Effective Date: This standard currently is effective.
Applicability: All audit planning.
Dual-purpose test. A substantive test of a transaction that is performed concurrently with a test of a control relevant to that transaction.
Professional skepticism. An attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence.
PCAOB Auditing Standard 13 sets the objective of addressing the risks of material misstatement through appropriate overall audit responses and audit procedures.
The auditor must design and implement audit responses addressing the risks of material misstatement that are identified and assessed in accordance with Auditing Standard 12, Identifying and Assessing Risks of Material Misstatement.
The auditor should design and implement overall responses to address the assessed risks of material misstatement with the following actions:
The auditor should determine whether it is necessary to make pervasive changes to the nature, timing, or extent of audit procedures in order to adequately address assessed risks of material misstatement. Examples of such changes are increasing the substantive testing of the valuation of significant accounts because of deteriorating market conditions, and obtaining more persuasive audit evidence from substantive procedures because of the identification of pervasive weaknesses in the control environment.
The auditor should exercise professional skepticism in gathering and evaluating audit evidence, particularly for fraud risks. Examples of the application of professional skepticism are modifying planned audit procedures to obtain more reliable evidence regarding assertions, obtaining evidence to corroborate management’s explanations or representations, use of a specialist, or examining documentation from independent sources.
The auditor should design and perform audit procedures to address the assessed risks of material misstatement for each assertion of each significant account and disclosure. In designing these procedures, the auditor should do the following:
The auditor should perform substantive procedures for significant risks, including tests of details that are specifically responsive to the assessed risks.
The audit procedures used to address the assessed fraud risks depend upon the types of risks and the relevant assertions that might be affected. If the auditor identifies deficiencies in the controls that are intended to address assessed fraud risks, the auditor should take the deficiencies into account when designing a response to those risks.
In the audit of financial statements, the auditor should perform substantive tests, including tests of details that are specifically responsive to the assessed fraud risks. The following are examples of ways to modify planned audit procedures to address assessed fraud risks:
The auditor should perform audit procedures to specifically address the risk of management override of controls. They should include:
If the auditor plans to assess control risk at less than the maximum by relying on controls, and the timing, nature, and extent of the procedures are based on that lower assessment, then the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period when reliance is placed on the controls. The auditor is not required to assess control risk at less than the maximum level for all relevant assertions, and may choose not to do so.
The auditor must perform tests in the audit of financial statements for each relevant assertion for which substantive procedures by themselves cannot provide sufficient audit evidence, and when necessary to support the auditor’s reliance on the accuracy and completeness of the financial information used in performing other audit procedures.
The evidence needed to support the auditor’s control risk assessment depends on the degree of reliance the auditor plans to place on the effectiveness of a control. If the auditor places greater reliance on the effectiveness of the control, he or she should obtain more persuasive audit evidence. This is also the case for each relevant assertion for which the audit approach consists primarily of tests of controls, including situations where substantive procedures alone do not provide sufficient audit evidence.
The auditor should test the design effectiveness of any controls selected for testing by determining whether the controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company’s control objectives and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements.
Procedures that an auditor can perform to test design effectiveness include a mix of inquiry of personnel, observation of company operations, and inspection of documentation. Walkthroughs including these procedures are usually sufficient for evaluating design effectiveness.
The auditor should test the operating effectiveness of a control that has been selected for testing by determining whether the control is operating as designed, and whether the person performing the control possesses the authority and competence to perform the control effectively. Procedures that the auditor can perform to test operating effectiveness include a mix of inquiry of personnel, observation of company operations, inspection of documentation, and the reperformance of the control.
The evidence provided by the auditor’s tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor’s procedures. For an individual control, different combinations of these factors might provide sufficient evidence in relation to the degree of reliance in an audit of financial statements.
The following tests that the auditor could perform are presented in the order of the evidence that they should produce, from least to most: inquiry, observation, inspection of documentation, and reperformance of a control. It is not sufficient to only use inquiry to support a conclusion about the effectiveness of a control.
The type of tests of controls to use depends on the nature of the control to be tested, as well as whether operation of the control results in documentary evidence of its operation.
More evidence is obtained from a test when it is more extensively tested. Issues that can affect the extent of testing in relation to the amount of reliance on a control include:
The auditor must obtain evidence that those controls selected for testing are designed and operated effectively through the entire period of reliance.
If the auditor obtains evidence about the operating effectiveness of controls through an interim date, he or she should determine what additional evidence is needed concerning the operation of the controls through the remainder of the period of reliance. This additional evidence depends on the following factors:
When the auditor relies on controls that have been tested in past audits, and he or she plans to use evidence about the effectiveness of those controls that was collected in prior years, he or she should take the following factors into account to determine the evidence needed during the current-year audit:
The auditor should evaluate control risk for assertions by evaluating the evidence obtained from all sources, including the test of controls for the audit of internal control and the audit of financial statements, misstatements detected during the audit, and control deficiencies.
The auditor should assess control risk at the maximum level for relevant assertions when controls needed to address the assessed risk of material misstatement are missing or ineffective, or when there is no sufficient appropriate evidence to support a control risk assessment that is below the maximum level.
If the auditor detects deficiencies in the control on which he or she intends to rely, there should be an evaluation of the severity of the deficiencies and the effect on the control risk assessments. If the controls are ineffective, the auditor should:
The objective of the tests of controls in an audit of internal control is to obtain evidence concerning the effectiveness of those controls used to support the auditor’s opinion on a company’s internal control over financial reporting.
The auditor should perform substantive procedures for each assertion of each significant account and disclosure, irrespective of the assessed level of control risk. As the assessed risk of material misstatement increases, the auditor should obtain an increased amount of evidence from substantive procedures. This evidence depends on the nature, timing, and extent of the procedures. Different combinations of testing may be sufficient for the testing of an individual assertion.
Internal controls over financial reporting have limitations that can affect the evidence needed from substantive procedures. Thus, more evidence from substantive procedures is needed for assertions that are subject to management override or lapses in judgment.
Substantive procedures usually provide persuasive evidence when they are designed and performed to obtain relevant and reliable evidence. The auditor should take into account the types of potential misstatements in the assertions that could arise from identified risks, which may help to determine the types and combinations of procedures needed to detect material misstatements in the assertions. The assertions must include the following audit procedures for the period-end financial reporting process:
The extent of usage of a substantive audit procedure depends on the materiality of the account or disclosure, as well as the assessed risk of material misstatement, and the necessary degree of assurance from the procedure. Increasing the extent of an audit procedure may not adequately address an assessed risk of material misstatement unless any evidence obtained by doing so is reliable and relevant.
The auditor can perform some substantive procedures at interim dates for early consideration of issues affecting the year-end financial statements. However, doing so without performing procedures at a later date increases the risk of a material misstatement within the year-end financial statements that would not be detected. This risk increases if there is a longer interval between the interim date and the year-end.
To determine whether to perform substantive procedures at an interim date, the auditor should consider the following:
If the auditor performs substantive tests at an interim date, he or she should address the remaining period by performing substantive procedures, or such procedures in combination with tests of controls that create a reasonable basis for extending the audit conclusions for the period from the interim date to the period end. These procedures should compare information about the account balance at the interim date with comparable information at the end of the period to identify unusual amounts, and perform audit procedures for the remaining period.
If these actions result in evidence that contradicts the evidence on which the auditor based his or her original risk assessments, this may result in revising the related risk assessments and modifying the planned nature, timing, or extent of those substantive procedures covering the remaining time period.
When the auditor conducts a dual-purpose test, he or she should design the test to achieve the objectives of both the test of the control and of the substantive test. Also, the auditor should evaluate the results of the test when forming conclusions about both the assertion and the effectiveness of the control being tested.
1 Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.