PCAOB 13: The Auditor’s Responses to the Risks of Material Misstatement¹

EFFECTIVE DATE AND APPLICABILITY

Effective Date: This standard currently is effective.
Applicability: All audit planning.

DEFINITIONS OF TERMS

Dual-purpose test. A substantive test of a transaction that is performed concurrently with a test of a control relevant to that transaction.

Professional skepticism. An attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence.

OBJECTIVES OF PCAOB STANDARD 13

PCAOB Auditing Standard 13 sets the objective of addressing the risks of material misstatement through appropriate overall audit responses and audit procedures.

FUNDAMENTAL REQUIREMENTS

Responding to the Risks of Material Misstatement

The auditor must design and implement audit responses addressing the risks of material misstatement that are identified and assessed in accordance with Auditing Standard 12, Identifying and Assessing Risks of Material Misstatement.

Overall Responses

The auditor should design and implement overall responses to address the assessed risks of material misstatement with the following actions:

1. Ensure that the knowledge, skill, and ability of engagement team members with significant engagement responsibilities are commensurate with the assessed risks of material misstatement.
2. Provide the extent of supervision appropriate for the circumstances, including the assessed risks of material misstatement.
3. Incorporate an element of unpredictability in the selection of auditing procedures to be performed from year to year. Examples of such unpredictability are procedures not normally performed based on their amount or risk assessment, varying the timing of audit procedures, selecting test items that are outside of customary selection parameters, performing audit procedures on an unannounced basis, and varying the location or the nature, timing, or extent of audit procedures at related locations or business units.
4. Evaluate whether the company’s selection and application of significant accounting principles, especially those related to subjective measurements and complex transactions, are indicative of bias that could lead to material misstatement of the financial statements.

The auditor should determine whether it is necessary to make pervasive changes to the nature, timing, or extent of audit procedures in order to adequately address assessed risks of material misstatement. Examples of such changes are increasing the substantive testing of the valuation of significant accounts because of deteriorating market conditions, and obtaining more persuasive audit evidence from substantive procedures because of the identification of pervasive weaknesses in the control environment.

The auditor should exercise professional skepticism in gathering and evaluating audit evidence, particularly for fraud risks. Examples of the application of professional skepticism are modifying planned audit procedures to obtain more reliable evidence regarding assertions, obtaining evidence to corroborate management’s explanations or representations, use of a specialist, or examining documentation from independent sources.

Responses Involving the Nature, Timing, and Extent of Audit Procedures

The auditor should design and perform audit procedures to address the assessed risks of material misstatement for each assertion of each significant amount and disclosure. In designing these procedures, the auditor should do the following:

  • Obtain more persuasive audit evidence where there is a higher assessment of risk.
  • Take into account the types of potential misstatements that could result from the identified risks, as well as the magnitude of potential misstatement.
  • For an integrated audit, design the testing of controls to accomplish the objectives of both audits at once, which are to obtain sufficient evidence to support the control risk assessments for the audit of financial statements as well as to obtain sufficient evidence to support the opinion on internal control over financial reporting as of year-end.

Responses to Significant Risks

The auditor should perform substantive procedures for significant risks, including tests of details that are specifically responsive to the assessed risks.


NOTE: See Auditing Standard 12 for a discussion of the identification of significant risks.

Responses to Fraud Risks

The audit procedures used to address the assessed fraud risks depend upon the types of risks and the relevant assertions that might be affected. If the auditor identifies deficiencies in the controls that are intended to address assessed fraud risks, the auditor should take the deficiencies into account when designing a response to those risks.


NOTE: See Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 for requirements regarding addressing assessed fraud risks in the audit of internal control over financial reporting.

In the audit of financial statements, the auditor should perform substantive tests, including tests of details that are specifically responsive to the assessed fraud risks. The following are examples of ways to modify planned audit procedures to address assessed fraud risks:

1. Changing the nature of audit procedures to obtain evidence that is more reliable, or to obtain corroborating information
2. Changing the timing of audit procedures to be closer to the end of the period or to the date when fraudulent transactions are more likely to occur
3. Changing the extent of audit procedures to obtain more evidence

The auditor should perform audit procedures to specifically address the risk of management override of controls. They should include:

1. Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud
2. Reviewing accounting estimates for biases that could result in material misstatement due to fraud
3. Evaluating the business rationale for significant unusual transactions

Testing Controls

Testing Controls in an Audit of Financial Statements

If the auditor plans to assess control risk at less than the maximum by relying on controls, and the timing, nature, and extent of the procedures are based on that lower assessment, then the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period when reliance is placed on the controls. The auditor is not required to assess control risk at less than the maximum level for all relevant assertions, and may choose not to do so.

The auditor must perform tests in the audit of financial statements for each relevant assertion for which substantive procedures by themselves cannot provide sufficient audit evidence, and when necessary to support the auditor’s reliance on the accuracy and completeness of the financial information used in performing other audit procedures.


NOTE: When information supporting an assertion is electronically initiated, recorded, processed, or reported, the sufficiency and appropriateness of the audit evidence usually depends on the effectiveness of controls over their accuracy and completeness.

The evidence needed to support the auditor’s control risk assessment depends on the degree of reliance the auditor plans to place on the effectiveness of a control. If the auditor places greater reliance on the effectiveness of the control, he or she should obtain more persuasive audit evidence. This is also the case for each relevant assertion for which the audit approach consists primarily of tests of controls, including situations where substantive procedures alone do not provide sufficient audit evidence.

Testing Design Effectiveness

The auditor should test the design effectiveness of any controls selected for testing by determining whether the controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company’s control objectives and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements.


NOTE: A less complex or smaller company might achieve its control objectives in a different manner than a more complex or larger firm, since the less complex or smaller company may have fewer employees in the accounting department, which limits its ability to segregate duties. The result may be the use of alternative controls to achieve its control objectives. The auditor should examine whether these alternative controls are effective.

Procedures that an auditor can perform to test design effectiveness include a mix of inquiry of personnel, observation of company operations, and inspection of documentation. Walkthroughs including these procedures are usually sufficient for evaluating design effectiveness.

Testing Operating Effectiveness

The auditor should test the operating effectiveness of a control that has been selected for testing by determining whether the control is operating as designed, and whether the person performing the control possesses the authority and competence to perform the control effectively. Procedures that the auditor can perform to test operating effectiveness include a mix of inquiry of personnel, observation of company operations, inspection of documentation, and the reperformance of the control.

Obtaining Evidence from Tests of Controls

The evidence provided by the auditor’s tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor’s procedures. For an individual control, different combinations of these factors might provide sufficient evidence in relation to the degree of reliance in an audit of financial statements.


NOTE: The effectiveness of a control cannot be inferred from the absence of misstatements detected by substantive procedures.

Nature of Tests of Controls

The following tests that the auditor could perform are presented in the order of the evidence that they should produce, from least to most: inquiry, observation, inspection of documentation, and reperformance of a control. It is not sufficient to only use inquiry to support a conclusion about the effectiveness of a control.

The type of tests of controls to use depends on the nature of the control to be tested, as well as whether operation of the control results in documentary evidence of its operation.

Extent of Tests of Controls

The more extensively a control is tested, the more evidence is obtained from that test. Issues that can affect the extent of testing in relation to the amount of reliance on a control include:

  • The number of times the company performed the control
  • The length of time that the auditor is relying on the effectiveness of the control
  • The expected rate of deviation from the control
  • The relevance and reliability of the evidence to be obtained from the effectiveness of the control
  • The extent to which audit evidence is obtained from other control tests related to the assertion
  • The nature of the control, including whether it is a manual or automated control
  • The effectiveness of information technology general controls

Timing of Tests of Controls

The auditor must obtain evidence that those controls selected for testing are designed and operated effectively through the entire period of reliance.

If the auditor obtains evidence about the operating effectiveness of controls through an interim date, he or she should determine what additional evidence is needed concerning the operation of the controls through the remainder of the period of reliance. This additional evidence depends on the following factors:

  • The possibility of significant changes in internal control over financial reporting subsequent to the interim date
  • The inherent risk associated with the related accounts or assertions
  • The control tested prior to year-end, and the risk that it is no longer effective during the remaining period
  • The planned amount of reliance on the control
  • The sufficiency of evidence of the effectiveness obtained at the interim date
  • The length of the remaining period since the interim date

When the auditor relies on controls that have been tested in past audits, and he or she plans to use evidence about the effectiveness of those controls that was collected in prior years, then he or she should take the following factors into account to determine the evidence needed during the current year audit:

  • The nature and materiality of misstatements that the control was designed to prevent or detect
  • The inherent risk associated with the related account or assertion
  • The existence of any changes in the volume or nature of a transaction that might affect the control
  • A history of errors at the account level
  • The effectiveness of entity-level controls tested by the auditor, in particular those controls that monitor other controls
  • The nature of controls and their frequency of operation
  • The extent of reliance by a control on the effectiveness of other controls
  • The competence of the personnel who perform the control or monitor it, as well as changes in key personnel who operate in this capacity
  • Whether a control relies on manual or automated monitoring
  • The complexity of the control and the significance of judgments made in connection with it
  • The planned degree of reliance on a control
  • The nature, timing, and extent of the procedures performed in past audits
  • The results of the previous years’ control testing
  • Any changes in the control or the process with which it is associated
  • For integrated audits, the effectiveness of any controls examined during the audit of internal control

Access Control Risk

The auditor should evaluate control risk for assertions by evaluating the evidence obtained from all sources, including the test of controls for the audit of internal control and the audit of financial statements, misstatements detected during the audit, and control deficiencies.

The auditor should assess control risk at the maximum level for relevant assertions when controls needed to address the assessed risk of material misstatement are missing or ineffective, or when there is no sufficient appropriate evidence to support a control risk assessment that is below the maximum level.

If the auditor detects deficiencies in the control on which he or she intends to rely, there should be an evaluation of the severity of the deficiencies and the effect on the control risk assessments. If the controls are ineffective, the auditor should:

  • Test other controls related to the same assertion as the ineffective controls
  • Revise the control risk assessment and modify the substantive procedures in light of the increased risk assessment

Testing Controls in an Audit of Internal Control

The objective of the tests of controls in an audit of internal control is to obtain evidence concerning the effectiveness of those controls used to support the auditor’s opinion on a company’s internal control over financial reporting.

Substantive Controls

The auditor should perform substantive procedures for each assertion of each significant account and disclosure, irrespective of the assessed level of control risk. As the assessed risk of material misstatement increases, the auditor should obtain an increased amount of evidence from substantive procedures. This evidence depends on the nature, timing, and extent of the procedures. Different combinations of testing may be sufficient for the testing of an individual assertion.

Internal controls over financial reporting have limitations that can affect the evidence needed from substantive procedures. Thus, more evidence from substantive procedures is needed for assertions that are subject to management override or lapses in judgment.

Nature of Substantive Procedures

Substantive procedures usually provide persuasive evidence when they are designed and performed to obtain relevant and reliable evidence. The auditor should take into account the types of potential misstatements in the assertions that could arise from identified risks, which may help to determine the types and combinations of procedures needed to detect material misstatements in the assertions. The assertions must include the following audit procedures for the period-end financial reporting process:

  • Reconcile the financial statements with the accounting records
  • Examine material adjustments to the financial statements

Extent of Substantive Procedures

The extent of usage of a substantive audit procedure depends on the materiality of the account or disclosure, as well as the assessed risk of material misstatement, and the necessary degree of assurance from the procedure. Increasing the extent of an audit procedure may not adequately address an assessed risk of material misstatement unless any evidence obtained by doing so is reliable and relevant.

Timing of Substantive Procedures

The auditor can perform some substantive procedures at interim dates for early consideration of issues affecting the year-end financial statements. However, doing so without performing procedures at a later date increases the risk of a material misstatement within the year-end financial statements that would not be detected. This risk increases if there is a longer interval between the interim date and the year-end.

To determine whether to perform substantive procedures at an interim date, the auditor should consider the following:

1. The assessed risk of material misstatement, which includes the assessment of control risk, conditions or circumstances that may pressure management to misstate the financial statements, and the effects of changes in the company or its environment or controls over financial reporting during the remaining time period
2. The nature of substantive procedures
3. The nature of the account or disclosure, and the relevant assertion
4. The auditor’s ability to perform procedures for the remaining time period

If the auditor performs substantive tests at an interim date, he or she should address the remaining period by performing substantive procedures, or such procedures in combination with tests of controls that create a reasonable basis for extending the audit conclusions for the period from the interim date to the period end. These procedures should compare information about the account balance at the interim date with comparable information at the end of the period to identify unusual amounts, and perform audit procedures for the remaining period.

If these actions result in evidence that contradicts the evidence on which the auditor based his or her original risk assessments, this may result in revising the related risk assessments and modifying the planned nature, timing, or extent of those substantive procedures covering the remaining time period.

Dual-Purpose Tests

When the auditor conducts a dual-purpose test, he or she should design the test to achieve the objectives of both the test of the control and of the substantive test. Also, the auditor should evaluate the results of the test when forming conclusions about both the assertion and the effectiveness of the control being tested.

¹ Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.
