[The following paragraphs were effective for audits of financial statements for periods beginning on or after December 15, 2002. They were deleted, effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
Discussion Among Engagement Personnel Regarding the Risks of Material Misstatement Due to Fraud
Prior to or in conjunction with the information-gathering procedures described in paragraphs .19 through .34 of this section, members of the audit team should discuss the potential for material misstatement due to fraud. The discussion should include:
- An exchange of ideas or "brainstorming" among the audit team members, including the auditor with final responsibility for the audit, about how and where they believe the entity's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. (See paragraph .15.)
- An emphasis on the importance of maintaining the proper state of mind throughout the audit regarding the potential for material misstatement due to fraud. (See paragraph .16.)
The discussion among the audit team members about the susceptibility of the entity's financial statements to material misstatement due to fraud should include a consideration of the known external and internal factors affecting the entity that might (a) create incentives/pressures for management and others to commit fraud, (b) provide the opportunity for fraud to be perpetrated, and (c) indicate a culture or environment that enables management to rationalize committing fraud. The discussion should occur with an attitude that includes a questioning mind as described in paragraph .16 and, for this purpose, setting aside any prior beliefs the audit team members may have that management is honest and has integrity. In this regard, the discussion should include a consideration of the risk of management override of controls. fn 8 Finally, the discussion should include how the auditor might respond to the susceptibility of the entity's financial statements to material misstatement due to fraud.
The discussion among the audit team members should emphasize the need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating evidence throughout the audit, as described in paragraph .13. This should lead the audit team members to continually be alert for information or other conditions (such as those presented in paragraph .68) that indicate a material misstatement due to fraud may have occurred. It should also lead audit team members to thoroughly probe the issues, acquire additional evidence as necessary, and consult with other team members and, if appropriate, experts in the firm, rather than rationalize or dismiss information or other conditions that indicate a material misstatement due to fraud may have occurred.
Although professional judgment should be used in determining which audit team members should be included in the discussion, the discussion ordinarily should involve the key members of the audit team. A number of factors will influence the extent of the discussion and how it should occur. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor to consider in planning the discussions is whether to include specialists assigned to the audit team. For example, if the auditor has determined that a professional possessing information technology skills is needed on the audit team (see section 319.32), it may be useful to include that individual in the discussion.
Communication among the audit team members about the risks of material misstatement due to fraud also should continue throughout the audit—for example, in evaluating the risks of material misstatement due to fraud at or near the completion of the field work. (See paragraph .74 and footnote 28.)
Obtaining the Information Needed to Identify the Risks of Material Misstatement Due to Fraud
Section 311.06–.08 provides guidance about how the auditor obtains knowledge about the entity's business and the industry in which it operates. In performing that work, information may come to the auditor's attention that should be considered in identifying risks of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures to obtain information that is used (as described in paragraphs .35 through .42) to identify the risks of material misstatement due to fraud:
- Make inquiries of management and others within the entity to obtain their views about the risks of fraud and how they are addressed. (See paragraphs .20 through .27.)
- Consider any unusual or unexpected relationships that have been identified in performing analytical procedures in planning the audit. (See paragraphs .28 through .30.)
- Consider whether one or more fraud risk factors exist. (See paragraphs .31 through .33, and the Appendix [paragraph .85].)
- Consider other information that may be helpful in the identification of risks of material misstatement due to fraud. (See paragraph .34.)
Making Inquiries of Management and Others Within the Entity About the Risks of Fraud
The auditor should inquire of management about: fn 9
- Whether management has knowledge of any fraud or suspected fraud affecting the entity
- Whether management is aware of allegations of fraud or suspected fraud affecting the entity, for example, received in communications from employees, former employees, analysts, regulators, short sellers, or others
- Management's understanding about the risks of fraud in the entity, including any specific fraud risks the entity has identified or account balances or classes of transactions for which a risk of fraud may be likely to exist
- Programs and controls fn 10 the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls. For examples of programs and controls an entity may implement to prevent, deter, and detect fraud, see the exhibit titled "Management Antifraud Programs and Controls" [paragraph .88] at the end of this section.
- For an entity with multiple locations, (a) the nature and extent of monitoring of operating locations or business segments, and (b) whether there are particular operating locations or business segments for which a risk of fraud may be more likely to exist
- Whether and how management communicates to employees its views on business practices and ethical behavior
The inquiries of management also should include whether management has reported to the audit committee or others with equivalent authority and responsibility fn 11 (hereafter referred to as the audit committee) on how the entity's internal control fn 12 serves to prevent, deter, or detect material misstatements due to fraud.
The auditor also should inquire directly of the audit committee (or at least its chair) regarding the audit committee's views about the risks of fraud and whether the audit committee has knowledge of any fraud or suspected fraud affecting the entity. An entity's audit committee sometimes assumes an active role in oversight of the entity's assessment of the risks of fraud and the programs and controls the entity has established to mitigate these risks. The auditor should obtain an understanding of how the audit committee exercises oversight activities in that area.
For entities that have an internal audit function, the auditor also should inquire of appropriate internal audit personnel about their views about the risks of fraud, whether they have performed any procedures to identify or detect fraud during the year, whether management has satisfactorily responded to any findings resulting from these procedures, and whether the internal auditors have knowledge of any fraud or suspected fraud.
In addition to the inquiries outlined in paragraphs .20 through .23, the auditor should inquire of others within the entity about the existence or suspicion of fraud. The auditor should use professional judgment to determine those others within the entity to whom inquiries should be directed and the extent of such inquiries. In making this determination, the auditor should consider whether others within the entity may be able to provide information that will be helpful to the auditor in identifying risks of material misstatement due to fraud—for example, others who may have additional knowledge about or be able to corroborate risks of fraud identified in the discussions with management (see paragraph .20) or the audit committee (see paragraph .22).
Examples of others within the entity to whom the auditor may wish to direct these inquiries include:
- Employees with varying levels of authority within the entity, including, for example, entity personnel with whom the auditor comes into contact during the course of the audit (a) in obtaining an understanding of the entity's systems and internal control, (b) in observing inventory or performing cutoff procedures, or (c) in obtaining explanations for fluctuations noted as a result of analytical procedures
- Operating personnel not directly involved in the financial reporting process
- Employees involved in initiating, recording, or processing complex or unusual transactions—for example, a sales transaction with multiple elements, or a significant related party transaction
- In-house legal counsel
The auditor's inquiries of management and others within the entity are important because fraud often is uncovered through information received in response to inquiries. One reason for this is that such inquiries may provide individuals with an opportunity to convey information to the auditor that otherwise might not be communicated. Making inquiries of others within the entity, in addition to management, may be useful in providing the auditor with a perspective that is different from that of individuals involved in the financial reporting process. The responses to these other inquiries might serve to corroborate responses received from management, or alternatively, might provide information regarding the possibility of management override of controls—for example, a response from an employee indicating an unusual change in the way transactions have been processed. In addition, the auditor may obtain information from these inquiries regarding how effectively management has communicated standards of ethical behavior to individuals throughout the organization.
The auditor should be aware when evaluating management's responses to the inquiries discussed in paragraph .20 that management is often in the best position to perpetrate fraud. The auditor should use professional judgment in deciding when it is necessary to corroborate responses to inquiries with other information. However, when responses are inconsistent among inquiries, the auditor should obtain additional audit evidence to resolve the inconsistencies.
Considering the Results of the Analytical Procedures Performed in Planning the Audit
Section 329, Analytical Procedures, paragraphs .04 and .06, requires that analytical procedures be performed in planning the audit with an objective of identifying the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have financial statement and audit planning implications. In performing analytical procedures in planning the audit, the auditor develops expectations about plausible relationships that are reasonably expected to exist, based on the auditor's understanding of the entity and its environment. When comparison of those expectations with recorded amounts or ratios developed from recorded amounts yields unusual or unexpected relationships, the auditor should consider those results in identifying the risks of material misstatement due to fraud.
In planning the audit, the auditor also should perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. An example of such an analytical procedure that addresses this objective is a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales. As another example, a trend analysis of revenues by month and sales returns by month during and shortly after the reporting period may indicate the existence of undisclosed side agreements with customers to return goods that would preclude revenue recognition. fn 13
Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.
Considering Fraud Risk Factors
Because fraud is usually concealed, material misstatements due to fraud are difficult to detect. Nevertheless, the auditor may identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Such events or conditions are referred to as "fraud risk factors." Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists.
When obtaining information about the entity and its environment, the auditor should consider whether the information indicates that one or more fraud risk factors are present. The auditor should use professional judgment in determining whether a risk factor is present and should be considered in identifying and assessing the risks of material misstatement due to fraud.
Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are presented in the Appendix [paragraph .85]. These illustrative risk factors are classified based on the three conditions generally present when fraud exists: incentive/pressure to perpetrate fraud, an opportunity to carry out the fraud, and attitude/rationalization to justify the fraudulent action. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may wish to consider additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
Considering Other Information That May Be Helpful in Identifying Risks of Material Misstatement Due to Fraud
The auditor should consider other information that may be helpful in identifying risks of material misstatement due to fraud. Specifically, the discussion among the engagement team members (see paragraphs .14 through .18) may provide information helpful in identifying such risks. In addition, the auditor should consider whether information from the results of (a) procedures relating to the acceptance and continuance of clients and engagements fn 14 and (b) reviews of interim financial statements may be relevant in the identification of such risks. Finally, as part of the consideration of audit risk at the individual account balance or class of transaction level (see section 312.24 through .33), the auditor should consider whether identified inherent risks would provide useful information in identifying the risks of material misstatement due to fraud (see paragraph .39).
Identifying Risks That May Result in a Material Misstatement Due to Fraud
Using the Information Gathered to Identify Risk of Material Misstatements Due to Fraud
In identifying risks of material misstatement due to fraud, it is helpful for the auditor to consider the information that has been gathered (see paragraphs .19 through .34) in the context of the three conditions present when a material misstatement due to fraud occurs—that is, incentives/pressures, opportunities, and attitudes/rationalizations (see paragraph .07). However, the auditor should not assume that all three conditions must be observed or evident before concluding that there are identified risks. Although the risk of material misstatement due to fraud may be greatest when all three fraud conditions are observed or evident, the auditor cannot assume that the inability to observe one or two of these conditions means there is no risk of material misstatement due to fraud. In fact, observing that individuals have the requisite attitude to commit fraud, or identifying factors that indicate a likelihood that management or other employees will rationalize committing a fraud, is difficult at best.
In addition, the extent to which each of the three conditions referred to above are present when fraud occurs may vary. In some instances the significance of incentives/pressures may result in a risk of material misstatement due to fraud, apart from the significance of the other two conditions. For example, an incentive/pressure to achieve an earnings level to preclude a loan default, or to "trigger" incentive compensation plan awards, may alone result in a risk of material misstatement due to fraud. In other instances, an easy opportunity to commit the fraud because of a lack of controls may be the dominant condition precipitating the risk of fraud, or an individual's attitude or ability to rationalize unethical actions may be sufficient to motivate that individual to engage in fraud, even in the absence of significant incentives/pressures or opportunities.
The auditor's identification of fraud risks also may be influenced by characteristics such as the size, complexity, and ownership attributes of the entity. For example, in the case of a larger entity, the auditor ordinarily considers factors that generally constrain improper conduct by management, such as the effectiveness of the audit committee and the internal audit function, and the existence and enforcement of a formal code of conduct. In the case of a smaller entity, some or all of these considerations may be inapplicable or less important, and management may have developed a culture that emphasizes the importance of integrity and ethical behavior through oral communication and management by example. Also, the risks of material misstatement due to fraud may vary among operating locations or business segments of an entity, requiring an identification of the risks related to specific geographic areas or business segments, as well as for the entity as a whole. fn 15
The auditor should evaluate whether identified risks of material misstatement due to fraud can be related to specific financial-statement account balances or classes of transactions and related assertions, or whether they relate more pervasively to the financial statements as a whole. Relating the risks of material misstatement due to fraud to the individual accounts, classes of transactions, and assertions will assist the auditor in subsequently designing appropriate auditing procedures.
Certain accounts, classes of transactions, and assertions that have high inherent risk because they involve a high degree of management judgment and subjectivity also may present risks of material misstatement due to fraud because they are susceptible to manipulation by management. For example, liabilities resulting from a restructuring may be deemed to have high inherent risk because of the high degree of subjectivity and management judgment involved in their estimation. Similarly, revenues for software developers may be deemed to have high inherent risk because of the complex accounting principles applicable to the recognition and measurement of software revenue transactions. Assets resulting from investing activities may be deemed to have high inherent risk because of the subjectivity and management judgment involved in estimating fair values of those investments.
In summary, the identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:
- The type of risk that may exist, that is, whether it involves fraudulent financial reporting or misappropriation of assets
- The significance of the risk, that is, whether it is of a magnitude that could result in a possible material misstatement of the financial statements
- The likelihood of the risk, that is, the likelihood that it will result in a material misstatement in the financial statements fn 16.
- The pervasiveness of the risk, that is, whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions.
A Presumption That Improper Revenue Recognition Is a Fraud Risk
Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (for example, through premature revenue recognition or recording fictitious revenues) or an understatement of revenues (for example, through improperly shifting revenues to a later period). Therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition. (See paragraph .54 for examples of auditing procedures related to the risk of improper revenue recognition.) fn 17
A Consideration of the Risk of Management Override of Controls
Even if specific risks of material misstatement due to fraud are not identified by the auditor, there is a possibility that management override of controls could occur, and accordingly, the auditor should address that risk (see paragraph .57) apart from any conclusions regarding the existence of more specifically identifiable risks.
Assessing the Identified Risks After Taking Into Account an Evaluation of the Entity's Programs and Controls That Address the Risks
Section 319 requires the auditor to obtain an understanding of each of the five components of internal control sufficient to plan the audit. It also notes that such knowledge should be used to identify types of potential misstatements, consider factors that affect the risk of material misstatement, design tests of controls when applicable, and design substantive tests. Additionally, section 319 notes that controls, whether manual or automated, can be circumvented by collusion of two or more people or inappropriate management override of internal control.
As part of the understanding of internal control sufficient to plan the audit, the auditor should evaluate whether entity programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation. fn 18 These programs and controls may involve (a) specific controls designed to mitigate specific risks of fraud—for example, controls to address specific assets susceptible to misappropriation, and (b) broader programs designed to prevent, deter, and detect fraud—for example, programs to promote a culture of honesty and ethical behavior. The auditor should consider whether such programs and controls mitigate the identified risks of material misstatement due to fraud or whether specific control deficiencies may exacerbate the risks (see paragraph .80). The exhibit at the end of this section [paragraph .88] discusses examples of programs and controls an entity might implement to create a culture of honesty and ethical behavior, and that help to prevent, deter, and detect fraud.
After the auditor has evaluated whether the entity's programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation, the auditor should assess these risks taking into account that evaluation. This assessment should be considered when developing the auditor's response to the identified risks of material misstatement due to fraud (see paragraphs .46 through .67). fn 19