auditor’s responsibility for obtaining sufficient appropriate audit evidence in an audit of the financial statements of a user entity that uses one or more service organizations (for example, using a mortgage banker to service mortgages). Specifically, it expands on how the user auditor applies AU-C sections 315 and 330 in obtaining an understanding of the user entity, including internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks.
5.121 Paragraphs .03–.05 of AU-C section 402 state that services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:
The nature and extent of work to be performed by the user auditor regarding the services provided by a service organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.
5.122 AU-C section 402 does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability). In addition, AU-C section 402 does not apply to the audit of transactions arising from an entity that holds a proprietary financial interest in another entity, such as a partnership, corporation, or joint venture, when the partnership, corporation, or joint venture performs no processing on behalf of the entity.
5.123 AU-C section 240 addresses the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how AU-C sections 315 and 330 are to be applied regarding risks of material misstatement due to fraud.
5.124 Although fraud is a broad legal concept, for the purposes of GAAS, the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. In accordance with paragraph .03 of AU-C section 240, two types of intentional misstatements are relevant to the auditor:
Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred.
5.125 Paragraph .A1 of AU-C section 240 states that fraud, whether fraudulent financial reporting or misappropriation of assets, involves incentive or pressure to commit fraud, a perceived opportunity to do so, and some rationalization of the act.
5.126 Consistent with paragraph .15 of AU-C section 200, paragraph .12 of AU-C section 240 states that the auditor should maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance.
5.127 Paragraphs .A9–.A10 of AU-C section 240 state that maintaining professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud may exist. It includes considering the reliability of the information to be used as audit evidence and the controls over its preparation and maintenance when relevant. Although the auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance, the auditor’s professional skepticism is particularly important in considering the risk of material misstatement due to fraud because there may have been changes in circumstances.
5.128 When responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), paragraph .14 of AU-C section 240 states that the auditor should further investigate the inconsistencies or unsatisfactory responses.
5.129 AU-C section 315 requires a discussion among the key engagement team members (see detailed discussion at paragraph 5.31). Paragraph .15 of AU-C section 240 states this discussion should include an exchange of ideas or brainstorming among the engagement team members about how and where the entity’s financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. The discussion should occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity, and should, in particular, also address
Communication among the engagement team members about the risks of material misstatement due to fraud should continue throughout the audit, particularly upon discovery of new facts during the audit.
5.130 Paragraph .A12 of AU-C section 240 states that discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud with the engagement team
5.131 In addition, paragraph .A13 of AU-C section 240 states the discussion may include the following matters:
A number of factors may influence the extent of the discussion and how it may occur. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor in planning the discussions is whether to include specialists assigned to the audit team.
5.132 Exhibit 5-1, "Fraud Risk Factors," which appears at the end of this chapter, contains a list of fraud risk factors that auditors may consider as part of their planning and audit procedures. The purpose is for audit team members to communicate and share information obtained throughout the audit that may affect the assessment of the risks of material misstatement due to fraud or error or the audit procedures performed to address the risks.
5.133 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity’s internal control, required by AU-C section 315, paragraph .16 of AU-C section 240 states that the auditor should perform the procedures in paragraphs .17–.24 of AU-C section 240 to obtain information for use in identifying the risk of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures:
5.134 As indicated in paragraph 5.133e, the auditor may identify events or conditions that indicate incentives and pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes and rationalizations to justify a fraudulent action. Such events or conditions are referred to as fraud risk factors. Although fraud risk factors may not necessarily indicate the existence of fraud, paragraph .24 of AU-C section 240 states that they have often been present in circumstances in which frauds have occurred and, therefore, may indicate risks of material misstatement due to fraud.
5.135 Paragraph .A31 of AU-C section 240 states that the size, complexity, and ownership characteristics of the entity have a significant influence on the consideration of relevant fraud risk factors. Additional fraud risk factor considerations on large and smaller, less complex entities can be found in paragraphs .A31–.A32 of AU-C section 240.
5.136 Appendix A, "Examples of Fraud Risk Factors," of AU-C section 240 identifies examples of fraud risk factors that may be faced by auditors in a broad range of situations. Exhibit 5-1 at the end of this chapter contains a list of fraud risk factors specific to financial institutions. Remember that fraud risk factors are only one of several sources of information an auditor considers when identifying and assessing risks of material misstatement due to fraud.
5.137 In accordance with AU-C section 315, paragraph .25 of AU-C section 240 states that the auditor should identify and assess the risks of material misstatement due to fraud at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.29 The auditor’s risk assessment should be ongoing throughout the audit, following the initial assessment.
5.138 Paragraph .26 of AU-C section 240 states that when identifying and assessing the risks of material misstatement due to fraud, the auditor should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. Paragraph .46 of AU-C section 240 specifies the documentation required when the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (See paragraphs .A33–.A35 of AU-C section 240 for application guidance of fraud risks in revenue recognition.30)
Considerations for Audits Performed in Accordance With PCAOB Standards31
PCAOB Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.12), highlights certain requirements of PCAOB standards relating to aspects of auditing revenue in which significant auditing deficiencies have been frequently observed by PCAOB Inspections staff. More specifically, the alert addresses, among other topics, responding to the risks of material misstatement due to fraud associated with revenue.
5.139 Paragraph .27 of AU-C section 240 states that the auditor should treat those assessed risks of material misstatement due to fraud as significant risks and, accordingly, to the extent not already done so, the auditor should obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, including the evaluation of whether such controls have been suitably designed and implemented to mitigate such fraud risks. (See paragraphs .A36–.A37 of AU-C section 240 for application guidance on identifying and assessing the risks of material misstatement due to fraud and understanding the entity’s related controls.)
5.140 In accordance with AU-C section 330, paragraphs .28–.29 of AU-C section 240 state that the auditor should determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. Accordingly, the auditor should
See paragraphs .A38–.A42 of AU-C section 240 for additional application guidance on overall responses to the assessed risks of material misstatement due to fraud.
5.141 In accordance with AU-C section 300, paragraph .30 of AU-C section 240 states that the auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level. (See paragraphs .A43–.A46 for further application guidance.)
5.142 Even if specific risks of material misstatement due to fraud are not identified by the auditor, paragraph .32 of AU-C section 240 states that a possibility exists that management override of controls could occur. Accordingly, the auditor should address the risk of management override of controls apart from any conclusions regarding the existence of more specifically identifiable risks by designing and performing audit procedures to
5.143 Other audit procedures. Paragraph .33 of AU-C section 240 states that the auditor should determine whether, in order to respond to the identified risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specifically referred to previously (that is, when specific additional risks of management override exist that are not covered as part of the procedures performed to address the requirements in paragraph .32 of AU-C section 240).
5.144 Paragraphs .34–.37 and .A56–.A62 of AU-C section 240 provide requirements and application guidance for evaluating audit evidence. As stated in paragraph .34 of AU-C section 240, the auditor should evaluate, at or near the end of the audit, whether the accumulated results of auditing procedures, including analytical procedures, that were performed as substantive tests or when forming an overall conclusion, affect the assessment of the risks of material misstatement due to fraud made earlier in the audit or indicate a previously unrecognized risk of material misstatement due to fraud.
5.145 Paragraph .35 of AU-C section 240 states that, if the auditor identifies a misstatement, the auditor should evaluate whether such a misstatement is indicative of fraud. If such an indication exists, the auditor should evaluate the implications of the misstatement with regard to other aspects of the audit, particularly the auditor's evaluation of materiality, management and employee integrity, and the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence. Furthermore, paragraph .36 of AU-C section 240 states that, if the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is, or may be, the result of fraud and that management (in particular, senior management) is involved, the auditor should reevaluate the assessment of the risks of material misstatement due to fraud and its resulting effect on the nature, timing, and extent of audit procedures to respond to the assessed risks. The auditor should also consider whether circumstances or conditions indicate possible collusion involving employees, management, or third parties when reconsidering the reliability of evidence previously obtained.
5.146 Paragraph .A60 of AU-C section 240 states that the implications of identified fraud depend on the circumstances. For example, an otherwise insignificant fraud may be significant if it involves senior management. In such circumstances, the reliability of evidence previously obtained may be called into question because there may be doubts about the completeness and truthfulness of representations made and genuineness of accounting records and documentation. There may also be a possibility of collusion involving employees, management, or third parties.
5.147 Paragraph .37 of AU-C section 240 states that if the auditor concludes that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the auditor should evaluate the implications for the audit. AU-C sections 450 and 700 address the evaluation and disposition of misstatements and the effect on the auditor’s opinion in the auditor’s report.
5.148 Paragraph .38 of AU-C section 240 states that, if, as a result of identified fraud or suspected fraud, the auditor encounters circumstances that bring into question the auditor’s ability to continue performing the audit, the auditor should
i. discuss with the appropriate level of management and those charged with governance the auditor’s withdrawal from the engagement and the reasons for the withdrawal, and
ii. determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities, the auditor’s withdrawal from the engagement and the reasons for the withdrawal.
Given the nature of the circumstances and the need to consider the legal requirements, paragraph .A65 of AU-C section 240 states that the auditor may consider it appropriate to seek legal advice when deciding whether to withdraw from an engagement and in determining an appropriate course of action, including the possibility of reporting to regulators or others.32 For additional application guidance, including examples of circumstances that may arise and bring into question the auditor’s ability to continue performing the audit, see paragraphs .A63–.A65 of AU-C section 240.
5.149 Paragraph .39 of AU-C section 240 states that, if the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor should communicate these matters on a timely basis to the appropriate level of management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. As stated in paragraph .A67 of AU-C section 240, this is true even if the matter might be considered inconsequential (for example, a minor defalcation by an employee at a low level in the entity's organization). Unless all of those charged with governance are involved in managing the entity, paragraphs .40–.41 of AU-C section 240 state that, if the auditor has identified or suspects fraud involving (a) management, (b) employees who have significant roles in internal control, or (c) others, when the fraud results in a material misstatement in the financial statements, the auditor should communicate these matters to those charged with governance on a timely basis. If the auditor suspects fraud involving management, the auditor should communicate these suspicions to those charged with governance and discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit. In addition, the auditor should communicate with those charged with governance any other matters related to fraud that are, in the auditor’s professional judgment, relevant to their responsibilities. See paragraphs .A68–.A71 of AU-C section 240 for further application guidance concerning communications with those charged with governance.
5.150 If the auditor has identified or suspects a fraud, paragraph .42 of AU-C section 240 states that the auditor should determine whether the auditor has a responsibility to report the occurrence or suspicion to a party outside the entity. Although the auditor’s professional duty to maintain the confidentiality of client information may preclude such reporting, the auditor’s legal responsibilities may override the duty of confidentiality in some circumstances.
5.151 Paragraphs .43–.46 of AU-C section 240 address requirements on certain items and events to be documented by the auditor in relation to assessed risks of material misstatement due to fraud.
5.152 AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements (AICPA, Professional Standards), addresses the auditor’s responsibility to consider laws and regulations in an audit of financial statements. However, it does not apply to other assurance engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws and regulations.33
5.153 In accordance with paragraph .03 of AU-C section 250, it is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial statements.
5.154 The requirements in AU-C section 250 are designed to assist the auditor in identifying material misstatement of the financial statements due to noncompliance with laws and regulations. However, paragraph .04 of AU-C section 250 recognizes that the auditor is not responsible for preventing noncompliance and cannot be expected to detect noncompliance with all laws and regulations. For purposes of discussion in AU-C section 250, the term noncompliance is defined as acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations.
5.155 The auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Because of the inherent limitations of an audit, an unavoidable risk exists that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS. In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for the reasons set forth in paragraph .05 of AU-C section 250. Paragraph .05 of AU-C section 250 further states that the further removed noncompliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of, or recognize, the noncompliance.
5.156 Paragraph .06 of AU-C section 250 distinguishes the auditor’s responsibilities regarding compliance with the following two categories of laws and regulations:
i. fundamental to the operating aspects of the business,
ii. fundamental to an entity’s ability to continue its business, or
iii. necessary for the entity to avoid material penalties
(for example, compliance with the terms of an operating license, regulatory solvency requirements, or environmental regulations); therefore, noncompliance with such laws and regulations may have a material effect on the financial statements (see paragraphs 5.158–.160).
5.157 Paragraph .A9 of AU-C section 250 states that certain laws and regulations are well established, known to the entity and within the entity’s industry or sector, and relevant to the entity’s financial statements. These laws and regulations generally are directly relevant to the determination of material amounts and disclosures in the financial statements and readily evident to the auditor. They could include those that relate to, for example
For such laws and regulations, paragraph .13 of AU-C section 250 states that the auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations (see paragraph 5.156a).
5.158 As discussed in paragraphs .A12–.A14 of AU-C section 250, certain other laws and regulations may need particular attention by the auditor because they have a fundamental effect on the operations of the entity. Noncompliance with laws and regulations that have a fundamental effect on the operations of the entity may cause the entity to cease operations or call into question the entity’s continuance as a going concern (for example, noncompliance with capital or investment requirements).
5.159 In addition, many laws and regulations relating principally to an institution's operating aspects do not directly affect the financial statements (their financial statement effect is indirect) and are not captured by the entity’s information systems relevant to financial reporting. Their indirect effect may result from the need to disclose a contingent liability because of the allegation or determination of identified or suspected noncompliance. Those other laws or regulations may include those related to securities trading, occupational safety and health, food and drug administration, environmental protection, equal employment opportunities, and price-fixing or other antitrust violations.
5.160 For these other such laws and regulations, paragraph .14 of AU-C section 250 states that the auditor should perform the following audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph 5.156b):
However, even when those procedures are performed, the auditor may not become aware of the existence of noncompliance unless there is evidence of noncompliance in the records, documents, or other information normally inspected in an audit of financial statements.
5.161 During the audit, paragraph .15 of AU-C section 250 states that the auditor should remain alert to the possibility that other audit procedures applied may bring instances of noncompliance or suspected noncompliance with laws and regulations to the auditor's attention. For example, paragraph .A17 of AU-C section 250 states that such audit procedures may include reading minutes; inquiring of the institution's management and in-house or external legal counsel concerning litigation, claims, and assessments; and performing substantive tests of details of classes of transactions, account balances, or disclosures.
5.162 Further discussion regarding audit procedures when noncompliance is identified or suspected, reporting of identified or suspected noncompliance, and documentation requirements can be found in paragraphs .17–.28 of AU-C section 250.
5.163 AU-C section 570A, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern (AICPA, Professional Standards), addresses the auditor’s responsibilities in an audit of financial statements with respect to evaluating whether there is substantial doubt about the entity’s ability to continue as a going concern. This section applies to all audits of financial statements, regardless of whether the financial statements are prepared in accordance with a general purpose or a special purpose framework. This section does not apply to an audit of financial statements based on the assumption of liquidation (for example, when [a] an entity is in the process of liquidation, [b] the owners have decided to commence dissolution or liquidation, or [c] legal proceedings, including bankruptcy, have reached a point at which dissolution or liquidation is probable). The auditor's evaluation of an institution's ability to continue as a going concern may be one of the most complex and important portions of the audit. This section describes the unique issues that an auditor may encounter in evaluating an institution's ability to continue as a going concern.
Considerations for Audits Performed in Accordance With PCAOB Standards
PCAOB Staff Audit Practice Alert No. 13, Matters Related to the Auditor’s Consideration of a Company’s Ability to Continue as a Going Concern (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.13), addresses the professional standards applicable to the auditor’s evaluation of a company’s ability to continue as a going concern in light of recent changes to GAAP. The alert specifically highlights that in addition to adhering to the existing requirements in the PCAOB’s interim auditing standard AS 2415, Consideration of an Entity’s Ability to Continue as a Going Concern (AICPA, PCAOB Standards and Related Rules), auditors should assess management’s going concern evaluation in accordance with the requirements of the applicable financial reporting framework.
5.164 Financial institutions operate in a highly regulated environment. As a result, laws and regulations can have a significant effect on their operations. The enactment of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 and the FDIC Improvement Act of 1991 dramatically changed the regulatory environment in the banking and thrift industries and imposed new regulatory capital requirements that are far more stringent than previous requirements. Chapter 1 of this guide includes a discussion of regulatory capital requirements for banks and savings institutions, and such requirements for credit unions are discussed in chapter 2 of this guide.
5.165 In accordance with paragraph .08 of AU-C section 570A, the auditor should evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period of time (defined in AU-C section 570A as a period of time not to exceed one year beyond the date of the financial statements being audited) based on the results of the audit procedures.
5.166 When the applicable financial reporting framework includes a definition of substantial doubt about an entity’s ability to continue as a going concern, Interpretation No. 1, “Definition of Substantial Doubt About an Entity’s Ability to Continue as a Going Concern” (AICPA, Professional Standards, AU-C sec. 9570A par. 01–.02), of AU-C section 570A states that definition would be used by the auditor when applying the requirements of AU-C section 570A. Interpretation No. 2, “Definition of Reasonable Period of Time” (AICPA, Professional Standards, AU-C sec. 9570A par. 03–.05), of AU-C section 570A provides guidance on how an auditor should apply the term reasonable period of time when the applicable financial reporting framework requires management to evaluate whether there are conditions and events that raise substantial doubt for a period of time greater than one year from the date of the financial statements. Specifically, Interpretation No. 2 states that the auditor’s assessment of management’s going concern evaluation would be for the same period of time as required by the applicable financial reporting framework.
5.167 As stated in paragraph .09 of AU-C section 570A, the auditor should consider whether the results of procedures performed during the course of the audit identify conditions and events that, when considered in the aggregate, indicate there could be substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time. The auditor should consider the need to obtain additional information about such conditions and events, as well as the appropriate audit evidence to support information that mitigates the auditor's doubt.
5.168 Paragraph .A1 of AU-C section 570A states that it is not necessary to design audit procedures solely to identify conditions or events that, when considered in the aggregate, indicate there could be substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time. The results of audit procedures designed and performed to identify and assess risk in accordance with AU-C section 315, gather audit evidence in response to assessed risks in accordance with AU-C section 330, and complete the audit are expected to be sufficient for that purpose. The following are examples of procedures normally performed in audits of the financial statements of financial institutions that may identify such conditions and events:
5.169 In performing such audit procedures as noted previously, paragraph .A2 of AU-C section 570A states that the auditor may identify information about certain conditions or events that, when considered in the aggregate, indicate there could be substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time. The significance of such conditions or events will depend on the circumstances, and some conditions or events may have significance only when viewed in conjunction with others. The following are examples of such conditions and events that may be encountered in audits of financial institutions:
5.170 If, after considering the identified conditions or events in the aggregate, the auditor believes that there is substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time, paragraph .10 of AU-C section 570A states that the auditor should obtain information about management's plans that are intended to mitigate the adverse effects of such conditions or events. The auditor should
5.171 When prospective financial information is particularly significant to management’s plans, paragraph .11 of AU-C section 570A states that the auditor should request management to provide that information and should consider the adequacy of support for significant assumptions underlying that information. The auditor should give particular attention to assumptions that are
The auditor’s consideration should be based on knowledge of the entity, its business, and its management and should include (a) reading the prospective financial information and the underlying assumptions and (b) comparing prospective financial information from prior periods with actual results and comparing prospective information for the current period with results achieved to date. If the auditor becomes aware of factors, the effects of which are not reflected in such prospective financial information, the auditor should discuss those factors with management and, if necessary, request revisions of the prospective financial information.
5.172 Paragraph .12 of AU-C section 570A states that when, after considering management's plans, the auditor concludes that there is substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time, the auditor should consider the possible effects on the financial statements and the adequacy of the related disclosures. In considering the adequacy of disclosure, paragraph .A4 of AU-C section 570A states that some of the information that might be disclosed includes the following:
5.173 When the auditor concludes, primarily because of the auditor’s consideration of management’s plans, that substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time has been alleviated, paragraph .13 of AU-C section 570A states that the auditor should consider the need for, and evaluate the adequacy of, disclosure of the principal conditions or events that initially caused the auditor to believe there was substantial doubt. The auditor’s consideration of disclosure should include the possible effects of such conditions and events, and any mitigating factors, including management's plans. The auditor may have to communicate with the regulator to assist with the auditor’s assessment. (Refer to chapter 1 of this guide for a discussion of necessary communications with regulators.) Chapter 23 of this guide includes an illustration of a report that includes such an emphasis-of-matter paragraph.
5.174 When the applicable financial reporting framework provides disclosure requirements related to management’s evaluation of substantial doubt, Interpretation No. 4, “Consideration of Financial Statement Effects” (AICPA, Professional Standards, AU-C sec. 9570A par. 09–.10), of AU-C section 570A states that the auditor’s assessment of the financial statement effects under AU-C section 570A would be based on the disclosure requirements of the applicable financial reporting framework.
5.175 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, paragraph .14 of AU-C section 570A states that the auditor should obtain written representations from management
5.176 Paragraphs .15–.16 of AU-C section 570A state that, if, after considering identified conditions and events and management's plans, the auditor concludes that substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time remains, the auditor should include an emphasis-of-matter paragraph in the auditor’s report to reflect that conclusion. The auditor’s conclusion about the entity’s ability to continue as a going concern should be expressed through the use of the phrase "substantial doubt about its (the entity’s) ability to continue as a going concern" or similar wording that includes the terms substantial doubt and going concern. In a going concern emphasis-of-matter paragraph, the auditor should not use conditional language in expressing a conclusion concerning the existence of substantial doubt about the entity’s ability to continue as a going concern. Paragraph .A6 of AU-C section 570A provides an illustration of a going-concern emphasis-of-matter paragraph.
5.177 The auditor's decision about whether modification of the standard report is appropriate may depend also on
5.178 Chapter 23 of this guide discusses circumstances in which the auditor might disclaim an opinion.
5.179 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the ability of the entity to continue as a going concern for a reasonable period of time, paragraph .22 of AU-C section 570A states that the auditor should document the following:
5.180 AU-C section 580, Written Representations (AICPA, Professional Standards), addresses the auditor’s responsibility to obtain written representations from management and, when appropriate, those charged with governance in an audit of financial statements.
5.181 According to paragraphs .03–.04 of AU-C section 580, written representations are necessary information that the auditor requires in connection with the audit of the entity’s financial statements. Accordingly, similar to responses to inquiries, written representations are audit evidence. Although written representations provide necessary audit evidence, they complement other auditing procedures and do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal. Furthermore, obtaining reliable written representations does not affect the nature or extent of other audit procedures that the auditor applies to obtain audit evidence about the fulfillment of management’s responsibilities or about specific assertions.
5.182 As explained in paragraph .A2 of AU-C section 580, written representations are requested from those with overall responsibility for financial and operating matters whom the auditor believes are responsible for, and knowledgeable about, directly or through others in the organization, the matters covered by the representations, including the preparation and fair presentation of the financial statements. As such, in accordance with paragraph .09 of AU-C section 580, the auditor should request written representations from management with appropriate responsibilities for the financial statements and knowledge of the matters concerned.
5.183 Paragraph .A2 of AU-C section 580 further states that those individuals with overall responsibility may vary depending on the governance structure of the entity; however, management (rather than those charged with governance) is often the responsible party. Written representations may therefore be requested from the entity’s chief executive officer and chief financial officer or other equivalent persons in entities that do not use such titles. In some circumstances, however, other parties, such as those charged with governance, also are responsible for the preparation and fair presentation of the financial statements.
5.184 Paragraphs .10–.18 of AU-C section 580 discuss matters about which the auditor should request management to provide written representations, such as preparation and fair presentation of the financial statements, information provided and completeness of transactions, fraud, laws and regulations, uncorrected misstatements, litigation and claims, estimates, related party transactions, and subsequent events. If, in addition to such required representations and those addressed in other AU-C sections, the auditor determines that it is necessary to obtain one or more written representations to support other audit evidence relevant to the financial statements or one or more specific assertions in the financial statements, paragraph .19 of AU-C section 580 states that the auditor should request such other written representations.
5.185 Additional representations specific to banks and savings institutions, credit unions, or both that may be obtained include the following:
— off-balance-sheet risk and
— individual or group concentrations of credit risk.
5.186 Paragraph .A22 of AU-C section 580 states that management's representations may be limited to matters that are considered either individually or collectively material to the financial statements, provided management and the auditor have reached an understanding on materiality for this purpose. Materiality may be different for different representations. A discussion of materiality may be included explicitly in the representation letter in either qualitative or quantitative terms. Materiality considerations do not apply to those representations that are not directly related to amounts included in the financial statements (for example, management’s representations about the premise underlying the audit). In addition, because of the possible effects of fraud on other aspects of the audit, materiality would not apply to management’s acknowledgment regarding its responsibility for the design, implementation, and maintenance of internal control to prevent and detect fraud.
5.187 Paragraph .20 of AU-C section 580 states that the date of the written representations should be as of the date of the auditor’s report on the financial statements. The written representations should be for all financial statements and period(s) referred to in the auditor’s report.
5.188 In accordance with paragraph .21 of AU-C section 580, the written representations should be in the form of a representation letter addressed to the auditor.
5.189 Paragraph .25 of AU-C section 580 states that the auditor should disclaim an opinion on the financial statements in accordance with AU-C section 705 or withdraw from the engagement if
5.190 An institution may publish various documents that contain information in addition to audited financial statements and the auditor's report thereon. AU-C section 720, Other Information in Documents Containing Audited Financial Statements (AICPA, Professional Standards), addresses the auditor’s responsibility with respect to other information in documents containing audited financial statements and the auditor’s report thereon. In the absence of any separate requirement in the particular circumstances of the engagement, the auditor’s opinion on the financial statements does not cover other information, and the auditor has no responsibility for determining whether such information is properly stated. This section establishes the requirement for the auditor to read the other information of which the auditor is aware because the credibility of the audited financial statements may be undermined by material inconsistencies between the audited financial statements and other information.
5.191 In some circumstances, an auditor submits to the client or others a document that contains information in addition to the client's basic financial statements and the auditor's report thereon. AU-C section 725, Supplementary Information in Relation to the Financial Statements as a Whole (AICPA, Professional Standards), addresses the auditor’s responsibility when engaged to report on whether supplementary information is fairly stated, in all material respects, in relation to the financial statements as a whole. The information covered by this section is presented outside the basic financial statements and is not considered necessary for the financial statements to be fairly presented in accordance with the applicable financial reporting framework. This section also may be applied, with the report wording adapted as necessary, when an auditor has been engaged to report on whether required supplementary information is fairly stated, in all material respects, in relation to the financial statements as a whole.
5.192 AU-C section 730, Required Supplementary Information (AICPA, Professional Standards), addresses the auditor’s responsibility with respect to information that a designated accounting standards setter requires to accompany an entity’s basic financial statements (hereinafter referred to as required supplementary information). In the absence of any separate requirement in the particular circumstances of the engagement, the auditor’s opinion on the basic financial statements does not cover required supplementary information.
5.193 FASB ASC 275-10-50-1 requires institutions to make disclosures in their financial statements about the risks and uncertainties existing as of the date of those statements in the following areas:
5.194 An illustration of the application of these disclosure requirements by a bank or savings institution follows:
Nature of operations. ABC Institution operates seven branches in rural and suburban communities in the United States Midwest. The Institution's primary source of revenue is providing loans to customers that are predominantly small and middle-market businesses and middle-income individuals.
Use of estimates in the preparation of financial statements. The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and that affect the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates.
5.195 The application of these disclosure requirements by a bank or savings institution is discussed and illustrated in the following paragraphs.
5.196 As explained in FASB ASC 275-10-50-7, disclosures are required regarding estimates used in the determination of the carrying amounts of assets or liabilities or in disclosure of gain or loss contingencies, as described herein. FASB ASC 275-10-50-8 goes on to state that disclosure regarding an estimate should be made when known information available before the financial statements are issued or are available to be issued (as discussed in FASB ASC 855-10-25) indicates that both of the following criteria are met:
5.197 In accordance with FASB ASC 275-10-50-9, the disclosure should indicate the nature of the uncertainty and include an indication that it is at least reasonably possible that a change in the estimate will occur in the near term. If the estimate involves a loss contingency covered by FASB ASC 450-20, the disclosure also should include an estimate of the possible loss or range of loss, or state that such an estimate cannot be made.
5.198 Following is an illustrative disclosure about the allowance for loan losses when no uncertainties meet the disclosure criteria established in FASB ASC 275-10-50-8 and FASB ASC 450-20-50-3.
Allowance for loan losses. The allowance for loan losses is established as losses are estimated to have occurred through a provision for loan losses charged to earnings. Loan losses are charged against the allowance when management believes the uncollectibility of a loan balance is confirmed. Subsequent recoveries, if any, are credited to the allowance.
The allowance for loan losses is evaluated on a regular basis by management and is based upon management’s periodic review of the collectibility of the loans in light of historical experience, the nature and volume of the loan portfolio, adverse situations that may affect the borrower’s ability to repay, estimated value of any underlying collateral, and prevailing economic conditions. This evaluation is inherently subjective as it relies on estimates that are susceptible to significant revision as more information becomes available.
5.199 The following illustrates a paragraph that might be added to the illustrative disclosure in paragraph 5.198 to disclose an uncertainty that meets the disclosure criteria of FASB ASC 275-10-50-8, is a loss contingency covered by FASB ASC 450-20, and affects the estimate of loan losses for only some portion of the institution's loan portfolio:
Three of the Institution's seven branches are in communities that were flooded in late 200X. These branches made loans to individuals and businesses affected by the flooding and the Institution considered the flood's effect in determining the adequacy of the allowance for loan losses. No estimate can be made of a range of amounts of loss that are reasonably possible with respect to that event.
5.200 The following illustrates a paragraph that might be added to the illustration in paragraph 5.198 to disclose an uncertainty that meets the disclosure criteria of FASB ASC 275-10-50-8 and is a loss contingency covered by FASB ASC 450-20:
The Institution lends primarily to individuals employed at ABC Air Force Base and businesses local to the base. On December 19, 20X3, the President of the United States ratified a plan that includes the closing of the base effective November 20X4. It is reasonably possible that a change in estimated loan losses will occur in the near term. No estimate can be made of a range of amounts of loss that are reasonably possible with respect to the base closing.
5.201 FASB ASC 275-10-50-15 gives examples of assets and liabilities and related revenues and expenses, and of disclosure of gain or loss contingencies included in financial statements that, based on facts and circumstances existing at the date of the financial statements, may be based on estimates that are particularly sensitive to change in the near term.
5.202 Besides valuation allowances for loans, examples of similar estimates often included in banks', savings institutions', and credit unions’ financial statements include the following:
5.203 For example, during 20X5, DEF Bank evaluated the profitability of its branch operations. DEF Bank determined that it will significantly change the extent or manner in which it uses a group of long-lived assets related to six of its branches. In applying FASB ASC 360, Property, Plant, and Equipment, DEF Bank determined that the sum of the estimated future cash flows (cash inflows less associated cash outflows) that are directly associated with and that are expected to arise as a direct result of the use and eventual disposition of the asset group, excluding interest charges, exceeds the carrying amount of the long-lived asset group. In addition, the carrying amount of the asset group does not exceed its fair value. Thus, an impairment loss has not been recognized under FASB ASC 360. The significant change in the extent or manner in which the assets are used, however, indicates that the estimate associated with the carrying amounts of those assets may be particularly sensitive in the near term. Following is an illustrative disclosure:
Management of DEF Bank has reevaluated and will significantly change its use of a group of long-lived assets associated with six of its branches. It is reasonably possible that the Bank's estimate of the carrying amounts of these assets will change in the near term. No estimate can be made of a range of amounts of loss that are reasonably possible.
5.204 FASB ASC 275-10-50-16 requires institutions to disclose the concentrations described in FASB ASC 275-10-50-18 if, based on information known to management before the financial statements are issued or are available to be issued (as discussed in FASB ASC 855-10-25), all of the following criteria are met:
5.205 FASB ASC 275, Risks and Uncertainties, does not address concentrations of financial instruments. However, as discussed in chapter 7, chapter 8, "Loans," and chapter 18 of this guide, and elsewhere in this guide, FASB ASC 825, Financial Instruments, includes the disclosure provisions about concentrations of credit risk.
5.206 The following concentrations described in FASB ASC 275-10-50-18 require disclosure if they meet the criteria of FASB ASC 275-10-50-16:
5.207 Examples of concentrations that may fall in one or more of these categories and that may exist at certain financial institutions include
5.208 For example, assume a significant portion of GHI Institution's net income is from sales of originated loans. In 20X5, GHI Institution originated $800 million of loans. GHI Institution sold the loans and servicing rights to a substantial portion of these loans to a single servicer, TCB. TCB has historically purchased a substantial portion of the loans and servicing originated by GHI Institution. Following is an illustrative disclosure:
A substantial portion of GHI Institution's loan and loan-servicing-right originations is sold to a single servicer.
5.209 Assume a significant portion of JKL Bank's revenues is from the origination of loans guaranteed by the Small Business Administration under its Section 7 program and sale of the guaranteed portions of those loans. Funding for the Section 7 program depends on annual appropriations by the U.S. Congress. The customer base for this lending specialization and the resulting profits depend on the continuation of the program. Following is an illustrative disclosure:
A substantial portion of JKL Bank's revenues is from origination of loans guaranteed by the Small Business Administration under its Section 7 program and sale of the guaranteed portions of those loans. Funding for the Section 7 program depends on annual appropriations by the U.S. Congress.
5.210 FASB ASC 280-10 provides guidance to public entities on how to report certain information about operating segments in complete sets of financial statements of the public entity and in condensed financial statements of interim periods issued to shareholders. Refer to FASB ASC 280, Segment Reporting, for further discussion and detail regarding segment reporting requirements.
5.211 Per the FASB ASC glossary, a public entity is defined as a business entity or a not-for-profit entity that meets any of the following conditions:
5.212 Laws and their implementing regulations affect the areas and ways in which certain financial institutions operate while creating standards with which those institutions must comply. Some laws and regulations directly address the responsibilities of auditors.
5.213 The primary objective of this section is to explain why and how auditors might consider regulatory matters in the audits of certain financial institutions. This chapter also addresses the overall regulatory approach and environment, and the relative responsibilities of those institutions, examiners, and auditors. Considerations auditors might give to specific areas of regulation are highlighted in subsequent chapters.
5.214 Auditors might consider the effect regulations have on various engagements:
5.215 Paragraph .12 of AU-C section 315 indicates that auditors should obtain an understanding of relevant regulatory factors, including the applicable financial reporting framework. In that regard, it is helpful for auditors to be familiar with the nature and purpose of regulatory examinations—including the differences and relationship between examinations and financial statement audits.
5.216 Finally, an understanding of the regulatory environment in which these institutions operate is necessary to complement the auditor's knowledge of existing regulatory requirements. Because the regulatory environment is continually changing, the auditor might consider monitoring relevant regulatory changes and consider their implications in the audit process.
5.217 One primary objective of regulation is to maintain the strength of the financial system, in turn, promoting and enforcing the public role of certain financial institutions as financial intermediaries, protecting depositors, and preserving funds for federal deposit insurance. Regulations are generally associated with one or more of the following objectives: capital adequacy, asset quality, management competence, earnings, liquidity, and sensitivity to market risk.
5.218 Many laws and areas of regulation address the public role of certain financial institutions. For example, laws and regulations exist to ensure the availability of credit to all creditworthy applicants without discrimination and to satisfy the credit needs of low- and moderate-income neighborhoods in institutions' local communities.
5.219 Other regulations directly address these institutions' operations and, therefore, have broader financial implications. For example, rules exist that restrict the acceptance and renewal of brokered deposits based on a bank or savings institution's level of capitalization.
5.220 In addition to the specific regulatory matters outlined in subsequent chapters, the three aspects of the regulatory process that are particularly important to auditors are rule making, examinations, and enforcement.
5.221 Regulations are created by the agencies based on their ongoing authority or as specifically mandated by legislation. Proposed rules and regulations are generally published for comment in the Federal Register, a daily publication of the federal government. Final rules also appear in the Federal Register and are codified in Title 12, Banks and Banking, of U.S. CFR. The Federal Register may be accessed at the Government Printing Office website. The rules applicable to a given institution depend on the institution's charter and other factors, such as whether it is federally insured and whether it is a member of the Federal Reserve System. Institutions are informed of new rules, policies, and guidance through publications of the agencies.
5.222 Discussions of specific regulatory matters found throughout this guide should not be substituted for a complete reading of related regulations, rulings, or other documents where appropriate. It is important for auditors to keep apprised of recent changes in regulations, as the regulatory environment is constantly changing.
5.223 As used in this guide, the term audit refers to an audit performed by an auditor for the purpose of expressing an opinion on an institution’s financial statements, unless the context in which the term is used clearly indicates that the reference is to an internal audit. The term examination generally refers to an examination made by a regulatory authority. There are several types of regulatory examinations, including a Safety and Soundness Examination, an Information Systems Examination, a Trust Examination and a Compliance Examination. These examinations may be combined or performed separately. The purpose of the regulatory examination is to determine the safety and soundness of an institution. The term examiner as used in this guide means those individuals—acting on behalf of a regulatory agency—responsible for supervising the performance or preparation of reports of examination and, when appropriate, supervisory personnel at the district and national level.
5.224 Federally insured financial institutions are required to have periodic full-scope, on-site examinations by the appropriate agency. In some cases, the OCC and the Federal Reserve will perform off-site examinations. In certain cases, an examination by a state regulatory agency is accepted. Full-scope and other examinations are intended primarily to provide early identification of problems at insured institutions rather than as a basis for expressing an opinion on fair presentation of an institution's financial statements.
5.225 The scope of an examination is generally unique to each institution based on risk factors assessed by the examiner; however, general areas that might be covered include the following:
5.226 Examinations are sometimes targeted to a specific area of operations. Separate compliance examination programs also exist to address institutions' compliance with laws and regulations in areas such as consumer protection, insider transactions, and reporting under the Bank Secrecy and USA Patriot Acts.
5.227 An examination generally begins with a review of various background material and information, including practices, policies or procedures established by an institution. The examiner compares these practices, policies, or procedures to regulatory and supervisory requirements and assesses the institution's adherence to sound fundamental principles in its day-to-day operations. Any additional detailed procedures considered necessary are then applied. A written report of procedures and findings is then prepared by the examiner. The relationship between the work of the examiner and that of the auditor is further discussed in the following paragraph.
5.228 Results of examinations are also used in assigning the institution a rating under regulatory rating systems. The FFIEC has adopted the Uniform Financial Institutions Rating System, which bases an institution's composite CAMELS rating on component factors addressing capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Further, the Federal Reserve assigns BOPEC ratings (the name stands for the five key areas of supervisory concern: the condition of the BHC's bank subsidiaries, other nonbank subsidiaries, parent company, earnings, and capital adequacy) to bank holding companies based on consideration of the bank's CAMELS rating, operation of significant nonbanking subsidiaries, the parent's strength and operations, earnings of the banking organization, and capital of the banking organization. Both systems involve a five-point rating scale, with one being the highest possible rating.
5.229 Regulatory enforcement is sometimes carried out through a written agreement between the regulator and the institution—ranging from the least severe commitment letter to a cease-and-desist order. Among other actions that can be taken, the agencies may enforce regulations by
5.230 The examination focus has shifted from complete reliance on transaction testing to an assessment of risks and each of the agencies has issued guidance on "supervision by risk," under which examiners identify the risks a bank faces and evaluate how the institution manages those risks. Derivative activities (including the use of credit derivatives), as well as bank trading activities, have also received increased scrutiny. In addition, recent losses involving fraud have led to a reemphasis on the identification of significant internal control weaknesses and other potential indicators of fraud.
5.231 Further, insured financial institutions may be subject to other mandatory and discretionary actions taken by regulators under prompt corrective action (PCA) provisions of the FDI Act and the Federal Credit Union Act (FCUA). As described in chapters 1 and 2 of this guide, possible actions range from the restriction or prohibition of certain activities to appointment of a receiver or conservator of the institution's net assets.
5.232 Many enforcement actions—such as civil money penalties—apply not only to an insured financial institution but also to a broader class of institution-affiliated parties, which could include auditors. For example, regulatory agencies may assess civil money penalties of up to $1 million per day against an institution or institution-affiliated party that violates a written agreement or any condition imposed in writing by the agency, breaches a fiduciary duty, or engages in unsafe or unsound practices. Because the term unsafe or unsound is not defined in any law or regulation, the potential liability of institution-affiliated parties is great.
5.233 The FDI Act also authorizes the agencies that regulate banks and savings institutions—on a showing of good cause—to remove, suspend, or bar an auditor from performing engagements required under the FDI Act.
5.234 Due to the passage of the Credit Union Membership Access Act of 1998, the NCUA adopted stiffer net worth requirements and PCA regulations. Practitioners should understand these regulations and their effect on the credit union.
5.235 The NCUA is required to publicly disclose formal and informal enforcement orders and any modifications to or terminations of such orders. Publication may be delayed for a reasonable time if disclosure would seriously threaten the safety or soundness of the credit union.
5.236 Currently, federal and most state credit union regulators use a letter of understanding and agreement or similar contractual arrangement to formalize the negotiated agreement between the regulatory agency or agencies (the regional director represents the NCUA) and the credit union's board of directors concerning problems, the actions to be taken, and the timetable for completing each action. In dealing with a state-chartered, non-National Credit Union Share Insurance Fund–insured credit union, the state regulator will usually involve the appropriate state or private insurer.
5.237 AU-C section 315 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control. The auditor should obtain knowledge about regulatory matters and developments as part of the understanding of an institution's business. The auditor might also consider the results of regulatory examinations, as discussed previously.
5.238 AU-C section 240 addresses the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how AU-C sections 315 and 330 are to be applied regarding risks of material misstatement due to fraud. Noncompliance with laws and regulations (for example, noncompliance with regulatory capital requirements) is one indicator of higher risk that is especially relevant in the industry. Events of noncompliance are often described in
5.239 In accordance with paragraph .A10 of AU-C section 250, the auditor’s responsibility regarding misstatements resulting from noncompliance with laws and regulations having a direct effect on the determination of material amounts and disclosures in the financial statements is the same as that for misstatements caused by fraud or error. For purposes of AU-C section 250, noncompliance is defined as acts of omission or commission by the entity either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management, or employees of the entity.
5.240 Management's financial statement assertions include those about the completeness, presentation, and disclosure of liabilities. Because some areas of regulation relate more to operations than to financial reporting or accounting, consideration of compliance in those areas would normally be limited to the evaluation of disclosures of any contingent liability based on alleged or actual violation of the law.
5.241 Paragraphs 5.163–.179 address going-concern considerations. In addition to the matters discussed in those paragraphs, the auditor's consideration might include regulatory matters such as the following:
5.242 For example, regulatory changes in 1992 placed new restrictions on the acceptance of brokered deposits by certain banks and savings institutions. This change had two implications. First, it potentially limited sources of liquidity and created a compliance requirement. An auditor auditing the financial statements of an institution subject to those restrictions would have needed to evaluate whether the effect on the institution's liquidity, when considered with other factors, raised substantial doubt about the institution's ability to remain a going concern for a reasonable period of time. The auditor would also have needed to consider the financial statement effects of any known event of noncompliance with the requirement itself. Examples of other events or conditions that would warrant the auditor's consideration include
5.243 General purpose financial statements are prepared in accordance with GAAP. Every national bank and savings and loan association, state member bank and state chartered savings and loan association, and insured state nonmember bank is required to file FFIEC Call Reports. Every federally insured credit union is required to file the NCUA 5300 Call Report. Call Reports (for example, FFIEC and NCUA) present an institution’s financial condition and results of operations on a consolidated basis in accordance with GAAP. These reports are used by regulators as a basis for supervisory action, a source of statistical information, and other such purposes. In 1997, the banking regulators adopted instructions for these reports that follow GAAP.
5.244 FDI Act Section 37(a)(2) requires that reports and other regulatory filings for banks and savings institutions follow accounting principles that are uniform and consistent with GAAP. Regulatory reporting topics noted herein are consistent with acceptable practices under GAAP. The Call Report instructions explain certain specific reporting guidance in greater detail. Information may often be found in the appropriate entries in the "Glossary" section of the Call Report or, in more detail, in the GAAP standards. Financial institutions are encouraged to discuss specific events and transactions not covered by GAAP or the guidance in the regulatory report instructions with their primary supervisory agency for more technical detail on the application of the GAAP accounting standards.
5.245 Appendix B, "Regulatory Reporting Matters—Interpretation and Reporting Related to U.S. GAAP," of this guide serves as an aid in specific selected areas and is not intended to be a comprehensive discussion of the principles of bank accounting or reporting.
5.246 For financial institutions, the allowance for loan and lease losses (ALLL) is an area that requires judgment and is a focus of auditors and examiners. At the same time, the Interagency Policy Statement on the Allowance for Loan and Lease Losses, dated December 13, 2006, emphasizes that the ALLL should be consistent with GAAP. This policy statement reminds institutions that the ALLL generally should not be based solely on a "standard percentage" of loans. To that end, the policy statement no longer references standardized loss estimates for classified loans. Banks should review the entry allowance for loan and lease losses in the “Glossary” section of the FFIEC’s Instructions for Preparation of Consolidated Reports of Condition and Income, and the interagency policy statement on the ALLL.
5.247 Bank examiners will review the reasonableness of the range and management’s best estimate within the range. The agencies find that an ALLL established in accordance with the December 13, 2006, Interagency Policy Statement on the Allowance for Loan and Lease Losses and the Interagency Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions, issued July 2001 (2001 Policy Statement) as applicable, falls within the range of acceptable estimates determined in accordance with GAAP. The guidance in the 2001 Policy Statement was substantially adopted by the NCUA through its Interpretive Ruling and Policy Statement 02-3, Allowance for Loan and Lease Losses Methodologies and Documentation for Federally-Insured Credit Unions, in May 2002.
5.248 Banking regulators conduct periodic on-site examinations to address broader regulatory and supervisory issues. There are some objectives shared by examiners and auditors, and coordination in consultation with the institution may be beneficial.
5.249 The primary objective of communicating with examiners is to ensure that auditors consider competent audit evidence produced by examiners before expressing an opinion on audited financial statements. In areas such as the adequacy of credit loss allowances and violations of laws or regulations, for example, information known to or judgments made by examiners generally should be made known to management and the auditor before financial statements are issued or an audit opinion is rendered. Such communication will minimize the possibility that a regulatory agency will subsequently require restatement—based on the examiner's additional knowledge or different judgment—of Call Reports and affect the general purpose financial statements, on which the auditor has already expressed an opinion, dated during or subsequent to the period in which a regulatory examination was being conducted.
5.250 FDI Act Section 36(h) requires that each bank and savings institution provide its auditor with copies of the institution's most recent Call Report and examination report (see 12 CFR 363). According to regulations, the institution must also provide the auditor with any of the following documents related to the period covered by the engagement:
5.251 The auditor might consider reviewing communications from examiners and, when appropriate, make inquiries of examiners. Specifically, the auditor could
5.252 The auditor's attendance at other meetings between examiners and representatives of the institution is based on prior approval by the regulatory agency.
5.253 Auditors may request a meeting with the appropriate regulatory representatives to inquire about supervisory matters relevant to the client institution. The management of the institution would generally be present at such a meeting, and matters discussed would generally be limited to findings already presented to management. Federal regulatory policy also permits meetings between examiners and auditors in the absence of the institution's management.
5.254 Management refusal to furnish access to reports or correspondence, or to permit the auditor to communicate with the examiner, would ordinarily be a limitation on the scope of a financial statement audit sufficient to preclude an opinion. Refusal by an examiner to communicate with the auditor may create the same scope limitation, depending on the auditor's assessment of the circumstances. AU-C section 705 addresses how the form and content of the auditor’s report is affected when the auditor expresses a modified opinion in the auditor’s report. (For a detailed discussion on reports issued under the guidance of AU-C section 705, along with AU-C sections 700 and 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report [AICPA, Professional Standards], and related PCAOB requirements when performing integrated audits see chapter 23 of this guide.)
5.255 Examiners might request permission to attend the meeting between the auditor and representatives of the institution (for example, the audit committee of the board of directors) to review the auditor's report on the institution's financial statements. If such a request is made and management concurs, the auditor should be responsive to the request.
5.256 Examiners and others may, from time to time, request auditors of financial statements of banks and savings institutions to provide access to working papers and audit documentation. The FFIEC’s Interagency Policy Statement on External Auditing Programs for Banks and Savings Associations states that the independent public auditor or other auditor of an institution should agree in the engagement letter to grant examiners access to all the auditor’s working papers and other material pertaining to the institution prepared in the course of performing the completed external auditing program. The FDIC issued guidance concerning the review of external auditor’s working papers (Regional Director Memorandum No. 2000-019, Reviews of External Auditors’ Workpapers, dated March 21, 2000). Auditors who have been requested to provide such access should consider Interpretation No. 1, "Providing Access to or Copies of Audit Documentation to a Regulator" (AICPA, Professional Standards, AU-C sec. 9230 par. .01–.15), of AU-C section 230. The interpretation states that when a regulator requests access to audit documentation pursuant to law, regulation, or audit contract, the auditor may take the following steps:
In addition, the interpretation addresses situations in which an auditor has been requested by a regulator to provide access to the audit documentation before the audit has been completed and the report released. Also, the interpretation notes that if a regulator engages an independent party, such as another independent public auditor, to perform the audit documentation review on behalf of the regulatory agency, there are some precautions auditors might consider observing.
5.257 Information in examination reports, inspection reports, and supervisory discussions—including summaries or quotations—is considered confidential. Such information may not be disclosed to any party without the written permission of the appropriate agency, and unauthorized disclosure of such information could subject the auditor to civil and criminal enforcement actions.
Two types of fraud are relevant to the auditor’s consideration, namely, fraudulent financial reporting and the misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur, which are incentives/pressures, opportunities, and attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
Although fraud is a broad legal concept, for the purposes of GAAS, paragraph .03 of AU-C section 240, Considerations of Fraud in a Financial Statement Audit (AICPA, Professional Standards), states that the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. Some of the following factors and conditions are present in entities in which specific circumstances do not present a risk of material misstatement. Also, specific controls may exist that mitigate the risk of material misstatement due to fraud, even though risk factors or conditions are present. When identifying risk factors and other conditions, the auditors might assess whether those risk factors and conditions, individually and in combination, present a risk of material misstatement of the financial statements.
Fraudulent Financial Reporting
The following are examples of risk factors that might result in misstatements arising from fraudulent financial reporting.
Incentives/Pressures
i. An increase of competitor investment products that are close alternatives for the institution’s deposit products (for example, mutual funds, insurance annuities, and mortgage loans), placing pressure on the institution’s deposit rates
ii. Competitor product pricing that results in loss of customers or market share for such products as loan, deposit, trust, asset management, and brokerage offerings
i. A failure or inability to keep pace with or to afford rapid changes in technology, if the financial stability or profitability of the particular institution is placed at risk due to that failure or inability
ii. Significant unexpected volatility (for example, in interest rates, foreign exchange rates, and commodity prices) in financial markets where the institution has a significant capital market presence and is exposed to loss of revenue or has not appropriately hedged its risk to price changes that affect proprietary positions
iii. Flattening yield curves or extremely high or low market interest rate environments
i. Deteriorating economic conditions (for example, declining corporate earnings, adverse exchange movements, and real estate prices) within industries or geographic regions in which the institution has significant credit concentrations
ii. For credit unions, losing a very substantial portion of the membership base, which places considerable pressure on management insofar as financial projections are often based on gaining new members and offering commercial loans
i. Substantially weak CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk) or, for bank-holding companies, BOPEC (bank’s CAMELS rating, operation of significant nonbanking subsidiaries, parent’s strength and operations, earnings of the banking organization, and capital of the banking organization) ratings.
ii. Regulatory capital requirements
i. Borrowers affected by recessionary declines and layoffs
ii. Issuers affected by recessionary declines and industry factors
i. Relaxation of credit standards
ii. Excessive extension of credit standards with approved deviation from policy
iii. Excessive concentration of lending (particularly new lending)
iv. Excessive lending in new products
v. Excessive pricing concessions not linked to enhanced collateral positions or other business rationale (for example, sales of other products or services)
vi. Excessive refinancing at lower rates that may delay the recognition of problem loans
Opportunities
i. Loans and other transactions with directors, officers, significant shareholders, affiliates, and other related parties, particularly those involving favorable terms
ii. Variable interest entities (VIEs)
iii. Certain types of lending practices, such as subprime and predatory lending by banks in an effort to obtain better yields
iv. Transfers of impaired assets
i. Consolidation questions with VIEs
ii. Material amounts of complex financial instruments and derivatives held by the institution that are difficult to value, or the institution’s use of complex collateral disposition schemes
i. Cash and correspondent banks—Reconciliation and review
ii. Intercompany or interbranch cash or suspense accounts and "internal" demand deposit accounts (DDAs)—Monitoring of activity and resolution of aged items
iii. Lending—Lack of credit committee and lack of stringent underwriting procedures
iv. Treasury—Securities/derivatives valuation (selection of models, methodologies, and assumptions)
v. Regulatory compliance—Lack of knowledge of pertinent regulation
vi. Deposits—Lack of monitoring unusual and significant activity
Attitudes and Rationalizations
Misappropriation of Assets
Risk factors that relate to misstatements arising from the misappropriation of assets are also classified according to the three conditions generally present when fraud exists, namely, incentives/pressures, opportunity, and attitudes/rationalizations. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and other deficiencies in internal control that are not effective may be present when misstatements due to either fraudulent financial reporting or the misappropriation of assets exist. The following sections show examples of risk factors related to misstatements arising from misappropriation of assets.
Incentives and Pressures
Opportunities
i. Vacant branch manager positions or managers are away on leave without replacements for an inordinate amount of time, causing a considerable lack of management oversight.
ii. The independent risk management function does not have the appropriate level of sophistication or the capability to effectively monitor and measure the risks, such as capital markets trading activities.
iii. Lack of adherence to, or enforcement of, the vacation policy.
i. Federal Bureau of Investigation background checks, credit reports, and bonding eligibility screening are not incorporated into the hiring process for employees with access to significant assets susceptible to misappropriation.
ii. A monitoring process does not identify employees who have access to assets susceptible to misappropriation and who are known to have financial difficulties.
i. Lack of independent monitoring of activity in internal DDAs and correspondent bank accounts
ii. No independent monitoring and resolution of customer exceptions/inquiries related to electronic funds transfer (EFT) transactions, loan disbursements/payments, customer deposit accounts, securities and derivatives transactions, and trust/fiduciary accounts
iii. Lack of key periodic independent reconciliations (in addition to reconciliations of subledgers to the general ledger) for wire transfer, treasury, trust, suspense accounts, automated teller machines, and cash
iv. Lack of segregation of duties in the following areas:
(1) EFT—Origination, processing, confirmation, and recordkeeping
(2) Lending—Relationship management, underwriting (including approval), processing, cash collection/disbursement, and recordkeeping; no periodic confirmation of customer loan information or indebtedness by personnel independent of the relationship officer.
(3) Treasury—Trading, processing, settlement, and recordkeeping. (The derivatives positions on the Treasury system are not priced by an independent operations area. The capital markets risk management process is not independent from the trading function. There is no independent confirmation of individual trades.)
(4) Trust—Relationship management, transaction authorization, transaction execution, settlement, custody, and account recordkeeping. (There is no annual review of the activity in trust accounts by an investment committee to ensure compliance with the terms of the trust agreement and bank investment guidelines.)
(5) Fiduciary—Issuance, registration, transfer, cancellation, and recordkeeping
(6) Charged-off loan accounts and recoveries
(7) Dormant and inactive DDAs and the escheatment process.
i. No verification of EFT initiation and authorization, including those instances in which bank employees initiate a transaction on a customer’s behalf
ii. Frequent underwriting exceptions to board-established credit authorization limits
iii. Frequent instances of cash disbursements on loans that have not yet received all approvals or met all preconditions for funding
iv. Lack of board approval for significant loans or unusually high loan-officer approval limits (Be alert to the existence of multiple loans being funded just below a loan officer’s limit.)
i. Lack of adequate physical security over the EFT operations area and customer records
ii. Failure to appropriately limit access to the vault to authorized employees acting within the scope of their job
iii. Lack of dual control over the vault, negotiable instruments (including travelers’ checks and money orders), and blank-check stock
iv. Lack of accountability over negotiable instruments
i. "Knowing your customer"
ii. Recognizing check fraud and kiting activities
iii. Controls over cash, negotiable instruments, and EFT
Attitudes and Rationalizations
The final rule provides discussion on the roles and responsibilities of the FICU’s board of directors and management in establishing and implementing the IRR policy and program; risk management systems, methods, and valuation measures; internal control; decision making informed by IRR measurement systems; and guidelines addressing the adequacy and effectiveness of the policy and program.
As stated in FASB ASC 450-20-50-4, the disclosure in FASB ASC 450-20-50-3 should include both of the following: