Effective Date: This standard currently is effective.
Applicability: All audit planning.
Fraud risk factors. Events or conditions that indicate an incentive or pressure to perpetrate fraud, an opportunity to carry out fraud, or an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud. However, they are frequently present where fraud exists.
Public Company Accounting Oversight Board (PCAOB) Auditing Standard 12 sets the objective of identifying and appropriately assessing the risk of material misstatement, thereby providing a basis for designing and implementing responses to that risk.
The auditor should perform sufficient risk assessment procedures to provide a reasonable basis for identifying and assessing the risks of material misstatement due to error or fraud, and to design further audit procedures.
There are a variety of sources from which the risk of material misstatement can arise, including both internal and external factors. These factors can affect the judgments involved in the determination of accounting estimates, or create pressure to manipulate the financial statements in order to achieve financial goals. This standard addresses the following risk assessment procedures:
In the case of an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. Thus, the auditor’s risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements.
The auditor should obtain an understanding of the company and its environment that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining this understanding includes:
The auditor should evaluate whether significant changes in the company from prior periods, including any changes in its internal control over financial reporting, affect the risks of material misstatement.
The auditor should obtain an understanding of the relevant industry, regulatory, and other external factors, including the competitive environment, technological developments, regulatory environment, legal and political environment, and general economic conditions.
The auditor should obtain an understanding of the nature of the company, which should include:
The auditor should consider performing the following procedures:
The auditor should evaluate whether the company’s selection and application of accounting principles are appropriate for its business and are consistent with the applicable financial reporting framework. The auditor should also identify and assess the risks of material misstatement related to omitted, incomplete, or inaccurate disclosures by developing expectations about the disclosures necessary for the company’s financial statements to be presented fairly in conformity with the applicable financial reporting framework.
If the following matters are present, they are relevant to the auditor’s understanding of the accounting principles that the company has selected:
The auditor obtains an understanding of a company’s objectives, strategies, and related business risks in order to identify those business risks that could reasonably be expected to result in material misstatement of the company’s financial statements.
Following are examples of situations in which business risks may result in the material misstatement of a company’s financial statements:
The reason for obtaining an understanding of a company’s performance measures is to identify any performance measures that affect the risks of material misstatement. The following are examples of performance measurements that may affect the risks of material misstatement:
The auditor should have a sufficient understanding of each component of internal control over financial reporting to identify the types of potential misstatements, assess the factors that affect the risks of material misstatement, and design further audit procedures.
The timing, nature, and extent of the procedures used to obtain an understanding of internal control depend on:
The auditor should obtain an understanding of the design of controls that are relevant to the audit, and determine whether the controls have been implemented. This step can include the inquiry of appropriate personnel, observation of the company’s operations, and the inspection of relevant documentation. To determine if a control has been implemented, the auditor should determine whether the control exists, and whether the company is using it. This step can include inquiry of appropriate personnel, combined with the observation of the application of controls or the inspection of documentation.
Internal control over financial reporting consists of the following components:
Management may use an internal control framework containing components that differ from the components just noted. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements, the auditor may use the framework used by management, or another suitable framework. For an integrated audit, Auditing Standard No. 5 states that the auditor should use the same control framework to perform the audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company’s internal control over financial reporting.
If the auditor uses a suitable internal control framework with components that differ from those just listed in this section, he or she should adapt the requirements in the following section to conform to the components in the framework used.
The auditor should obtain an understanding of the company’s control environment, including the policies and actions of management, the board of directors, and the audit committee concerning the company’s control environment. Obtaining this understanding includes assessing the following:
If the auditor identifies a control deficiency in the control environment of a company, he or she should evaluate the extent to which this deficiency is indicative of a fraud risk factor, as discussed later in this standard.
The auditor should obtain an understanding of management’s process for identifying risks relevant to financial reporting objectives, assessing the likelihood and significance of misstatements resulting from those risks, and deciding about actions to address those risks. Obtaining an understanding of a company’s risk assessment process includes obtaining an understanding of the risks of material misstatement that have been identified and assessed by management, as well as the actions taken to address those risks.
The auditor should obtain an understanding of the information system of a company, including the related business processes that are relevant to financial reporting. This understanding should include the following:
The auditor should also obtain an understanding of how information technology affects the company’s flow of transactions. This is an integral part of the approach used to identify significant accounts and disclosures, and their relevant assertions, as well as the selection of controls to test.
A company’s business processes are those activities designed to develop, purchase, produce, sell, and distribute a company’s products or services, record information, and ensure compliance with laws and regulations relevant to the financial statements.
A company’s period-end financial reporting process includes the following activities:
The auditor should understand how the company communicates financial reporting roles and responsibilities and significant matters relating to financial reporting to company personnel and others, including communications between management, the audit committee, and the board of directors, as well as to such external parties as regulatory authorities and shareholders.
The auditor should gain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement, as well as to design further audit procedures. The auditor should use this knowledge of the presence or absence of control activities to determine the extent to which he or she should devote additional attention to understanding control activities to assess the factors affecting the risks of material misstatement, as well as to design further audit procedures.
The auditor should understand the major types of activities that a company uses to monitor the effectiveness of its internal control over financial reporting, as well as how the company initiates corrective actions related to its controls. This understanding includes understanding the source of the information used in the monitoring activities.
The auditor may perform walk-throughs while obtaining an understanding of internal control over financial reporting. When performing a walk-through, the auditor tracks a transaction from its origination through the company’s processes until it is reflected in the company’s financial records, using the same documents and information technology that the company uses. This activity can include a combination of inquiries, observations, document inspections, and the reperformance of controls.
At the points in a process walk-through where important processes occur, the auditor should question company personnel about their understanding of what is required by the company’s procedures and controls. These questions, combined with other walk-through procedures, improve the auditor’s understanding of the process and enable him or her to identify important points at which a control is missing or not designed properly. These questions also allow the auditor to understand the different types of transactions handled by the process.
The auditor may obtain an understanding of internal control while performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. The auditor should take into account the evidence obtained from understanding internal control when assessing control risk and (in the audit of internal control over financial reporting) forming an opinion about the effectiveness of internal control over financial reporting.
The procedures performed by the auditor to understand certain components of internal control in accordance with Auditing Standard No. 5 (e.g., the control environment, the company’s risk assessment process, information and communication, and monitoring of controls) may provide evidence that is relevant to the auditor’s evaluation of entity-level controls. The auditor should take this evidence into account when determining the timing, nature, and extent of procedures necessary to support the auditor’s conclusions about the effectiveness of entity-level controls in the audit of internal control over financial reporting.
The auditor should evaluate whether the information obtained from the client acceptance and retention evaluation process or audit planning activities is relevant to identifying risks of material misstatement. Such risks identified during those activities should be assessed as discussed later in the “Identifying and Assessing the Risks of Material Misstatement” section.
In subsequent years, the auditor should incorporate the knowledge obtained during past audits to update his or her process for identifying the risks of material misstatement, including when identifying significant ongoing matters that affect the risks of material misstatement or determining how changes in the company or its environment affect the risks of material misstatement.
If the auditor plans to limit the nature, timing, or extent of the risk assessment procedures by relying on such information from past audits, the auditor should evaluate whether the information from prior years remains relevant and reliable.
When the auditor has conducted a review of interim financial information as per AU 722, Interim Financial Information, he or she should evaluate whether information from the review is relevant to identifying the risks of material misstatement in the year-end audit.
The auditor should understand the nature of the services that have been performed for the company by the auditor or affiliates of the firm, and should take into account any relevant information obtained from those engagements to identify risks of material misstatement.
The analytical procedures that the auditor performs should be designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that occurred after the prior year-end, as well as to identify areas that might represent specific risks relevant to the audit, including the existence of unusual transactions and events, amounts, ratios, and trends.
When applying analytical procedures as risk assessment procedures, the auditor should perform analytical procedures for revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, which includes material misstatement due to fraud. Further, when the auditor has performed a review of interim financial information in accordance with AU 722, he or she should take account of the analytical procedures used in that review when designing and applying analytical procedures as risk assessment procedures.
When performing an analytical procedure, the auditor should use his or her understanding of the company to create expectations about plausible relationships among the data to be used in the procedure. When the comparison of those expectations with relationships from recorded amounts results in unusual or unexpected results, the auditor should factor in those results in identifying the risks of material misstatement.
Key members of the engagement team should discuss the company’s selection and application of accounting principles and disclosure requirements, as well as the susceptibility of the company’s financial statements to material misstatement due to error or fraud. Members of the key engagement team should include those who have significant engagement responsibilities; this includes the engagement partner. The engagement partner or other key engagement team members should communicate the important matters from the discussion to those engagement team members not involved in the discussion. This communication should continue throughout the audit, including when conditions change.
When members of the key engagement team discuss the potential for material misstatement due to fraud, they should do so with a questioning mind, and should set aside any prior beliefs that management is honest and has integrity. This discussion should include the following:
The auditor should point out the following matters to all members of the engagement team:
The auditor should make inquiries of the audit committee or its equivalent, management, the internal audit function, and any others within the company who might be expected to have information important to the identification and assessment of risks of material misstatement. These inquiries should address fraud risks.
The auditor should employ his or her knowledge of the company and its environment, plus information from other risk assessment procedures, to determine the nature of the inquiries about risks of material misstatement.
Inquiries by the auditor concerning fraud risks should include the following items:
In addition to the inquiries just noted, the auditor should make inquiries of others within the company regarding their views about fraud risk, including any knowledge of alleged, suspected, or actual fraud. The auditor should identify others within the company to whom to make these inquiries, and determine the extent of the inquiries by considering whether others in the company may have additional information on this topic, or can corroborate fraud risks identified in discussions with management or the audit committee. These people may include:
When evaluating responses to inquiries about fraud risks and determining when to corroborate their responses, the auditor should account for the fact that management is commonly in the best position to commit fraud. Further, the auditor should compile evidence to address inconsistencies in the responses to his or her inquiries.
The auditor should identify and assess the risks of material misstatement at both the financial statement level and the assertion level. In identifying these risks of misstatement, the auditor should:
To identify significant accounts and disclosures and relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. The risk factors relevant to the identification of significant accounts and disclosures and relevant assertions include:
The auditor should also determine the likely sources of potential misstatements that could cause the financial statements to be materially misstated. The auditor may determine the likely sources of potential misstatements by asking “what could go wrong” within a significant account or disclosure.
The risk factors that the auditor should evaluate in identifying significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements. Thus, significant accounts and disclosures and their relevant assertions are the same for both types of audits.
The components of a potential significant account or disclosure might be subject to significantly differing risks.
When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures, as well as their relevant assertions, based on the consolidated financial statements.
The auditor should evaluate whether the information gathered from the risk assessment procedures indicates that fraud risk factors are present, and should be taken into account in identifying and assessing fraud risks. The auditor may conclude that a fraud risk exists even when only one fraud condition exists (see the “Definitions of Terms” section).
The auditor’s consideration of fraud risk factors should include an evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures, or by omitting disclosures that are necessary for the financial statements to be presented fairly in conformity with the applicable financial reporting framework.
The auditor should presume that there is a fraud risk involving improper revenue recognition, and evaluate the types of revenue, related transactions, or assertions giving rise to these risks.
The auditor should include the risk of management override of controls in the identification of fraud risks.
The auditor must determine whether an identified risk is a significant risk from the perspective of a material misstatement, and so should evaluate whether the risk requires special consideration. Factors to evaluate in determining which risks are significant include:
When the auditor concludes that a significant risk exists, he or she should evaluate the design of the company’s controls that are targeted at fraud risks and other significant risks to determine whether those controls have been implemented. Controls that address fraud risk include:
Such controls include those addressing the risk of management override of other controls.
The auditor’s assessment of the risks of material misstatement, including fraud risks, should continue throughout an audit. If evidence arises during the course of the audit that contradicts the audit evidence on which the auditor originally based a risk assessment, he or she should revise the assessment and modify planned audit procedures or perform additional ones in response to the revised risk assessments.
1 Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.