An Audit of Financial Statements

5.04 Consistent with the guidance presented in paragraph .04 of AU-C section 200, the purpose of an audit of a deposit and lending institution’s financial statements is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework, which enhances the degree of confidence that intended users can place in the financial statements. An audit conducted in accordance with GAAS and relevant ethical requirements enables the auditor to form that opinion. As the basis for the auditor’s opinion, paragraph .06 of AU-C section 200 states that GAAS require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (for purposes of GAAS, that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.

5.05 Paragraphs .08 and .10 of AU-C section 200 state that GAAS contain objectives, requirements, and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. GAAS require that the auditor exercise professional judgment and maintain professional skepticism throughout the planning and performance of the audit and, among other things,

• identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control.
• obtain sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks.
• form an opinion on the financial statements, or determine that an opinion cannot be formed, based on an evaluation of the audit evidence obtained.

The auditor also may have certain other communication and reporting responsibilities to users, management, those charged with governance, or parties outside the entity, regarding matters arising from the audit. These responsibilities may be established by GAAS or by applicable law or regulation.

Considerations for Audits Performed in Accordance With PCAOB Standards²

PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.10), reminds auditors of the requirement to appropriately apply professional skepticism throughout their audits, which includes an attitude of a questioning mind and a critical assessment of audit evidence. This practice alert highlights: (1) professional skepticism and due professional care; (2) impediments to the application of professional skepticism; (3) promoting professional skepticism via an appropriate system of quality control; (4) the importance of supervision to the application of professional skepticism; and (5) the appropriate application of professional skepticism.

Audit Risk

5.06 Paragraph .A36 of AU-C section 200 explains that audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.

5.07 Paragraphs .A38–.A40 of AU-C section 200 provide further explanation on the two levels of the risks of material misstatement. The risks of material misstatement exist at the overall financial statement level and the assertion level for classes of transactions, account balances, and disclosures. Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

5.08 Paragraph .A44 of AU-C section 200 states that GAAS do not ordinarily refer to inherent risk and control risk separately but rather to a combined assessment of the risks of material misstatement. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages or in nonquantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.

5.09 Paragraphs .A41–.A44 and .A46–.A47 of AU-C section 200 provide further guidance on the two components of the risk of material misstatement (inherent risk and control risk) and characteristics of detection risk.

Performance Materiality

5.19 Paragraph .A14 of AU-C section 320 explains that planning the audit solely to detect individual material misstatements overlooks the fact that the aggregate of individually immaterial misstatements may cause the financial statements to be materially misstated and leaves no margin for possible undetected misstatements. Therefore, in accordance with paragraph .11 of AU-C section 320, the auditor should determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing, and extent of further audit procedures. Performance materiality, for purposes of GAAS, is defined in AU-C section 320 as the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures. Performance materiality is to be distinguished from tolerable misstatement, which is the application of performance materiality to a particular sampling procedure.⁶

5.20 Paragraph .A14 of AU-C section 320 goes on to explain that the determination of performance materiality is not a simple mechanical calculation and involves the exercise of professional judgment. It is affected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identified in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period.

Risk Assessment Procedures and Related Activities

5.25 In accordance with paragraph .05 of AU-C section 315, the auditor should perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and relevant assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. For purposes of GAAS, risk assessment procedures are defined in AU-C section 315 as audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels.

5.26 The auditor is required to exercise professional judgment⁷ to determine the extent of the required understanding of the entity. Paragraph .A3 of AU-C section 315 states that the auditor’s primary consideration is whether the understanding of the entity that has been obtained is sufficient to meet the objectives of AU-C section 315. The depth of the overall understanding that is required by the auditor is less than that possessed by management in managing the entity.

5.27 Paragraph .06 of AU-C section 315 states that the risk assessment procedures should include the following:

• Inquiries of management, appropriate individuals within the internal audit function (if such function exists), and others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
• Analytical procedures
• Observation and inspection

Understanding the Entity and Its Environment, Including the Entity’s Internal Control

5.33 Paragraph .12 of AU-C section 315 states that the auditor should obtain an understanding of the following:

i.  its operations;

ii.  its ownership and governance structures;

iii.  the types of investments that the entity is making and plans to make, including investments in entities formed to accomplish specific objectives; and

iv.  the way that the entity is structured and how it is financed,

to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.

Appendix A, "Understanding the Entity and Its Environment," of AU-C section 315 contains examples of matters that the auditor may consider in obtaining an understanding of the entity and its environment. Appendix B, "Internal Control Components," of AU-C section 315 contains a detailed explanation of the internal control components.

Identifying and Assessing the Risks of Material Misstatement

5.77 To provide a basis for designing and performing further audit procedures, paragraphs .26–.27 of AU-C section 315 state that the auditor should identify and assess the risks of material misstatement at the financial statement level and at the relevant assertion level for classes of transactions, account balances, and disclosures. For this purpose, the auditor should

5.78 Paragraph .A108 of AU-C section 315 explains that the risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of this nature are not necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level. Rather, they represent circumstances that may increase the risks of material misstatement at the assertion level (for example, through management override of internal control). Financial statement level risks may be especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud.

5.79 Process of identifying risks of material misstatement. Paragraph .A120 of AU-C section 315 explains that information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, is used as audit evidence to support the risk assessment. The risk assessment determines the nature, timing, and extent of further audit procedures to be performed.

Designing and Performing Further Audit Procedures

5.82 AU-C section 330 addresses the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with AU-C section 315 and to evaluate the audit evidence obtained in an audit of financial statements.

Timely Preparation of Audit Documentation

5.105 Paragraph .07 of AU-C section 230 states that the auditor should prepare audit documentation on a timely basis. Paragraph .A3 of AU-C section 230 further explains that preparing sufficient and appropriate audit documentation on a timely basis throughout the audit helps to enhance the quality of the audit and facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditor’s report is finalized. Documentation prepared at the time such work is performed or shortly thereafter is likely to be more accurate than documentation prepared at a much later time.²³

Documentation of the Audit Procedures Performed and Audit Evidence Obtained

5.106 Paragraphs .08–.12 of AU-C section 230 address the auditor’s responsibilities regarding documentation of the audit procedures performed and audit evidence obtained including form, content, and extent of audit documentation. In accordance with paragraph .08 of AU-C section 230, the auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand

As stated in paragraph .A5 of AU-C section 230, examples of audit documentation include audit plans, analyses, issues memorandums, summaries of significant findings or issues, letters of confirmation and representation, checklists, and correspondence (including e-mail) concerning significant findings or issues.

5.107 For audit procedures related to the inspection of significant contracts or agreements, paragraph .10 of AU-C section 230 states that the auditor should include abstracts or copies of those contracts or agreements in the audit documentation.

5.108 In addition to the requirements discussed previously, paragraphs .13–.14 of AU-C section 230 address further documentation requirements about departures from relevant requirements and matters arising after the date of the auditor’s report.

Assembly and Retention of the Final Audit File

5.109 Paragraphs .15–.19 of AU-C section 230 address an auditor’s responsibilities regarding assembly and retention of the final audit file. Paragraph .16 of AU-C section 230 states that the auditor should assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis, no later than 60 days following the report release date. After the documentation completion date, paragraph .17 of AU-C section 230 prohibits the auditor from deleting or discarding audit documentation of any nature before the end of the specified retention period. If it is necessary to modify existing audit documentation or add new audit documentation after the documentation date, paragraph .18 of AU-C section 230 requires the auditor to document the specific reasons for making the changes and when and by whom the changes were made and reviewed.

Professional Skepticism

5.126 Consistent with paragraph .15 of AU-C section 200, paragraph .12 of AU-C section 240 states that the auditor should maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance.

5.127 Paragraphs .A9–.A10 of AU-C section 240 states that maintaining professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud may exist. It includes considering the reliability of the information to be used as audit evidence and the controls over its preparation and maintenance when relevant. Although the auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance, the auditor’s professional skepticism is particularly important in considering the risk of material misstatement due to fraud because there may have been changes in circumstances.

5.128 When responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), paragraph .14 of AU-C section 240 states that the auditor should further investigate the inconsistencies or unsatisfactory responses.

Discussion Among the Engagement Team

5.129 AU-C section 315 requires a discussion among the key engagement team members (see detailed discussion at paragraph 5.31). Paragraph .15 of AU-C section 240 states this discussion should include an exchange of ideas or brainstorming among the engagement team members about how and where the entity’s financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. The discussion should occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity, and should, in particular, also address

Communication among the engagement team members about the risks of material misstatement due to fraud should continue throughout the audit, particularly upon discovery of new facts during the audit.

5.130 Paragraph .A12 of AU-C section 240 states that discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud with the engagement team

• provides an opportunity for more experienced engagement team members to share their insights about how and where the financial statements may be susceptible to material misstatement due to fraud.
• enables the auditor to consider an appropriate response to such susceptibility and to determine which members of the engagement team will conduct certain audit procedures.
• permits the auditor to determine how the results of audit procedures will be shared among the engagement team and how to deal with any allegations of fraud that may come to the auditor’s attention during the audit.

5.131 In addition, paragraph .A13 of AU-C section 240 states the discussion may include the following matters:

• A consideration of management’s involvement in overseeing employees with access to cash or other assets susceptible to misappropriation
• A consideration of any unusual or unexplained changes in behavior or lifestyle of management or employees that have come to the attention of the engagement team
• A consideration of the types of circumstances that, if encountered, might indicate the possibility of fraud
• A consideration of how an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed
• A consideration of the audit procedures that might be selected to respond to the susceptibility of the entity’s financial statements to material misstatement due to fraud and whether certain types of audit procedures are more effective than others
• A consideration of any allegations of fraud that have come to the auditor’s attention

A number of factors may influence the extent of the discussion and how it may occur. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor in planning the discussions is whether to include specialists assigned to the audit team.

5.132 Exhibit 5-1, "Fraud Risk Factors," which appears at the end of this chapter, contains a list of fraud risk factors that auditors may consider as part of their planning and audit procedures. The purpose is for audit team members to communicate and share information obtained throughout the audit that may affect the assessment of the risks of material misstatement due to fraud or error or the audit procedures performed to address the risks.

Risk Assessment Procedures and Related Activities

5.133 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity’s internal control, required by AU-C section 315, paragraph .16 of AU-C section 240 states that the auditor should perform the procedures in paragraphs .17–.24 of AU-C section 240 to obtain information for use in identifying the risk of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures:

Identification and Assessment of the Risks of Material Misstatement Due to Fraud

5.137 In accordance with AU-C section 315, paragraph .25 of AU-C section 240 states that the auditor should identify and assess the risks of material misstatement due to fraud at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.²⁹ The auditor’s risk assessment should be ongoing throughout the audit, following the initial assessment.

5.138 Paragraph .26 of AU-C section 240 states that when identifying and assessing the risks of material misstatement due to fraud, the auditor should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. Paragraph .46 of AU-C section 240 specifies the documentation required when the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (See paragraphs .A33–.A35 of AU-C section 240 for application guidance of fraud risks in revenue recognition.³⁰)

Considerations for Audits Performed in Accordance With PCAOB Standards³¹

PCAOB Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.12), highlights certain requirements of PCAOB standards relating to aspects of auditing revenue in which significant auditing deficiencies have been frequently observed by PCAOB Inspections staff. More specifically, the alert addresses, among other topics, responding to the risks of material misstatement due to fraud associated with revenue.

5.139 Paragraph .27 of AU-C section 240 states that the auditor should treat those assessed risks of material misstatement due to fraud as significant risks and, accordingly, to the extent not already done so, the auditor should obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, including the evaluation of whether such controls have been suitably designed and implemented to mitigate such fraud risks. (See paragraphs .A36–.A37 of AU-C section 240 for application guidance on identifying and assessing the risks of material misstatement due to fraud and understanding the entity’s related controls.)

Responses to the Assessed Risks of Material Misstatement Due to Fraud

Evaluation of Audit Evidence

5.144 Paragraphs .34–.37 and .A56–.A62 of AU-C section 240 provide requirements and application guidance for evaluating audit evidence. As stated in paragraph .34 of AU-C section 240, the auditor should evaluate, at or near the end of the audit, whether the accumulated results of auditing procedures, including analytical procedures, that were performed as substantive tests or when forming an overall conclusion, affect the assessment of the risks of material misstatement due to fraud made earlier in the audit or indicate a previously unrecognized risk of material misstatement due to fraud.

5.145 Paragraph .35 of AU-C section 240 states that, if the auditor identifies a misstatement, the auditor should evaluate whether such a misstatement is indicative of fraud. If such an indication exists, the auditor should evaluate the implications of the misstatement with regard to other aspects of the audit, particularly the auditor's evaluation of materiality, management and employee integrity, and the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence. Furthermore, paragraph .36 of AU-C section 240 states that, if the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is, or may be, the result of fraud and that management (in particular, senior management) is involved, the auditor should reevaluate the assessment of the risks of material misstatement due to fraud and its resulting effect on the nature, timing, and extent of audit procedures to respond to the assessed risks. The auditor should also consider whether circumstances or conditions indicate possible collusion involving employees, management, or third parties when reconsidering the reliability of evidence previously obtained.

5.146 Paragraph .A60 of AU-C section 240 states that the implications of identified fraud depend on the circumstances. For example, an otherwise insignificant fraud may be significant if it involves senior management. In such circumstances, the reliability of evidence previously obtained may be called into question because there may be doubts about the completeness and truthfulness of representations made and genuineness of accounting records and documentation. There may also be a possibility of collusion involving employees, management, or third parties.

5.147 Paragraph .37 of AU-C section 240 states that if the auditor concludes that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the auditor should evaluate the implications for the audit. AU-C sections 450 and 700 address the evaluation and disposition of misstatements and the effect on the auditor’s opinion in the auditor’s report.

Auditor Unable to Continue the Engagement

5.148 Paragraph .38 of AU-C section 240 states that, if, as a result of identified fraud or suspected fraud, the auditor encounters circumstances that bring into question the auditor’s ability to continue performing the audit, the auditor should

i.  discuss with the appropriate level of management and those charged with governance the auditor’s withdrawal from the engagement and the reasons for the withdrawal, and

ii.  determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities, the auditor’s withdrawal from the engagement and the reasons for the withdrawal.

Given the nature of the circumstances and the need to consider the legal requirements, paragraph .A65 of AU-C section 240 states that the auditor may consider it appropriate to seek legal advice when deciding whether to withdraw from an engagement and in determining an appropriate course of action, including the possibility of reporting to regulators or others.³² For additional application guidance, including examples of circumstances that may arise and bring into question the auditor’s ability to continue performing the audit, see paragraphs .A63–.A65 of AU-C section 240.

Communications to Management and With Those Charged With Governance

5.149 Paragraph .39 of AU-C section 240 states that, if the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor should communicate these matters on a timely basis to the appropriate level of management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. As stated in paragraph .A67 of AU-C section 240, this is true even if the matter might be considered inconsequential (for example, a minor defalcation by an employee at a low level in the entity's organization). Unless all of those charged with governance are involved in managing the entity, paragraphs .40–.41 of AU-C section 240 state that, if the auditor has identified or suspects fraud involving (a) management, (b) employees who have significant roles in internal control, or (c) others, when the fraud results in a material misstatement in the financial statements, the auditor should communicate these matters to those charged with governance on a timely basis. If the auditor suspects fraud involving management, the auditor should communicate these suspicions to those charged with governance and discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit. In addition, the auditor should communicate with those charged with governance any other matters related to fraud that are, in the auditor’s professional judgment, relevant to their responsibilities. See paragraphs .A68–.A71 of AU-C section 240 for further application guidance concerning communications with those charged with governance.

Communications to Regulatory and Enforcement Authorities

5.150 If the auditor has identified or suspects a fraud, paragraph .42 of AU-C section 240 states that the auditor should determine whether the auditor has a responsibility to report the occurrence or suspicion to a party outside the entity. Although the auditor’s professional duty to maintain the confidentiality of client information may preclude such reporting, the auditor’s legal responsibilities may override the duty of confidentiality in some circumstances.

Documentation

5.151 Paragraphs .43–.46 of AU-C section 240 address requirements on certain items and events to be documented by the auditor in relation to assessed risks of material misstatement due to fraud.

Responsibility for Compliance With Laws and Regulations

The Auditor’s Consideration of Compliance With Laws and Regulations

5.157 Paragraph .A9 of AU-C section 250 states that certain laws and regulations are well established, known to the entity and within the entity’s industry or sector, and relevant to the entity’s financial statements. These laws and regulations generally are directly relevant to the determination of material amounts and disclosures in the financial statements and readily evident to the auditor. They could include those that relate to, for example

• tax laws affecting accruals and the amount recognized as expense in the accounting period.
• certain laws and regulations placing limits on the nature or amount of investments that institutions are permitted to hold. Such laws and regulations may affect the classification and valuation of assets.

For such laws and regulations, paragraph .13 of AU-C section 250 states that the auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations (see paragraph 5.156a).

Evaluating Whether Substantial Doubt Exists

5.165 In accordance with paragraph .08 of AU-C section 570A, the auditor should evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period of time (defined in AU-C section 570A as a period of time not to exceed one year beyond the date of the financial statements being audited) based on the results of the audit procedures.

5.166 When the applicable financial reporting framework includes a definition of substantial doubt about an entity’s ability to continue as a going concern, Interpretation No. 1, “Definition of Substantial Doubt About an Entity’s Ability to Continue as a Going Concern” (AICPA, Professional Standards, AU-C sec. 9570A par. 01–.02), of AU-C section 570A states that definition would be used by the auditor when applying the requirements of AU-C section 570A. Interpretation No. 2, “Definition of Reasonable Period of Time” (AICPA, Professional Standards, AU-C sec. 9570A par. 03–.05), of AU-C section 570A provides guidance on how an auditor should apply the term reasonable period of time when the applicable financial reporting framework requires management to evaluate whether there are conditions and events that raise substantial doubt for a period of time greater than one year from the date of the financial statements. Specifically, Interpretation No. 2 states that the auditor’s assessment of management’s going concern evaluation would be for the same period of time as required by the applicable financial reporting framework.

Written Representations

5.175 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, paragraph .14 of AU-C section 570A states that the auditor should obtain written representations from management

Consideration of the Effects on the Auditor’s Report

5.176 Paragraphs .15–.16 of AU-C section 570A state that, if, after considering identified conditions and events and management's plans, the auditor concludes that substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time remains, the auditor should include an emphasis-of-matter paragraph³⁸ in the auditor’s report to reflect that conclusion. The auditor’s conclusion about the entity’s ability to continue as a going concern should be expressed through the use of the phrase "substantial doubt about its (the entity’s) ability to continue as a going concern" or similar wording that includes the terms substantial doubt and going concern. In a going concern emphasis-of-matter paragraph, the auditor should not use conditional language in expressing a conclusion concerning the existence of substantial doubt about the entity’s ability to continue as going concern. Paragraph .A6 of AU-C section 570A provides an illustration of a going-concern emphasis-of-matter paragraph.

5.177 The auditor's decision about whether modification of the standard report is appropriate may depend also on

• the institution's existing regulatory-capital position;
• the likelihood that the institution's regulatory-capital position will improve or deteriorate within the next 12 months;
• whether the plan has been accepted by regulatory authorities; and
• the auditor's assessment of the institution's ability to achieve its capital plan, if any.

5.178 Chapter 23 of this guide discusses circumstances that the auditor might disclaim an opinion on.

Documentation

5.179 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the ability of the entity to continue as a going concern for a reasonable period of time, paragraph .22 of AU-C section 570A states that the auditor should document the following:

• The conditions or events that led the auditor to believe that there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.
• The elements of management’s plans that the auditor considered to be particularly significant to overcoming the adverse effects of the conditions or events.
• The auditing procedures performed to evaluate the significant elements of management’s plans and evidence obtained.
• The auditor’s conclusion as to whether substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time remains or is alleviated. If substantial doubt remains, the auditor also should document the possible effects of the conditions or events on the financial statements and the adequacy of the related disclosures. If substantial doubt is alleviated, the auditor also should document the conclusion as to the need for and, if applicable, the adequacy of disclosure of the principal conditions and events that initially caused the auditor to believe there was substantial doubt.
• The auditor’s conclusion with respect to the effects on the auditor’s report.

Written Representations as Audit Evidence

5.181 According to paragraphs .03–.04 of AU-C section 580, written representations are necessary information that the auditor requires in connection with the audit of the entity’s financial statements. Accordingly, similar to responses to inquiries, written representations are audit evidence. Although written representations provide necessary audit evidence, they complement other auditing procedures and do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal. Furthermore, obtaining reliable written representations does not affect the nature or extent of other audit procedures that the auditor applies to obtain audit evidence about the fulfillment of management’s responsibilities or about specific assertions.

Management From Whom Written Representations Are Requested

5.182 As explained in paragraph .A2 of AU-C section 580, written representations are requested from those with overall responsibility for financial and operating matters whom the auditor believes are responsible for, and knowledgeable about, directly or through others in the organization, the matters covered by the representations, including the preparation and fair presentation of the financial statements. As such, in accordance with paragraph .09 of AU-C section 580, the auditor should request written representations from management with appropriate responsibilities for the financial statements and knowledge of the matters concerned.

5.183 Paragraph .A2 of AU-C section 580 further states that those individuals with overall responsibility may vary depending on the governance structure of the entity; however, management (rather than those charged with governance) is often the responsible party. Written representations may therefore be requested from the entity’s chief executive officer and chief financial officer or other equivalent persons in entities that do not use such titles. In some circumstances, however, other parties, such as those charged with governance, also are responsible for the preparation and fair presentation of the financial statements.

Written Representations About Management’s Responsibilities and Other Written Representations

5.184 Paragraphs .10–.18 of AU-C section 580 discuss matters the auditor should request management to provide written representation about such as preparation and fair presentation of the financial statements, information provided and completeness of transactions, fraud, laws and regulations, uncorrected misstatements, litigation an claims, estimates, related party transactions, and subsequent events. If, in addition to such required representations and those addressed in other AU-C sections,⁴³ the auditor determines that it is necessary to obtain one or more written representations to support other audit evidence relevant to the financial statements or one or more specific assertions in the financial statements, paragraph .19 of AU-C section 580 states that the auditor should request such other written representations.

5.185 Additional representations specific to banks and savings institutions, credit unions, or both that may be obtained include the following:

• All regulatory examination reports, supervisory correspondence, and similar materials from applicable regulatory agencies (particularly communications concerning supervisory actions or noncompliance with or deficiencies in the rules and regulations or supervisory actions) have been provided to the auditor.
• The classification of securities between held-to-maturity, available-for-sale, or trading categories accurately reflects management's ability and intent.
• The methodology for determining fair value disclosures is based on reasonable assumptions.
• Adequate disclosure has been made of the status of the institution's capital plan filed with regulators, if applicable, and management believes it is in compliance with any formal agreements or orders in any memorandum of understanding or cease-and-desist order.
• Contingent assets and liabilities have been adequately disclosed in the financial statements.
• Related-party transactions have been entered into in compliance with existing regulations.
• Adequate provision has been made for any losses, costs, or expenses that may be incurred on securities, loans, or leases and real estate as of the balance sheet date.
• Other than temporary declines in the value of investment securities have been properly recognized in the financial statements.
• Commitments to purchase or sell securities under forward-placement, financial-futures contracts, and standby commitments have been adequately disclosed in the financial statements.
• Sales with recourse have been adequately disclosed in the financial statements.
• Proper disclosure has been made regarding the nature, terms, and credit risk of financial instruments with off-balance-sheet risk.
• No transactions or activities are planned that would result in any recapture of the base-year, tax-basis bad debt reserves.
• Proper disclosure has been made regarding financial instruments with significant

—  off-balance-sheet risk and

—  individual or group concentrations of credit risk.

5.186 Paragraph .A22 of AU-C section 580 states that management's representations may be limited to matters that are considered either individually or collectively material to the financial statements, provided management and the auditor have reached an understanding on materiality for this purpose. Materiality may be different for different representations. A discussion of materiality may be included explicitly in the representation letter in either qualitative or quantitative terms. Materiality considerations do not apply to those representations that are not directly related to amounts included in the financial statements (for example, management’s representations about the premise underlying the audit). In addition, because of the possible effects of fraud on other aspects of the audit, materiality would not apply to management’s acknowledgment regarding its responsibility for the design, implementation, and maintenance of internal control to prevent and detect fraud.

Date of, and Period(s) Covered by, Written Representations

5.187 Paragraph .20 of AU-C section 580 states that the date of the written representations should be as of the date of the auditor’s report on the financial statements. The written representations should be for all financial statements and period(s) referred to in the auditor’s report.

Form of Written Representations

5.188 In accordance with paragraph .21 of AU-C section 580, the written representations should be in the form of a representation letter addressed to the auditor.

Doubt About the Reliability of Written Representations and Requested Written Representations Not Provided

5.189 Paragraph .25 of AU-C section 580 states that the auditor should disclaim an opinion on the financial statements in accordance with AU-C section 705 or withdraw from the engagement if

Disclosures of Certain Significant Risks and Uncertainties

5.193 FASB ASC 275-10-50-1⁴⁴ requires institutions to make disclosures in their financial statements about the risks and uncertainties existing as of the date of those statements in the following areas:

5.194 An illustration of the application of these disclosure requirements by a bank or savings institution follows:

Nature of operations. ABC Institution operates seven branches in rural and suburban communities in the United States Midwest. The Institution's primary source of revenue is providing loans to customers that are predominantly small and middle-market businesses and middle-income individuals.

Use of estimates in the preparation of financial statements. The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and that affect the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates.

5.195 The application of these disclosure requirements by a bank or savings institution is discussed and illustrated in the following paragraphs.

Segment Reporting

5.210 FASB ASC 280-10 provides guidance to public entities on how to report certain information about operating segments in complete sets of financial statements of the public entity and in condensed financial statements of interim periods issued to shareholders. Refer to FASB ASC 280, Segment Reporting, for further discussion and detail regarding segment reporting requirements.

5.211 Per the FASB ASC glossary, a public entity is defined as a business entity or a not-for-profit entity that meets any of the following conditions:

• It has issued debt or equity securities or is a conduit bond obligor for conduit debt securities that are traded in a public market (a domestic or foreign stock exchange or an over-the-counter market, including local or regional markets).
• It is required to file financial statements with the SEC.
• It provides financial statements for the purpose of issuing any class of securities in a public market.

Introduction

5.212 Laws and their implementing regulations affect the areas and ways in which certain financial institutions operate while creating standards with which those institutions must comply. Some laws and regulations directly address the responsibilities of auditors.⁴⁹

5.213 The primary objective of this section is to explain why and how auditors might consider regulatory matters in the audits of certain financial institutions. This chapter also addresses the overall regulatory approach and environment, and the relative responsibilities of those institutions, examiners, and auditors. Considerations auditors might give to specific areas of regulation are highlighted in subsequent chapters.

5.214 Auditors might consider the effect regulations have on various engagements:

5.215 Paragraph .12 of AU-C section 315 indicates that auditors should obtain an understanding of relevant regulatory factors, including the applicable financial reporting framework. In that regard, it is helpful for auditors to be familiar with the nature and purpose of regulatory examinations—including the differences and relationship between examinations and financial statement audits.

5.216 Finally, an understanding of the regulatory environment in which these institutions operate is necessary to complement the auditor's knowledge of existing regulatory requirements. Because the regulatory environment is continually changing, the auditor might consider monitoring relevant regulatory changes and consider their implications in the audit process.

5.217 One primary objective of regulation is to maintain the strength of the financial system, in turn, promoting and enforcing the public role of certain financial institutions as financial intermediaries, protecting depositors, and preserving funds for federal deposit insurance. Regulations are generally associated with one or more of the following objectives: capital adequacy, asset quality, management competence, earnings, liquidity, and sensitivity to market risk.

5.218 Many laws and areas of regulation address the public role of certain financial institutions. For example, laws and regulations exist to ensure the availability of credit to all creditworthy applicants without discrimination and to satisfy the credit needs of low- and moderate-income neighborhoods in institutions' local communities.

5.219 Other regulations address directly these institution's operations and, therefore, have broader financial implications. For example, rules exist that restrict the acceptance and renewal of brokered deposits based on a bank or savings institution's level of capitalization.

5.220 In addition to the specific regulatory matters outlined in subsequent chapters, the three aspects of the regulatory process that are particularly important to auditors are rule making, examinations, and enforcement.

Rule Making

5.221 Regulations are created by the agencies based on their ongoing authority or as specifically mandated by legislation. Proposed rules and regulations are generally published for comment in the Federal Register, a daily publication of the federal government. Final rules also appear in the Federal Register and are codified in Title 12, Banks and Banking, of U.S. CFR. The Federal Register may be accessed at the Government Printing Office website. The rules applicable to a given institution depend on the institution's charter and other factors, such as whether it is federally insured and whether it is a member of the Federal Reserve System. Institutions are informed of new rules, policies, and guidance through publications of the agencies.

5.222 Discussions of specific regulatory matters found throughout this guide should not be substituted for a complete reading of related regulations, rulings, or other documents where appropriate. It is important for auditors to keep apprised of recent changes in regulations, as the regulatory environment is constantly changing.

Examinations

5.223 As used in this guide, the term audit refers to an audit performed by an auditor for the purpose of expressing an opinion on an institution’s financial statements, unless the context in which the term is used clearly indicates that the reference is to an internal audit. The term examination generally refers to an examination made by a regulatory authority. There are several types of regulatory examinations, including a Safety and Soundness Examination, an Information Systems Examination, a Trust Examination and a Compliance Examination. These examinations may be combined or performed separately. The purpose of the regulatory examination is to determine the safety and soundness of an institution. The term examiner as used in this guide means those individuals—acting on behalf of a regulatory agency—responsible for supervising the performance or preparation of reports of examination and, when appropriate, supervisory personnel at the district and national level.

5.224 Federally insured financial institutions are required to have periodic full-scope, on-site examinations by the appropriate agency. In some cases the OCC and the Federal Reserve will perform off site examinations. In certain cases, an examination by a state regulatory agency is accepted. Full-scope and other examinations are intended primarily to provide early identification of problems at insured institutions rather than as a basis for expressing an opinion on fair presentation of an institution's financial statements.

5.225 The scope of an examination is generally unique to each institution based on risk factors assessed by the examiner; however, general areas that might be covered include the following:

• Capital adequacy
• Asset quality
• Management
• Earnings
• Liquidity
• Sensitivity to market risk
• Funds management
• Internal systems and controls
• Consumer affairs
• Electronic data processing
• Fiduciary activities

5.226 Examinations are sometimes targeted to a specific area of operations. Separate compliance examination programs also exist to address institutions' compliance with laws and regulations in areas such as consumer protection, insider transactions, and reporting under the Bank Secrecy and USA Patriot Acts.

5.227 An examination generally begins with a review of various background material and information, including practices, policies or procedures established by an institution. The examiner compares these practices, policies, or procedures to regulatory and supervisory requirements and assesses the institution's adherence to sound fundamental principles in its day-to-day operations. Any additional detailed procedures considered necessary are then applied. A written report of procedures and findings is then prepared by the examiner. The relationship between the work of the examiner and that of the auditor is further discussed in the following paragraph.

5.228 Results of examinations are also used in assigning the institution a rating under regulatory rating systems. The FFIEC has adopted the Uniform Financial Institutions Rating System, which bases an institution's composite CAMELS (the rating on component factors addressing capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk). Further, the Federal Reserve assigns BOPEC (the rating stands for the five key areas of supervisory concern: the condition of the BHC's bank subsidiaries, other nonbank subsidiaries, parent company, earnings, and capital adequacy) ratings to bank holding companies based on consideration of the bank's CAMELS rating, operation of significant nonbanking subsidiaries, the parent's strength and operations, earnings of the banking organization, and capital of the banking organization. Both systems involve a five-point rating scale, with one being the highest possible rating.

Enforcement

5.229 Regulatory enforcement is sometimes carried out through a written agreement between the regulator and the institution—ranging from the least severe commitment letter to a cease-and-desist order. Among other actions that can be taken, the agencies may enforce regulations by

• ordering an institution to cease and desist from certain practices or violations;
• removing an officer or prohibiting an officer from participating in the affairs of the institution or the industry;
• assessing civil money penalties; and
• terminating insurance of an institution's deposits.

5.230 The examination focus has shifted from complete reliance on transaction testing to an assessment of risks and each of the agencies has issued guidance on "supervision by risk," under which examiners identify the risks a bank faces and evaluate how the institution manages those risks. Derivative activities (including the use of credit derivatives), as well as bank trading activities, have also received increased scrutiny. In addition, recent losses involving fraud have led to a reemphasis on the identification of significant internal control weaknesses and other potential indicators of fraud.

5.231 Further, insured financial institutions may be subject to other mandatory and discretionary actions taken by regulators under prompt corrective action (PCA) provisions of the FDI Act and the Federal Credit Union Act (FCUA). As described in chapters 1 and 2 of this guide, possible actions range from the restriction or prohibition of certain activities to appointment of a receiver or conservator of the institution's net assets.

5.232 Many enforcement actions—such as civil money penalties—apply not only to an insured financial institution but also to a broader class of institution-affiliated parties, which could include auditors. For example, regulatory agencies may assess civil money penalties of up to $1 million⁵⁰ per day against an institution or institution-affiliated party that violates a written agreement or any condition imposed in writing by the agency, breaches a fiduciary duty, or engages in unsafe or unsound practices. Because the term unsafe or unsound is not defined in any law or regulation, the potential liability of institution-affiliated parties is great.

5.233 The FDI Act also authorizes the agencies that regulate banks and savings institutions—on a showing of good cause—to remove, suspend, or bar an auditor from performing engagements required under the FDI Act.

5.234 Due to the passage of Credit Union Membership Access Act of 1998 in 1998, the NCUA adopted stiffer net worth requirements and PCA regulations. Practitioners should understand these regulations and their effect on the credit union.

5.235 The NCUA is required to publicly disclose formal and informal enforcement orders and any modifications to or terminations of such orders. Publication may be delayed for a reasonable time if disclosure would seriously threaten the safety or soundness of the credit union.

5.236 Currently, federal and most state credit union regulators use a letter of understanding and agreement or similar contractual arrangement to formalize the negotiated agreement between the regulatory agency or agencies (the regional director represents the NCUA) and the credit union's board of directors concerning problems, the actions to be taken, and the timetable for completing each action. In dealing with a state-chartered, non-National Credit Union Share Insurance Fund–insured credit union, the state regulator will usually involve the appropriate state or private insurer.

Planning

5.237 AU-C section 315 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control. The auditor should obtain knowledge about regulatory matters and developments as part of the understanding of an institution's business. The auditor might also consider the results of regulatory examinations, as discussed previously.

Detection of Errors and Fraud

5.238 AU-C section 240 addresses the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how AU-C sections 315 and 330 are to be applied regarding risks of material misstatement due to fraud. Noncompliance with laws and regulations (for example, noncompliance with regulatory capital requirements) is one indicator of higher risk that is especially relevant in the industry. Events of noncompliance are often described in

• regulatory reports and
• cease-and-desist orders or other regulatory actions, whether formal or informal.

5.239 In accordance with paragraph .A10 of AU-C section 250, the auditor’s responsibility regarding misstatements resulting from noncompliance with laws and regulations having a direct effect on the determination of material amounts and disclosures in the financial statements is the same as that for misstatements caused by fraud or error. For purposes of AU-C section 250, noncompliance is defined as acts of omission or commission by the entity either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management, or employees of the entity.

Evaluation of Contingent Liabilities and Related Disclosures

5.240 Management's financial statement assertions include those about the completeness, presentation, and disclosure of liabilities. Because some areas of regulation relate more to operations than to financial reporting or accounting, consideration of compliance in those areas would normally be limited to the evaluation of disclosures of any contingent liability based on alleged or actual violation of the law.

Going-Concern Considerations

5.241 Paragraphs 5.163–.179 address going-concern considerations. In addition to the matters discussed in those paragraphs, the auditor's consideration might include regulatory matters such as the following:

• Noncompliance with laws and regulations
• Supervisory actions or regulatory changes that place limitations or restrictions on operating activities
• Classification of the institution under PCA provisions of the FDI Act and the FCUA (see chapters 1 and 2 of this guide)

5.242 For example, regulatory changes in 1992 placed new restrictions on the acceptance of brokered deposits by certain banks and savings institutions. This change had two implications. First, it potentially limited sources of liquidity and created a compliance requirement. An auditor auditing the financial statements of an institution subject to those restrictions would have needed to evaluate whether the effect on the institution's liquidity, when considered with other factors, raised substantial doubt about the institution's ability to remain a going concern for a reasonable period of time. The auditor would also have needed to consider the financial statement effects of any known event of noncompliance with the requirement itself. Examples of other events or conditions that would warrant the auditor's consideration include

• the continued existence of conditions that brought about previous regulatory actions or restrictions;
• effects of scheduled increases in deposit insurance premiums;
• failure to meet minimum regulatory capital requirements;
• limitations on the availability of borrowings through the Federal Reserve System discount window; and
• exposure to the institution posed by transactions with correspondent banks and related limitations on interbank liabilities.

Regulatory Reporting Matters—Interpretation and Reporting Related to GAAP

5.243 General purpose financial statements are prepared in accordance with GAAP. Every national bank and savings and loan association, state member bank and state chartered savings and loan association, and insured state nonmember bank is required to file FFIEC Call Reports. Every federally insured credit union is required to file the NCUA 5300 Call Report. Call Reports (for example, FFIEC and NCUA) present an institution’s financial condition and results of operations on a consolidated basis in accordance with GAAP. These reports are used by regulators as a basis for supervisory action, a source of statistical information, and other such purposes. In 1997, the banking regulators adopted instructions for these reports that follow GAAP.

5.244 FDI Act Section 37(a)(2) requires that reports and other regulatory filings for banks and savings institutions follow accounting principles that are uniform and consistent with GAAP. Regulatory reporting topics noted herein are consistent with acceptable practices under GAAP. The Call Report instructions explain certain specific reporting guidance in greater detail. Information may often be found in the appropriate entries in the "Glossary" section of the Call Report or, in more detail, in the GAAP standards. Financial institutions are encouraged to discuss specific events and transactions not covered by GAAP or the guidance in the regulatory report instructions with their primary supervisory agency for more technical detail on the application of the GAAP accounting standards.

5.245 Appendix B, "Regulatory Reporting Matters—Interpretation and Reporting Related to U.S. GAAP," of this guide serves as an aid in specific selected areas and is not intended to be a comprehensive discussion of the principles of bank accounting or reporting.

5.246 For financial institutions, the allowance for loan and lease losses (ALLL) is an area that requires judgment and is a focus of auditors and examiners. At the same time, the Interagency Policy Statement on the Allowance for Loan and Lease Losses, dated December 13, 2006, emphasizes that the ALLL should be consistent with GAAP. This policy statement reminds institutions that the ALLL generally should not be based solely on a "standard percentage" of loans. To that end, the policy statement no longer references standardized loss estimates for classified loans. Banks should review the entry allowance for loan and lease losses in the “Glossary” section of the FFIEC’s Instructions for Preparation of Consolidated Reports of Condition and Income, and the interagency policy statement on the ALLL.

5.247 Bank examiners will review the reasonableness of the range and management’s best estimate within the range. The agencies find that an ALLL established in accordance with the December 13, 2006, Interagency Policy Statement on the Allowance for Loan and Lease Losses and the Interagency Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions, issued July 2001 (2001 Policy Statement) as applicable, falls within the range of acceptable estimates determined in accordance with GAAP. The guidance in the 2001 Policy Statement was substantially adopted by the NCUA through its Interpretive Ruling and Policy Statement 02-3, Allowance for Loan and Lease Losses Methodologies and Documentation for Federally-Insured Credit Unions, in May 2002.

Auditor and Examiner Relationship

5.248 Banking regulators conduct periodic on-site examinations to address broader regulatory and supervisory issues. There are some objectives shared by examiners and auditors, and coordination in consultation with the institution may be beneficial.

5.249 The primary objective of communicating with examiners is to ensure that auditors consider competent audit evidence produced by examiners before expressing an opinion on audited financial statements. In areas such as the adequacy of credit loss allowances and violations of laws or regulations, for example, information known to or judgments made by examiners generally should be made known to management and the auditor before financial statements are issued or an audit opinion is rendered. Such communication will minimize the possibility that a regulatory agency will subsequently require restatement—based on the examiner's additional knowledge or different judgment—of Call Reports and affect the general purpose financial statements, on which the auditor has already expressed an opinion, dated during or subsequent to the period in which a regulatory examination was being conducted.

5.250 FDI Act Section 36(h) requires that each bank and savings institution provide its auditor with copies of the institution's most recent Call Report and examination report (see 12 CFR 363). According to regulations, the institution must also provide the auditor with any of the following documents related to the period covered by the engagement:

5.251 The auditor might consider reviewing communications from examiners and, when appropriate, make inquiries of examiners. Specifically, the auditor could

5.252 The auditor's attendance at other meetings between examiners and representatives of the institution is based on prior approval by the regulatory agency.

5.253 Auditors may request a meeting with the appropriate regulatory representatives to inquire about supervisory matters relevant to the client institution. The management of the institution would generally be present at such a meeting, and matters discussed would generally be limited to findings already presented to management. Federal regulatory policy also permits meetings between examiners and auditors in the absence of the institution's management.⁵¹

5.254 Management refusal to furnish access to reports or correspondence, or to permit the auditor to communicate with the examiner, would ordinarily be a limitation on the scope of a financial statement audit sufficient to preclude an opinion. Refusal by an examiner to communicate with the auditor may create the same scope limitation, depending on the auditor's assessment of the circumstances. AU-C section 705 addresses how the form and content of the auditor’s report is affected when the auditor expresses a modified opinion in the auditor’s report. (For a detailed discussion on reports issued under the guidance of AU-C section 705, along with AU-C sections 700 and 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report [AICPA, Professional Standards], and related PCAOB requirements when performing integrated audits see chapter 23 of this guide.)

5.255 Examiners might request permission to attend the meeting between the auditor and representatives of the institution (for example, the audit committee of the board of directors) to review the auditor's report on the institution's financial statements. If such a request is made and management concurs, the auditor should be responsive to the request.

5.256 Examiners and others may, from time to time, request auditors of financial statements of banks and savings institutions to provide access to working papers and audit documentation. The FFIEC’s Interagency Policy Statement on External Auditing Programs for Banks and Savings Associations states that the independent public auditor or other auditor of an institution should agree in the engagement letter to grant examiners access to all the auditor’s working papers and other material pertaining to the institution prepared in the course of performing the completed external auditing program. The FDIC issued guidance concerning the review of external auditor’s working papers (Regional Director Memorandum No. 2000-019, Reviews of External Auditors’ Workpapers, dated March 21, 2000.) Auditors who have been requested to provide such access should consider Interpretation No. 1, "Providing Access to or Copies of Audit Documentation to a Regulator" (AICPA, Professional Standards, AU-C sec. 9230 par. .01–.15), of AU-C section 230. The interpretation states when a regulator requests access to audit documentation pursuant to law, regulation, or audit contract, the auditor may take the following steps:

• Consider advising the client that the regulator has requested access to (and possibly copies of) the audit documentation and that the auditor intends to comply with such request.
• Make appropriate arrangements with the regulator for the review.
• Maintain control over the audit documentation.
• Consider submitting to the regulator a letter clarifying that an audit performed in accordance with GAAS is not intended to, and does not, satisfy a regulator's oversight responsibilities. An example of such a letter is illustrated in paragraph .06 of Interpretation No. 1 of AU-C section 230.

In addition, the interpretation addresses situations in which an auditor has been requested by a regulator to provide access to the audit documentation before the audit has been completed and the report released. Also, the interpretation notes that if a regulator engages an independent party, such as another independent public auditor, to perform the audit documentation review on behalf of the regulatory agency, there are some precautions auditors might consider observing.

5.257 Information in examination reports, inspection reports, and supervisory discussions—including summaries or quotations—is considered confidential. Such information may not be disclosed to any party without the written permission of the appropriate agency, and unauthorized disclosure of such information could subject the auditor to civil and criminal enforcement actions.

Two types of fraud are relevant to the auditor’s consideration, namely, fraudulent financial reporting and the misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur, which are incentives/pressures, opportunities, and attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.

Although fraud is a broad legal concept, for the purposes of GAAS, paragraph .03 of AU-C section 240, Considerations of Fraud in a Financial Statement Audit (AICPA, Professional Standards), states that the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. Some of the following factors and conditions are present in entities in which specific circumstances do not present a risk of material misstatement. Also, specific controls may exist that mitigate the risk of material misstatement due to fraud, even though risk factors or conditions are present. When identifying risk factors and other conditions, the auditors might assess whether those risk factors and conditions, individually and in combination, present a risk of material misstatement of the financial statements.

Fraudulent Financial Reporting

The following are examples of risk factors that might result in misstatements arising from fraudulent financial reporting.

Incentives/Pressures

1. a.  High degree of competition or market saturation, accompanied by declining margins shown by the following:

1.  An increase of competitor investment products that are close alternatives for the institution’s deposit products (for example, mutual funds, insurance annuities, and mortgage loans), placing pressure on the institution’s deposit rates

ii.  Competitor product pricing that results in loss of customers or market share for such products as loan, deposit, trust, asset management, and brokerage offerings

1. b.  High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates, exemplified by the following:

i.  A failure or inability to keep pace with or to afford rapid changes in technology, if the financial stability or profitability of the particular institution is placed at risk due to that failure or inability

ii.  Significant unexpected volatility (for example, in interest rates, foreign exchange rates, and commodity prices) in financial markets where the institution has a significant capital market presence and is exposed to loss of revenue or has not appropriately hedged its risk to price changes that effect proprietary positions

iii.  Flattening yield curves or extremely high or low market interest rate environments

1. c.  Significant declines in customer demand and increasing business failures in either the industry or overall economy, such as the following:

i.  Deteriorating economic conditions (for example, declining corporate earnings, adverse exchange movements, and real estate prices) within industries or geographic regions in which the institution has significant credit concentrations

ii.  For credit unions, losing a very substantial portion of the membership base, which places considerable pressure on management insofar as financial projections are often based on gaining new members and offering commercial loans

1. d.  Rapid growth or unusual profitability, especially compared to that of other peer financial institutions; for example, unusually large growth in the loan portfolio without a commensurate increase in the size of the allowance for loan and lease losses (ALLL)
2. e.  New and existing accounting, statutory, or regulatory requirements, such as the following:

i.  Substantially weak CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk) or, for bank-holding companies, BOPEC (bank’s CAMELS rating, operation of significant nonbanking subsidiaries, parent’s strength and operations, earnings of the banking organization, and capital of the banking organization) ratings.

ii.  Regulatory capital requirements

1. f.  Decline in asset quality due to the following:

i.  Borrowers affected by recessionary declines and layoffs

ii.  Issuers affected by recessionary declines and industry factors

1. a.  Unrealistically aggressive loan goals and lucrative incentive programs for loan originations, shown by the following, for example:

i.  Relaxation of credit standards

ii.  Excessive extension of credit standards with approved deviation from policy

iii.  Excessive concentration of lending (particularly new lending)

iv.  Excessive lending in new products

v.  Excessive pricing concessions not linked to enhanced collateral positions or other business rational (for example, sales of other products or services)

vi.  Excessive refinancing at lower rates that may delay the recognition of problem loans

1. b.  Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations (For example, the acquisition of another institution has been announced in the press with the terms dependent on the future financial results of the acquiring institution.)
2. c.  Willingness by management to respond to these pressures by pursuing business opportunities for which the institution does not possess the needed expertise
3. d.  Excessive reliance on wholesale funding (brokered deposits)
4. e.  Speculative use of derivatives
5. f.  Failure to establish economic hedges against key risks (for example, interest rate) through effective asset liability committee processes
6. g.  Changes in a bank’s loan loss accounting methodology that are not accompanied by observed changes in credit administration practices or credit conditions
7. h.  Frequent or unusual exceptions to credit policy
8. i.  Threat of a downgrade in the institution’s overall regulatory rating (for example, CAMEL, MACRO [rating stands for management, asset quality, capital adequacy, risk management and operating results], or BOPEC) that could preclude expansion or growth plans
9. j.  Threat of failing to meet minimum capital adequacy requirements that could cause adverse regulatory actions

1. a.  Heavy concentrations of their personal net worth in the entity
2. b.  Bank is privately owned by one person or family whose net worth or income (from dividends) is dependent on the bank

Opportunities

1. a.  Significant related party transactions not in the ordinary course of business or with related entities not audited or audited by another firm, such as the following:

i.  Loans and other transactions with directors, officers, significant shareholders, affiliates, and other related parties, particularly those involving favorable terms

ii.  Variable interest entities (VIEs)

iii.  Certain types of lending practices such as, subprime and predatory lending by banks in an effort to obtain better yields

iv.  Transfers of impaired assets

1. b.  Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate (Significant estimates generally include the allowance for loan losses, and the valuation of servicing rights, residual interests, and deferred tax assets, fair value determinations, and the recognition of other impairment losses; for example, goodwill and investments)
2. c.  Significant, unusual, or highly complex transactions, especially those close to year end that pose difficult "substance over form" questions, such as the following:

i.  Consolidation questions with VIEs

ii.  Material amounts of complex financial instruments and derivatives held by the institution that are difficult to value, or the institution’s use of complex collateral disposition schemes

1. d.  Frequent or unusual adjustments to the ALLL
2. e.  Loan sales that result in retained beneficial interests (Valuation of retained beneficial interests is based on estimates and assumptions and are susceptible to manipulation if not properly controlled.)
3. f.  Complex transactions that result in income or gains, such as sale and leasebacks, with arbitrarily short leaseback terms
4. g.  Deferred tax assets, arising from net operating loss carryforwards, without valuation allowances
5. h.  Deferral of loan origination costs that exceed the appropriate costs that may be deferred under FASB ASC 310-20

1. a.  Inadequate monitoring of controls, including automated controls and controls over financial reporting, such as lack of oversight of critical processes in the following areas:

i.  Cash and correspondent banks—Reconciliation and review

ii.  Intercompany or interbranch cash or suspense accounts and "internal" demand deposit accounts (DDAs)—Monitoring of activity and resolution of aged items

iii.  Lending—Lack of credit committee and lack of stringent underwriting procedures

iv.  Treasury—Securities/derivatives valuation (selection of models, methodologies, and assumptions)

v.  Regulatory compliance—Lack of knowledge of pertinent regulation

vi.  Deposits—Lack of monitoring unusual and significant activity

1. b.  Ineffective internal audit function
2. c.  Lack of board-approved credit (underwriting and administration) or investment policies
3. d.  Vacant staff positions remain unfilled for extended periods, thereby preventing the proper segregation of duties
4. e.  Lack of an appropriate system of authorization and approval of transactions in areas such as lending and investment, in which the policies and procedures for the authorization of transactions are not established at the appropriate level
5. f.  Lack of independent processes for the establishment and review of allowance for loan losses
6. g.  Lack of independent processes for the evaluation of other than temporary impairments
7. h.  Inadequate controls over transaction recording, including the setup of loans on systems
8. i.  Lack of controls over the perfection of interests in lending collateral
9. j.  Inadequate methods of identifying and communicating exceptions and variances from planned performance
10. k.  Inadequate accounting reconciliation policies and practices, including appropriate supervisory review, the monitoring of stale items and out of balance conditions, and the timeliness of write-offs
11. l.  Failure to establish adequate segregation of duties between approval transactions and the disbursement of funds
12. m.  Lack of control over the regulatory reporting process, in which key decision makers also have control over the process
13. n.  Lack of adequate reporting to the board of directors and executive management regarding credit, interest-rate, liquidity, and market risks
14. o.  Change from an internal audit function that has been outsourced to the external auditor or other provider to a new in-house internal audit department or another outsourcing provider

Attitudes and Rationalizations

1. a.  The existence of a regulatory cease and desist order, memorandum of understanding, or other regulatory agreements (whether formal or informal) that concern management competence or internal control
2. b.  Repeated criticisms or apparent violations cited in regulatory examination reports that management has ignored

1. a.  Consideration of "business issues" (for example, shareholder expectations) in determining significant estimates
2. b.  Adjustments to the allowance for loan losses by senior management or the board for which there is no written documentation
3. c.  An unusual propensity to enter into complex asset disposition agreements

Misappropriation of Assets

Risk factors that relate to misstatements arising from the misappropriation of assets are also classified according to the three conditions generally present when fraud exists, namely, incentives/pressures, opportunity, and attitudes/rationalizations. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and other deficiencies in internal control that are not effective may be present when misstatements due to either fraudulent financial reporting or the misappropriation of assets exist. The following sections show examples of risk factors related to misstatements arising from misappropriation of assets.

Incentives and Pressures

1. a.  It is likely that the institution will be merged into or acquired by another institution and there is uncertainty regarding the employees’ future employment opportunities.
2. b.  The institution has recently completed a merger or acquisition, employees are working long hours on integration projects, and morale is low.
3. c.  The institution is under regulatory scrutiny, and there is uncertainty surrounding the future of the institution.

Opportunities

1. a.  Large amounts of cash on hand and wire transfer capabilities
2. b.  Easily convertible assets, such as bearer bonds or diamonds, that may be in safekeeping
3. c.  Inadequate or ineffective physical security controls, for example, overliquid assets or information systems
4. d.  Access to customer accounts

1. a.  Inadequate management oversight of employees responsible for assets, such as the following:

i.  Vacant branch manager positions or managers are away on leave without replacements for an inordinate amount of time, causing a considerable lack of management oversight.

ii.  The independent risk management function does not have the appropriate level of sophistication or the capability to effectively monitor and measure the risks, such as capital markets trading activities.

iii.  Lack of adherence or enforcement of vacation policy.

1. b.  Inadequate job applicant screening and monitoring of employees, such as the following:

i.  Federal Bureau of Investigation background checks, credit reports, and bonding eligibility screening are not incorporated into the hiring process for employees with access to significant assets susceptible to misappropriation.

ii.  A monitoring process does not identify employees who have access to assets susceptible to misappropriation and who are known to have financial difficulties.

1. c.  Inadequate segregation of duties or independent checks, such as the following:

i.  Lack of independent monitoring of activity in internal DDAs and correspondent bank accounts

ii.  No independent monitoring and resolution of customer exceptions/inquiries related to electronic funds transfer (EFT) transactions, loan disbursements/payments, customer deposit accounts, securities and derivatives transactions, and trust/fiduciary accounts

iii.  Lack of key periodic independent reconciliations (in addition to reconciliations of subledgers to the general ledger) for wire transfer, treasury, trust, suspense accounts, automated teller machines, and cash

iv.  Lack of segregation of duties in the following areas:

(1)  EFT—Origination, processing, confirmation, and recordkeeping

(2)  Lending—Relationship management, underwriting (including approval), processing, cash collection/disbursement, and recordkeeping; no periodic confirmation of customer loan information or indebtedness by personnel independent of the relationship officer.

(3)  Treasury—Trading, processing, settlement, and recordkeeping. (The derivatives positions on the Treasury system are not priced by an independent operations area. The capital markets risk management process is not independent from the trading function. There is no independent confirmation of individual trades.)

(4)  Trust—Relationship management, transaction authorization, transaction execution, settlement, custody, and account recordkeeping. (There is no annual review of the activity in trust accounts by an investment committee to ensure compliance with the terms of the trust agreement and bank investment guidelines.)

(5)  Fiduciary—Issuance, registration, transfer, cancellation, and recordkeeping

(6)  Charged-off loan accounts and recoveries

(7)  Dormant and inactive DDAs and the escheatment process.

1. d.  No independent mailing of customer statements or monitoring of "Do not Mail/Hold" statements
2. e.  Lack of control over new accounts
3. f.  Failure to reconcile "due from" bank accounts on a regular basis, and review open items
4. g.  Loans are purchased from loan brokers, but the loans are not re-underwritten before purchase
5. h.  Inadequate segregation of duties because the institution is small and has limited staff
6. i.  Lack of appropriate system of authorization and approval of transactions, such as the following:

i.  No verification of EFT initiation and authorization, including those instances in which bank employees initiate a transaction on a customer’s behalf

ii.  Frequent underwriting exceptions to board-established credit authorization limits

iii.  Frequent instances of cash disbursements on loans that have not yet received all approvals or met all preconditions for funding

iv.  Lack of board approval for significant loans or unusually high loan-officer approval limits (Be alert to the existence of multiple loans being funded just below a loan officer’s limit.)

1. j.  Poor physical safeguards over cash, investments, customer information, or fixed assets, such as the following:

i.  Lack of adequate physical security over the EFT operations area and customer records

ii.  Failure to appropriately limit access to the vault to authorized employees acting within the scope of their job

iii.  Lack of dual control over the vault, negotiable instruments (including travelers’ checks and money orders), and blank-check stock

iv.  Lack of accountability over negotiable instruments

1. k.  Inadequate training of tellers and operations personnel regarding the following:

i.  "Knowing your customer"

ii.  Recognizing check fraud and kiting activities

iii.  Controls over cash, negotiable instruments, and EFT

Attitudes and Rationalization