PCAOB 12: Identifying and Assessing Risks of Material Misstatement

EFFECTIVE DATE AND APPLICABILITY

Effective Date: This standard currently is effective.
Applicability: All audit planning.

DEFINITIONS OF TERMS

Fraud risk factors. Events or conditions that indicate an incentive or pressure to perpetrate fraud, an opportunity to carry out fraud, or an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud. However, they are frequently present where fraud exists.

OBJECTIVES OF PCAOB STANDARD 12

Public Company Accounting Oversight Board (PCAOB) Auditing Standard 12 sets the objective of identifying and appropriately assessing the risk of material misstatement, thereby providing a basis for designing and implementing responses to that risk.

FUNDAMENTAL REQUIREMENTS

Performing Risk Assessment Procedures

The auditor should perform sufficient risk assessment procedures to provide a reasonable basis for identifying and assessing the risks of material misstatement due to error or fraud, and to design further audit procedures.

There are a variety of sources from which the risk of material misstatement can arise, including both internal and external factors. These factors can affect the judgments involved in the determination of accounting estimates, or create pressure to manipulate the financial statements in order to achieve financial goals. This standard addresses the following risk assessment procedures:

1. Obtaining an understanding of the company and its environment
2. Obtaining an understanding of internal control over financial reporting
3. Considering information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company
4. Performing analytical procedures
5. Conducting a discussion among engagement team members regarding the risks of material misstatement
6. Inquiring of the audit committee, management, and others within the company about the risks of material misstatement

In the case of an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. Thus, the auditor’s risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements.

Obtaining an Understanding of the Company and Its Environment

The auditor should obtain an understanding of the company and its environment that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining this understanding includes:

  • Relevant industry, regulatory, and other external factors
  • The nature of the company
  • The company’s selection and application of accounting principles and disclosures
  • The company’s objectives and strategies and related business risks that might reasonably be expected to result in risks of material misstatement
  • The company’s measurement and analysis of its financial performance

The auditor should evaluate whether significant changes in the company from prior periods, including any changes in its internal control over financial reporting, affect the risks of material misstatement.

Industry, Regulatory, and Other External Factors

The auditor should obtain an understanding of the relevant industry, regulatory, and other external factors, including the competitive environment, technological developments, regulatory environment, legal and political environment, and general economic conditions.

Nature of the Company

The auditor should obtain an understanding of the nature of the company, which should include:

  • Its organizational structure and management personnel
  • The sources of funding for its operations and investment activities, including its capital structure, noncapital funding, and other debt instruments
  • Its significant investments, including equity method investments, joint ventures, and variable interest entities
  • Its operating characteristics, including its size and complexity

NOTE: A company’s size and complexity may affect the risks of misstatement and how it addresses those risks.

  • The sources of its earnings, including the relative profitability of key products and services.
  • Key supplier and customer relationships.

NOTE: The auditor should consider the information gathered while obtaining an understanding of the nature of the company when determining the existence of related parties in accordance with AU 334, Related Parties.

The auditor should consider performing the following procedures:

  • Read public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and, in an integrated audit, the effectiveness of the company’s internal control over financial reporting (as may be found in press releases and analyst reports).
  • Observe earnings calls and other meetings with investors or rating agencies.
  • Obtain an understanding of compensation arrangements with senior management, including incentive compensation arrangements.
  • Obtain information about trading activity and holdings in the company’s securities by significant holders.

Selection and Application of Accounting Principles, Including Related Disclosures

The auditor should evaluate whether the company’s selection and application of accounting principles are appropriate for its business and are consistent with the applicable financial reporting framework. The auditor should also identify and assess the risks of material misstatement related to omitted, incomplete, or inaccurate disclosures by developing expectations about the disclosures necessary for the company’s financial statements to be presented fairly in conformity with the applicable financial reporting framework.

If the following matters are present, they are relevant to the auditor’s understanding of the accounting principles that the company has selected:

  • Significant changes in the company’s accounting principles, financial reporting policies, disclosures, and the reasons for those changes
  • The competencies of the company’s financial reporting personnel in regard to selecting and applying significant or complex accounting principles
  • Those accounts or disclosures where judgment is used in the application of significant accounting principles, especially those related to the determination of management’s estimates and assumptions
  • The impact of significant accounting principles in either controversial or emerging areas where there is a lack of authoritative guidance or consensus
  • The methods used by the company to account for significant and unusual transactions
  • The financial reporting standards, laws, and regulations that are new to the company

Company Objectives, Strategies, and Related Business Risks

The auditor obtains an understanding of a company’s objectives, strategies, and related business risks in order to identify those business risks that could reasonably be expected to result in material misstatement of the company’s financial statements.


NOTE: The auditor can identify some relevant business risks through other risk assessment procedures. These procedures can include obtaining an understanding of the nature of the company and understanding the industry, as well as regulatory and other factors.

Following are examples of situations in which business risks may result in the material misstatement of a company’s financial statements:

  • Industry developments
  • New products and services
  • Use of information technology
  • New accounting requirements
  • Expansion of the business
  • The effects of implementing a strategy, especially one that will involve new accounting requirements
  • Current and prospective financing requirements
  • Regulatory requirements

NOTE: Business risks can affect the risk of material misstatement at the financial statement level, as well as the level of particular accounts, disclosures, or assertions.

Company Performance Measures

The reason for obtaining an understanding of a company’s performance measures is to identify any performance measures that affect the risks of material misstatement. The following are examples of performance measurements that may affect the risks of material misstatement:

  • Measures used as the basis for contractual commitments or incentive compensation agreements.
  • Measures used by such external parties as analysts and rating agencies to review a company’s performance.
  • Measures a company uses to monitor its operations that highlight unexpected results or trends that prompt management to investigate their cause and take corrective action.

NOTE: Of these examples, the first two can affect the risks of material misstatement by creating incentives for management to manipulate accounts or disclosures to achieve performance targets. The last example involves measurements that management might use to monitor risks affecting the financial statements.

Obtaining an Understanding of Internal Control over Financial Reporting

The auditor should have a sufficient understanding of each component of internal control over financial reporting to identify the types of potential misstatements, assess the factors that affect the risks of material misstatement, and design further audit procedures.

The timing, nature, and extent of the procedures used to obtain an understanding of internal control depend on:

  • The size and complexity of the company
  • The auditor’s existing knowledge of the company’s internal control over financial reporting
  • The nature of the company’s records
  • The nature and extent of changes in systems and operations
  • The nature of the company’s documentation of its internal control over financial reporting

The auditor should obtain an understanding of the design of controls that are relevant to the audit, and determine whether the controls have been implemented. This step can include the inquiry of appropriate personnel, observation of the company’s operations, and the inspection of relevant documentation. To determine if a control has been implemented, the auditor should determine whether the control exists, and whether the company is using it. This step can include inquiry of appropriate personnel, combined with the observation of the application of controls or the inspection of documentation.

Internal control over financial reporting consists of the following components:

  • The control environment
  • The company’s risk assessment process
  • Information and communication
  • Control activities
  • Monitoring of controls

Management may use an internal control framework containing components that differ from the components just noted. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements, the auditor may use the framework used by management, or another suitable framework. For an integrated audit, Auditing Standard No. 5 states that the auditor should use the same control framework to perform the audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company’s internal control over financial reporting.

If the auditor uses a suitable internal control framework with components that differ from those just listed in this section, he or she should adapt the requirements in the following section to conform to the components in the framework used.

Control Environment

The auditor should obtain an understanding of the company’s control environment, including the policies and actions of management, the board of directors, and the audit committee concerning the company’s control environment. Obtaining this understanding includes assessing the following:

  • Whether management’s philosophy and operating style promote effective internal control over financial reporting
  • Whether sound integrity and ethical values, especially of top management, are developed and understood
  • Whether the board of directors or audit committee understands and exercises oversight responsibility over financial reporting and internal control

If the auditor identifies a control deficiency in the control environment of a company, he or she should evaluate the extent to which this deficiency is indicative of a fraud risk factor, as discussed later in this standard.

The Company’s Risk Assessment Process

The auditor should obtain an understanding of management’s process for identifying risks relevant to financial reporting objectives, assessing the likelihood and significance of misstatements resulting from those risks, and deciding about actions to address those risks. Obtaining an understanding of a company’s risk assessment process includes obtaining an understanding of the risks of material misstatement that have been identified and assessed by management, as well as the actions taken to address those risks.

Information and Communication

The auditor should obtain an understanding of the information system of a company, including the related business processes that are relevant to financial reporting. This understanding should include the following:

  • The classes of transactions in the company’s operations that are significant to its financial statements
  • The procedures by which those transactions are initiated, authorized, processed, recorded, and reported
  • The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process, and record transactions
  • How the information system captures events and conditions other than transactions that are significant to the financial statements
  • The period-end financial reporting process

The auditor should also obtain an understanding of how information technology affects the company’s flow of transactions. This is an integral part of the approach used to identify significant accounts and disclosures, and their relevant assertions, as well as the selection of controls to test.

A company’s business processes are those activities designed to develop, purchase, produce, sell, and distribute a company’s products or services, record information, and ensure compliance with laws and regulations relevant to the financial statements.

A company’s period-end financial reporting process includes the following activities:

  • Procedures used to log transaction totals into the general ledger
  • Procedures for the selection and application of accounting principles
  • Procedures to initiate, authorize, record, and process journal entries in the general ledger
  • Procedures to record recurring and nonrecurring adjustments to the annual financial statements
  • Procedures for preparing annual financial statements and related disclosures

The auditor should understand how the company communicates financial reporting roles and responsibilities and significant matters relating to financial reporting to company personnel and others, including communications between management, the audit committee, and the board of directors, as well as to such external parties as regulatory authorities and shareholders.

Control Activities

The auditor should gain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement, as well as to design further audit procedures. The auditor should use this knowledge of the presence or absence of control activities to determine the extent to which he or she should devote additional attention to understanding control activities to assess the factors affecting the risks of material misstatement, as well as to design further audit procedures.


NOTE: In the audit of internal control over financial reporting, the auditor’s understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit.

Monitoring of Controls

The auditor should understand the major types of activities that a company uses to monitor the effectiveness of its internal control over financial reporting, as well as how the company initiates corrective actions related to its controls. This understanding includes understanding the source of the information used in the monitoring activities.

Performing Walk-throughs

The auditor may perform walk-throughs while obtaining an understanding of internal control over financial reporting. When performing a walk-through, the auditor tracks a transaction from its origination through the company’s processes until it is reflected in the company’s financial records, using the same documents and information technology that the company uses. This activity can include a combination of inquiries, observations, document inspections, and the reperformance of controls.

At the points in a process walk-through where important processes occur, the auditor should question company personnel about their understanding of what is required by the company’s procedures and controls. These questions, combined with other walk-through procedures, improve the auditor’s understanding of the process and enable him or her to identify important points at which a control is missing or not designed properly. These questions also allow the auditor to understand the different types of transactions handled by the process.

Relationship of Understanding of Internal Control to Tests of Controls

The auditor may obtain an understanding of internal control while performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. The auditor should take into account the evidence obtained from understanding internal control when assessing control risk and (in the audit of internal control over financial reporting) forming an opinion about the effectiveness of internal control over financial reporting.

The procedures performed by the auditor to understand certain components of internal control in accordance with Auditing Standard No. 5 (e.g., the control environment, the company’s risk assessment process, information and communication, and monitoring of controls) may provide evidence that is relevant to the auditor’s evaluation of entity-level controls. The auditor should take this evidence into account when determining the timing, nature, and extent of procedures necessary to support the auditor’s conclusions about the effectiveness of entity-level controls in the audit of internal control over financial reporting.

Considering Information from the Client Acceptance and Retention Evaluation, Audit Planning Activities, Past Audits, and Other Engagements

The auditor should evaluate whether the information obtained from the client acceptance and retention evaluation process or audit planning activities is relevant to identifying risks of material misstatement. Such risks identified during those activities should be assessed as discussed later in the “Identifying and Assessing the Risks of Material Misstatement” section.

In subsequent years, the auditor should incorporate the knowledge obtained during past audits to update his or her process for identifying the risks of material misstatement, including when identifying significant ongoing matters that affect the risks of material misstatement or determining how changes in the company or its environment affect the risks of material misstatement.

If the auditor plans to limit the nature, timing, or extent of the risk assessment procedures by relying on such information from past audits, the auditor should evaluate whether the information from prior years remains relevant and reliable.

When the auditor has conducted a review of interim financial information as per AU 722, Interim Financial Information, he or she should evaluate whether information from the review is relevant to identifying the risks of material misstatement in the year-end audit.

The auditor should understand the nature of the services that have been performed for the company by the auditor or affiliates of the firm, and should take into account any relevant information obtained from those engagements to identify risks of material misstatement.

Performing Analytical Procedures

The analytical procedures that the auditor performs should be designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that occurred after the prior year-end, as well as to identify areas that might represent specific risks relevant to the audit, including the existence of unusual transactions and events, amounts, ratios, and trends.

When applying analytical procedures as risk assessment procedures, the auditor should perform analytical procedures for revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, which includes material misstatement due to fraud. Further, when the auditor has performed a review of interim financial information in accordance with AU 722, he or she should take account of the analytical procedures used in that review when designing and applying analytical procedures as risk assessment procedures.

When performing an analytical procedure, the auditor should use his or her understanding of the company to create expectations about plausible relationships among the data to be used in the procedure. When the comparison of those expectations with relationships from recorded amounts results in unusual or unexpected results, the auditor should factor in those results in identifying the risks of material misstatement.


NOTE: Analytical procedures that are performed as risk assessment procedures often use data that is either preliminary or aggregated at a high level. Such procedures are not designed with the level of precision needed for substantive analytical procedures.

Conducting a Discussion Among Engagement Team Members Regarding Risks of Material Misstatement

Key members of the engagement team should discuss the company’s selection and application of accounting principles and disclosure requirements, as well as the susceptibility of the company’s financial statements to material misstatement due to error or fraud. Members of the key engagement team should include those who have significant engagement responsibilities; this includes the engagement partner. The engagement partner or other key engagement team members should communicate the important matters from the discussion to those engagement team members not involved in the discussion. This communication should continue throughout the audit, including when conditions change.


NOTE: If the engagement partner performs the entire audit, then this person, having personally planned the audit, is responsible for evaluating the susceptibility of the company’s financial statements to material misstatement.

Discussion of the Potential for Material Misstatement Due to Fraud

When members of the key engagement team discuss the potential for material misstatement due to fraud, they should do so with a questioning mind, and should set aside any prior beliefs that management is honest and has integrity. This discussion should include the following:

  • Brainstorming among the team members about how and where the company’s financial statements might be susceptible to material misstatement due to fraud, how management could create and conceal fraudulent financial reporting, and how the assets of the company could be misappropriated. The discussion should include the susceptibility of the financial statements to material misstatement through related party transactions and how fraud might arise or be concealed by omitting or presenting incomplete or inaccurate disclosures.
  • Consideration of the external and internal factors affecting the company that might create incentives or pressures for management and others to commit fraud, create the opportunity for fraud to be committed, and indicate a culture or environment that enables management to rationalize committing fraud.
  • Consideration of the risk of management override.
  • Consideration of the potential audit responses to the susceptibility of the company’s financial statements to material misstatement due to fraud.

The auditor should point out the following matters to all members of the engagement team:

  • They should maintain a questioning mind throughout the audit and exercise professional skepticism in gathering and evaluating evidence.
  • They should be alert for information or other conditions that might affect the assessment of fraud risks.
  • If there is an indication that a material misstatement due to fraud may have occurred, they should probe the issues, acquire additional evidence as necessary, and consult with other team members or others in the firm, including specialists.

Inquiring of the Audit Committee, Management, and Others within the Company about the Risks of Material Misstatement

The auditor should make inquiries of the audit committee or its equivalent, management, the internal audit function, and any others within the company who might be expected to have information important to the identification and assessment of risks of material misstatement. These inquiries should address fraud risks.

The auditor should employ his or her knowledge of the company and its environment, plus information from other risk assessment procedures, to determine the nature of the inquiries about risks of material misstatement.

Inquiries Regarding Fraud Risks

Inquiries by the auditor concerning fraud risks should include the following items:

1. Inquiries of management regarding:
  • Whether management has knowledge of alleged, suspected, or actual fraud affecting the company
  • Management’s process for identifying and responding to fraud risks, including any identified fraud risks, or account balances or disclosures for which a fraud risk is likely to exist, as well as the nature, extent, and frequency of management’s fraud risk assessment process
  • Controls established by the company to address identified fraud risks, or that otherwise help to prevent and detect fraud, as well as how management monitors these controls
  • If there are multiple locations, the nature and extent of monitoring operating locations or business segments, and whether there are specific operating locations or business segments for which a fraud risk is more likely to exist
  • How management communicates to employees (if at all) its views on business practices and ethical behavior
  • Whether management has received tips or complaints about its financial reporting, and management’s response to those tips or complaints
  • Whether management has reported to the audit committee regarding how internal control serves to prevent and detect material misstatements due to fraud
2. Inquiries of the audit committee or the equivalent, or its chairperson regarding:
  • The committee’s views about fraud risk in the company
  • Whether the committee has knowledge of any alleged, suspected, or actual fraud affecting the company
  • Whether the committee is aware of tips or complaints about the company’s financial reporting and the committee’s responses to those tips or complaints
  • How the committee exercises oversight of the company’s assessment of fraud risks and the establishment of controls to address fraud risks
3. Inquiries of internal audit personnel (if there are any) regarding:
  • Their views about fraud risks in the company
  • Whether they have knowledge of any alleged, suspected, or actual fraud affecting the company
  • Whether they have performed procedures to identify or detect fraud during the year, and whether management has responded in a satisfactory manner to the findings resulting from those procedures
  • Whether they are aware of instances of management override of controls, as well as the nature and circumstances of such overrides

In addition to the inquiries just noted, the auditor should make inquiries of others within the company regarding their views about fraud risk, including any knowledge of alleged, suspected, or actual fraud. The auditor should identify others within the company to whom to make these inquiries, and determine the extent of the inquiries by considering whether others in the company may have additional information on this topic, or can corroborate fraud risks identified in discussions with management or the audit committee. These people may include:

  • Employees with varying levels of authority within the company, including those with whom the auditor comes into contact during the audit
  • Operating personnel not directly involved in the financial reporting process
  • Employees involved in initiating, recording, or processing complex or unusual transactions
  • In-house legal counsel

When evaluating responses to inquiries about fraud risks and determining when to corroborate their responses, the auditor should account for the fact that management is commonly in the best position to commit fraud. Further, the auditor should compile evidence to address inconsistencies in the responses to his or her inquiries.

Identifying and Assessing the Risks of Material Misstatement

The auditor should identify and assess the risks of material misstatement at both the financial statement level and the assertion level. In identifying these risks of misstatement, the auditor should:

  • Identify risks of misstatement using information obtained from the performance of risk assessment procedures and consider the characteristics of the accounts and disclosures in the financial statements
  • Evaluate whether the identified risks relate pervasively to the financial statements as a whole and may potentially affect many assertions
  • Evaluate the types of potential misstatements that may result from the identified risks and the accounts, disclosures, and assertions that may be affected
  • Assess the likelihood of misstatement and the magnitude of potential misstatement to assess the possibility that the risk could result in material misstatement of the financial statements
  • Identify significant accounts and disclosures and their relevant assertions
  • Determine whether any of the identified and assessed risks of material misstatement are significant risks

Identifying Significant Accounts and Disclosures and Their Relevant Assertions

To identify significant accounts and disclosures and relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. The risk factors relevant to the identification of significant accounts and disclosures and relevant assertions include:

  • Size and composition of the account
  • Susceptibility to misstatement due to error or fraud
  • Volume of activity, complexity, and homogeneity of the transactions processed through the account or reflected in the disclosure
  • Nature of the account or disclosure
  • Accounting and reporting complexities associated with the account or disclosure
  • Exposure to losses in the account
  • Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
  • Existence of related party transactions in the account
  • Changes from the prior period in account and disclosure characteristics

The auditor should also determine the likely sources of potential misstatements that could cause the financial statements to be materially misstated. The auditor may determine the likely sources of potential misstatements by asking “what could go wrong” within a significant account or disclosure.

The risk factors that the auditor should evaluate in identifying significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements. Thus, significant accounts and disclosures and their relevant assertions are the same for both types of audits.

The components of a potential significant account or disclosure might be subject to significantly differing risks.

When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures, as well as their relevant assertions, based on the consolidated financial statements.

Factors Relevant to Identifying Fraud Risks

The auditor should evaluate whether the information gathered from the risk assessment procedures indicates that fraud risk factors are present, and should be taken into account in identifying and assessing fraud risks. The auditor may conclude that a fraud risk exists even when only one fraud condition exists (see the “Definitions of Terms” section).

The auditor’s consideration of fraud risk factors should include an evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures, or by omitting disclosures that are necessary for the financial statements to be presented fairly in conformity with the applicable financial reporting framework.

The auditor should presume that there is a fraud risk involving improper revenue recognition, and evaluate the types of revenue, related transactions, or assertions giving rise to these risks.

The auditor should include the risk of management override of controls in the identification of fraud risks.


NOTE: The controls over management override are important for effective internal control over financial reporting, and may be especially important at smaller companies due to the increased involvement of senior management in performing controls and the period-end financial reporting process. Consequently, the controls addressing the risk of management override may differ for a smaller company from those used in a larger company.

Factors Relevant to Identifying Significant Risks

The auditor must determine whether an identified risk is a significant risk from the perspective of a material misstatement, and so should evaluate whether the risk requires special consideration. Factors to evaluate in determining which risks are significant include:

  • The effect of quantitative and qualitative risk factors on the likelihood and potential magnitude of misstatements
  • Whether the risk is a fraud risk
  • Whether the risk is related to recent significant economic, accounting, and other developments
  • The complexity of the transactions
  • Whether the risk involves significant transactions with related parties
  • The degree of complexity or judgment in the recognition or measurement of financial information related to the risk
  • Whether the risk involves significant transactions that are outside the normal course of business for the company or that appear to be unusual due to their timing, size, or nature

Further Consideration of Controls

When the auditor concludes that a significant risk exists, he or she should evaluate the design of the company’s controls that are targeted at fraud risks and other significant risks to determine whether those controls have been implemented. Controls that address fraud risk include:

  • Specific controls designed to mitigate specific risks of fraud
  • Controls designed to prevent, deter, and detect fraud

Such controls include those addressing the risk of management override of other controls.

Revision of Risk Assessment

The auditor’s assessment of the risks of material misstatement, including fraud risks, should continue throughout an audit. If evidence arises during the course of the audit that contradicts the audit evidence on which the auditor originally based a risk assessment, he or she should revise the assessment and modify planned audit procedures or perform additional ones in response to the revised risk assessments.

1 Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.
