Skip Ribbon Commands
Skip to main content
Stay Connected: Twitter Facebook Flickr RSS E-Mail

Click Plus Sign Icon to expand menu items
Click Minus Sign Icon to collapse menu items

Skip Navigation Links.
ExpandAS No. 1: References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board
ExpandAS No. 3: Audit Documentation
ExpandAS No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
ExpandAS No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
ExpandAS No. 6: Evaluating Consistency of Financial Statements
ExpandAS No. 7: Engagement Quality Review
ExpandAS No. 8: Audit Risk
ExpandAS No. 9: Audit Planning
ExpandAS No. 10: Supervision of the Audit Engagement
ExpandAS No. 11: Consideration of Materiality in Planning and Performing an Audit
CollapseAS No. 12: Identifying and Assessing Risks of Material Misstatement
Auditing Standard No. 12
Appendix A: Definitions
Appendix B: Consideration of Manual and Automated Systems and Controls
ExpandAS No. 13: The Auditor's Responses to the Risks of Material Misstatement
ExpandAS No. 14: Evaluating Audit Results
ExpandAS No. 15: Audit Evidence
ExpandAS No. 16: Communications with Audit Committees
ExpandAS No. 17: Auditing Supplemental Information Accompanying Audited Financial Statements
ExpandAU Section 100 - Statements on Auditing Standards -- Introduction
ExpandAU Section 200 - The General Standards
ExpandAU Section 300 - The Standards of Field Work
ExpandAU Section 400 - The First, Second, and Third Standards of Reporting
ExpandAU Section 500 - The Fourth Standard of Reporting
ExpandAU Section 600 - Other Types of Reports
ExpandAU Section 700 - Special Topics
ExpandAU Section 800 - Compliance Auditing
ExpandAU Section 900 - Special Reports of the Committee on Auditing Procedures

Auditing Standard No. 12

Identifying and Assessing Risks of Material Misstatement

Effective Date: For audits of fiscal years beginning on or after Dec. 15, 2010

Final Rule: PCAOB Release No. 2010-004

Summary Table of Contents

Introduction

1.     This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement1/ of the financial statements.

2.     Paragraphs 4-58 of this standard discuss the auditor's responsibilities for performing risk assessment procedures.2/ Paragraphs 59-73 of this standard discuss identifying and assessing the risks of material misstatement using information obtained from performing risk assessment procedures.

Objective

3.     The objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement.

Performing Risk Assessment Procedures

4.     The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud,3/ and designing further audit procedures.4/

5.     Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures:

  1. Obtaining an understanding of the company and its environment (paragraphs 7-17);
  2. Obtaining an understanding of internal control over financial reporting (paragraphs 18-40);
  3. Considering information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company (paragraphs 41-45);
  4. Performing analytical procedures (paragraphs 46-48);
  5. Conducting a discussion among engagement team members regarding the risks of material misstatement (paragraphs 49-53); and
  6. Inquiring of the audit committee, management, and others within the company about the risks of material misstatement (paragraphs 54-58).

    Note:  This standard describes an approach to identifying and assessing risks of material misstatement that begins at the financial statement level and with the auditor's overall understanding of the company and its environment and works down to the significant accounts and disclosures and their relevant assertions.5/

6.     In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements.

Obtaining an Understanding of the Company and Its Environment

7.     The auditor should obtain an understanding of the company and its environment ("understanding of the company") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding:

  1. Relevant industry, regulatory, and other external factors;
  2. The nature of the company;
  3. The company's selection and application of accounting principles, including related disclosures;
  4. The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and
  5. The company's measurement and analysis of its financial performance.

8.     In obtaining an understanding of the company, the auditor should evaluate whether significant changes in the company from prior periods, including changes in its internal control over financial reporting, affect the risks of material misstatement.

Industry, Regulatory, and Other External Factors

9.     Obtaining an understanding of relevant industry, regulatory, and other external factors encompasses industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework6/ and the legal and political environment;7/ and external factors, including general economic conditions.

Nature of the Company

10.      Obtaining an understanding of the nature of the company includes understanding:

  • The company's organizational structure and management personnel;
  • The sources of funding of the company's operations and investment activities, including the company's capital structure, noncapital funding (e.g., subordinated debt or dependencies on supplier financing), and other debt instruments;
  • The company's significant investments, including equity method investments, joint ventures, and variable interest entities;
  • The company's operating characteristics, including its size and complexity;

    Note:  The size and complexity of a company might affect the risks of misstatement and how the company addresses those risks.

  • The sources of the company's earnings, including the relative profitability of key products and services; and
  • Key supplier and customer relationships.

    Note:  The auditor should take into account the information gathered while obtaining an understanding of the nature of the company when determining the existence of related parties in accordance with AU sec. 334, Related Parties.

11.      As part of obtaining an understanding of the company as required by paragraph 7, the auditor should consider performing the following procedures and the extent to which the procedures should be performed:

  • Reading public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and, in an integrated audit, the effectiveness of the company's internal control over financial reporting, e.g., company-issued press releases, company-prepared presentation materials for analysts or investor groups, and analyst reports;
  • Observing or reading transcripts of earnings calls and, to the extent publicly available, other meetings with investors or rating agencies;
  • Obtaining an understanding of compensation arrangements with senior management, including incentive compensation arrangements, changes or adjustments to those arrangements, and special bonuses; and
  • Obtaining information about trading activity in the company's securities and holdings in the company's securities by significant holders to identify potentially significant unusual developments (e.g., from Forms 3, 4, 5, 13D, and 13G).

Selection and Application of Accounting Principles, Including Related Disclosures

12.      As part of obtaining an understanding of the company's selection and application of accounting principles, including related disclosures, the auditor should evaluate whether the company's selection and application of accounting principles are appropriate for its business and consistent with the applicable financial reporting framework and accounting principles used in the relevant industry. Also, to identify and assess risks of material misstatement related to omitted, incomplete, or inaccurate disclosures, the auditor should develop expectations about the disclosures that are necessary for the company's financial statements to be presented fairly in conformity with the applicable financial reporting framework.

13.      The following matters, if present, are relevant to the necessary understanding of the company's selection and application of accounting principles, including related disclosures:

  • Significant changes in the company's accounting principles, financial reporting policies, or disclosures and the reasons for such changes;
  • The financial reporting competencies of personnel involved in selecting and applying significant new or complex accounting principles;
  • The accounts or disclosures for which judgment is used in the application of significant accounting principles, especially in determining management's estimates and assumptions;
  • The effect of significant accounting principles in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;
  • The methods the company uses to account for significant and unusual transactions; and
  • Financial reporting standards and laws and regulations that are new to the company, including when and how the company will adopt such requirements.

Company Objectives, Strategies, and Related Business Risks

14.      The purpose of obtaining an understanding of the company's objectives, strategies, and related business risks is to identify business risks that could reasonably be expected to result in material misstatement of the financial statements.

Note:  Some relevant business risks might be identified through other risk assessment procedures, such as obtaining an understanding of the nature of the company and understanding industry, regulatory, and other external factors.

15.      The following are examples of situations in which business risks might result in material misstatement of the financial statements:

  • Industry developments (a potential related business risk might be, e.g., that the company does not have the personnel or expertise to deal with the changes in the industry.)
  • New products and services (a potential related business risk might be, e.g., that the new product or service will not be successful.)
  • Use of information technology ("IT") (a potential related business risk might be, e.g., that systems and processes are incompatible.)
  • New accounting requirements (a potential related business risk might be, e.g., incomplete or improper implementation of a new accounting requirement.)
  • Expansion of the business (a potential related business risk might be, e.g., that the demand for the company's products or services has not been accurately estimated.)
  • The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, e.g., incomplete or improper implementation of the strategy.)
  • Current and prospective financing requirements (a potential related business risk might be, e.g., the loss of financing due to the company's inability to meet financing requirements.)
  • Regulatory requirements (a potential related business risk might be, e.g., that there is increased legal exposure.)

    Note:  Business risks could affect risks of material misstatement at the financial statement level, which would affect many accounts and disclosures in the financial statements. For example, a company's loss of financing or declining conditions affecting the company's industry could affect its ability to settle its obligations when due. This, in turn, could affect the risks of material misstatement related to, e.g., the classification of long-term liabilities or valuation of long-term assets, or it could result in substantial doubt about the company's ability to continue as a going concern. Other business risks could affect the risks of material misstatement for particular accounts, disclosures, or assertions. For example, an unsuccessful new product or service or failed business expansion might affect the risks of material misstatement related to the valuation of inventory and other related assets.

Company Performance Measures

16.      The purpose of obtaining an understanding of the company's performance measures is to identify performance measures, whether external or internal, that affect the risks of material misstatement.

17.      The following are examples of performance measures that might affect the risks of material misstatement:

  • Measures that form the basis for contractual commitments or incentive compensation arrangements;
  • Measures used by external parties, such as analysts and rating agencies, to review the company's performance; and
  • Measures the company uses to monitor its operations that highlight unexpected results or trends that prompt management to investigate their cause and take corrective action, including correction of misstatements.

    Note:  The first two examples represent performance measures that can affect the risks of material misstatement by creating incentives or pressures for management of the company to manipulate certain accounts or disclosures to achieve certain performance targets (or conceal a failure to achieve those targets). The third example represents performance measures that management might use to monitor risks affecting the financial statements.

    Note:  Smaller companies might have less formal processes to measure and review financial performance. In such cases, the auditor might identify relevant performance measures by considering the information that the company uses to manage the business.

Obtaining an Understanding of Internal Control Over Financial Reporting

18.      The auditor should obtain a sufficient understanding of each component8/ of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures.  

19.      The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company;9/ the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting.

Note:  The auditor also might obtain an understanding of certain controls that are not part of internal control over financial reporting, e.g., controls over the completeness and accuracy of operating or other nonfinancial information used as audit evidence.10/

20.      Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented.

Note:  Procedures the auditor performs to obtain evidence about design effectiveness include inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs, as described in paragraphs 37-38, that include these procedures ordinarily are sufficient to evaluate design effectiveness.

Note:  Determining whether a control has been implemented means determining whether the control exists and whether the company is using it. The procedures to determine whether a control has been implemented may be performed in connection with the evaluation of its design. Procedures performed to determine whether a control has been implemented include inquiry of appropriate personnel, in combination with observation of the application of controls or inspection of documentation. Walkthroughs, as described in paragraphs 37-38, that include these procedures ordinarily are sufficient to determine whether a control has been implemented.

21.      Internal control over financial reporting can be described as consisting of the following components:11/

  • The control environment,
  • The company's risk assessment process,
  • Information and communication,
  • Control activities, and
  • Monitoring of controls.

22.      Management might use an internal control framework with components that differ from the components identified in the preceding paragraph when establishing and maintaining the company's internal control over financial reporting. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements only, the auditor may use the framework used by management or another suitable, recognized framework.12/ For integrated audits, Auditing Standard No. 5, states, "The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting."13/ If the auditor uses a suitable, recognized internal control framework with components that differ from those listed in the preceding paragraph, the auditor should adapt the requirements in paragraphs 23-36 of this standard to conform to the components in the framework used.

Control Environment

23.      The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment.

24.      Obtaining an understanding of the control environment includes assessing:

  • Whether management's philosophy and operating style promote effective internal control over financial reporting;
  • Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
  • Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.

    Note:  In an audit of financial statements only, this assessment may be based on the evidence obtained in understanding the control environment, in accordance with paragraph 23, and the other relevant knowledge possessed by the auditor. In an integrated audit of financial statements and internal control over financial reporting, Auditing Standard No. 514/ describes the auditor's responsibility for evaluating the control environment.

25.      If the auditor identifies a control deficiency15/ in the company's control environment, the auditor should evaluate the extent to which this control deficiency is indicative of a fraud risk factor, as discussed in paragraphs 65-66 of this standard.

The Company's Risk Assessment Process

26.      The auditor should obtain an understanding of management's process for:

  1. Identifying risks relevant to financial reporting objectives, including risks of material misstatement due to fraud ("fraud risks");
  2. Assessing the likelihood and significance of misstatements resulting from those risks; and
  3. Deciding about actions to address those risks.

27.      Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks.

Information and Communication

28.      Information System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:

  1. The classes of transactions in the company's operations that are significant to the financial statements;
  2. The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported;
  3. The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process, and record transactions;
  4. How the information system captures events and conditions, other than transactions,16/ that are significant to the financial statements; and
  5. The period-end financial reporting process.

    Note:  Appendix B discusses additional considerations regarding manual and automated systems and controls.

29.      The auditor also should obtain an understanding of how IT affects the company's flow of transactions. (See Appendix B.)

Note:  The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the approach used to identify significant accounts and disclosures and their relevant assertions and, when applicable, to select the controls to test, as well as to assess risk and allocate audit effort.

30.      A company's business processes are the activities designed to:

  1. Develop, purchase, produce, sell and distribute a company's products or services;
  2. Record information, including accounting and financial reporting information; and
  3. Ensure compliance with laws and regulations relevant to the financial statements.

31.      Obtaining an understanding of the company's business processes assists the auditor in obtaining an understanding of how transactions are initiated, authorized, processed, and recorded.

32.      A company's period-end financial reporting process, as referred to in paragraph 28.e., includes the following:

  • Procedures used to enter transaction totals into the general ledger;
  • Procedures related to the selection and application of accounting principles;17/
  • Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
  • Procedures used to record recurring and nonrecurring adjustments to the annual financial statements (and quarterly financial statements, if applicable); and
  • Procedures for preparing annual financial statements and related disclosures (and quarterly financial statements, if applicable).

33.      Communication. The auditor should obtain an understanding of how the company communicates financial reporting roles and responsibilities and significant matters relating to financial reporting to relevant company personnel and others, including:

  • Communications between management, the audit committee, and the board of directors; and
  • Communications to external parties, including regulatory authorities and shareholders.

Control Activities

34.      The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph 18 of this standard.18/ As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures.

Note:  A broader understanding of control activities is needed for relevant assertions for which the auditor plans to rely on controls. Also, in the audit of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit.

Monitoring of Controls

35.      The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls.19/

36.      An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities.

Performing Walkthroughs

37.      As discussed in paragraph 20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform walkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.

Note:  For integrated audits, Auditing Standard No. 5 establishes certain objectives that the auditor should achieve to further understand likely sources of potential misstatements and as part of selecting the controls to test. Auditing Standard No. 5 states that performing walkthroughs will frequently be the most effective way of achieving those objectives.20/

38.      In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company's personnel about their understanding of what is required by the company's prescribed procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough allow the auditor to gain an understanding of the different types of significant transactions handled by the process.

Relationship of Understanding of Internal Control to Tests of Controls

39.      The objective of obtaining an understanding of internal control, as discussed in paragraph 18 of this standard, is different from testing controls for the purpose of assessing control risk21/ or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal control over financial reporting.22/ The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should take into account the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control over financial reporting, forming an opinion about the effectiveness of internal control over financial reporting.

40.      Relationship of Understanding of Internal Control to Evaluating Entity-Level Controls in an Audit of Internal Control Over Financial Reporting. Auditing Standard No. 5 states, "The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting."23/ The procedures performed to obtain an understanding of certain components of internal control in accordance with this standard, e.g., the control environment, the company's risk assessment process, information and communication, and monitoring of controls, might provide evidence that is relevant to the auditor's evaluation of entity-level controls.24/ The auditor should take into account the evidence obtained from understanding internal control when determining the nature, timing, and extent of procedures necessary to support the auditor's conclusions about the effectiveness of entity-level controls in the audit of internal control over financial reporting.

Considering Information from the Client Acceptance and Retention Evaluation, Audit Planning Activities, Past Audits, and Other Engagements

41.      Client Acceptance and Retention and Audit Planning Activities. The auditor should evaluate whether information obtained from the client acceptance and retention evaluation process or audit planning activities is relevant to identifying risks of material misstatement. Risks of material misstatement identified during those activities should be assessed as discussed beginning in paragraph 59 of this standard.

42.      Past Audits. In subsequent years, the auditor should incorporate knowledge obtained during past audits into the auditor's process for identifying risks of material misstatement, including when identifying significant ongoing matters that affect the risks of material misstatement or determining how changes in the company or its environment affect the risks of material misstatement, as discussed in paragraph 8 of this standard.

43.      If the auditor plans to limit the nature, timing, or extent of his or her risk assessment procedures by relying on information from past audits, the auditor should evaluate whether the prior years' information remains relevant and reliable.

44.      Other Engagements. When the auditor has performed a review of interim financial information in accordance with AU sec. 722, Interim Financial Information, the auditor should evaluate whether information obtained during the review is relevant to identifying risks of material misstatement in the year-end audit.

45.      The auditor should obtain an understanding of the nature of the services that have been performed for the company by the auditor or affiliates of the firm25/ and should take into account relevant information obtained from those engagements in identifying risks of material misstatement.26/

Performing Analytical Procedures

46.      The auditor should perform analytical procedures that are designed to:

  1. Enhance the auditor's understanding of the client's business and the significant transactions and events that have occurred since the prior year end; and
  2. Identify areas that might represent specific risks relevant to the audit, including the existence of unusual transactions and events, and amounts, ratios, and trends that warrant investigation.

47.      In applying analytical procedures as risk assessment procedures, the auditor should perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, including material misstatement due to fraud. Also, when the auditor has performed a review of interim financial information in accordance with AU sec. 722, he or she should take into account the analytical procedures applied in that review when designing and applying analytical procedures as risk assessment procedures.

48.      When performing an analytical procedure, the auditor should use his or her understanding of the company to develop expectations about plausible relationships among the data to be used in the procedure.27/ When comparison of those expectations with relationships derived from recorded amounts yields unusual or unexpected results, the auditor should take into account those results in identifying the risks of material misstatement.

Note:  Analytical procedures performed as risk assessment procedures often use data that is preliminary or data that is aggregated at a high level, and, in those instances, such analytical procedures are not designed with the level of precision necessary for substantive analytical procedures.

Conducting a Discussion among Engagement Team Members Regarding Risks of Material Misstatement

49.      The key engagement team members should discuss (1) the company's selection and application of accounting principles, including related disclosure requirements, and (2) the susceptibility of the company's financial statements to material misstatement due to error or fraud.

Note:  The key engagement team members should discuss the potential for material misstatement due to fraud either as part of the discussion regarding risks of material misstatement or in a separate discussion.28/

Note:  As discussed in paragraph 67, the financial statements might be susceptible to misstatement through omission of required disclosures or presentation of inaccurate or incomplete disclosures.

50.      Key engagement team members include all engagement team members who have significant engagement responsibilities, including the engagement partner. The manner in which the discussion is conducted depends on the individuals involved and the circumstances of the engagement. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. The engagement partner or other key engagement team members should communicate the important matters from the discussion to engagement team members who are not involved in the discussion.

Note:  If the audit is performed entirely by the engagement partner, that engagement partner, having personally conducted the planning of the audit, is responsible for evaluating the susceptibility of the company's financial statements to material misstatement.

51.      Communication among the engagement team members about significant matters affecting the risks of material misstatement should continue throughout the audit, including when conditions change.29/

Discussion of the Potential for Material Misstatement Due to Fraud

52.      The discussion among the key engagement team members about the potential for material misstatement due to fraud should occur with an attitude that includes a questioning mind, and the key engagement team members should set aside any prior beliefs they might have that management is honest and has integrity. The discussion among the key engagement team members should include:

  • An exchange of ideas, or "brainstorming," among the key engagement team members, including the engagement partner, about how and where they believe the company's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the company could be misappropriated, including (a) the susceptibility of the financial statements to material misstatement through related party transactions and (b) how fraud might be perpetrated or concealed by omitting or presenting incomplete or inaccurate disclosures;
  • A consideration of the known external and internal factors affecting the company that might (a) create incentives or pressures for management and others to commit fraud, (b) provide the opportunity for fraud to be perpetrated, and (c) indicate a culture or environment that enables management to rationalize committing fraud;
  • A consideration of the risk of management override; and
  • A consideration of the potential audit responses to the susceptibility of the company's financial statements to material misstatement due to fraud.

53.      The auditor should emphasize the following matters to all engagement team members:

  • The need to maintain a questioning mind throughout the audit and to exercise professional skepticism in gathering and evaluating evidence, as described in AU sec. 316;30/
  • The need to be alert for information or other conditions (such as those matters presented in Appendix C of Auditing Standard No. 14) that might affect the assessment of fraud risks; and
  • If information or other conditions indicate that a material misstatement due to fraud might have occurred, the need to probe the issues, acquire additional evidence as necessary, and consult with other team members and, if appropriate, others in the firm including specialists.31/

Inquiring of the Audit Committee, Management, and Others within the Company about the Risks of Material Misstatement

54.      The auditor should inquire of the audit committee, or equivalent (or its chair), management, the internal audit function, and others within the company who might reasonably be expected to have information that is important to the identification and assessment of risks of material misstatement.

Note:  The auditor's inquiries about risks of material misstatement should include inquiries regarding fraud risks.

55.      The auditor should use his or her knowledge of the company and its environment, as well as information from other risk assessment procedures, to determine the nature of the inquiries about risks of material misstatement.

Inquiries Regarding Fraud Risks

56.      The auditor's inquiries regarding fraud risks should include the following:

  1. Inquiries of management regarding:
    (1) Whether management has knowledge of fraud, alleged fraud, or suspected fraud affecting the company;
    (2) Management's process for identifying and responding to fraud risks in the company, including any specific fraud risks the company has identified or account balances or disclosures for which a fraud risk is likely to exist, and the nature, extent, and frequency of management's fraud risk assessment process;
    (3) Controls that the company has established to address fraud risks the company has identified, or that otherwise help to prevent and detect fraud, including how management monitors those controls;
    (4) For a company with multiple locations (a) the nature and extent of monitoring of operating locations or business segments and (b) whether there are particular operating locations or business segments for which a fraud risk might be more likely to exist;
    (5) Whether and how management communicates to employees its views on business practices and ethical behavior;
    (6) Whether management has received tips or complaints regarding the company's financial reporting (including those received through the audit committee's internal whistleblower program, if such program exists) and, if so, management's responses to such tips and complaints; and
    (7) Whether management has reported to the audit committee on how the company's internal control serves to prevent and detect material misstatements due to fraud.
  2. Inquiries of the audit committee, or equivalent, or its chair regarding:
    (1) The audit committee's views about fraud risks in the company;
    (2) Whether the audit committee has knowledge of fraud, alleged fraud, or suspected fraud affecting the company;
    (3) Whether the audit committee is aware of tips or complaints regarding the company's financial reporting (including those received through the audit committee's internal whistleblower program, if such program exists) and, if so, the audit committee's responses to such tips and complaints; and
    (4) How the audit committee exercises oversight of the company's assessment of fraud risks and the establishment of controls to address fraud risks.
  3. If the company has an internal audit function, inquiries of appropriate internal audit personnel regarding:
    (1) The internal auditors' views about fraud risks in the company;
    (2) Whether the internal auditors have knowledge of fraud, alleged fraud, or suspected fraud affecting the company;
    (3) Whether internal auditors have performed procedures to identify or detect fraud during the year, and whether management has satisfactorily responded to the findings resulting from those procedures; and
    (4) Whether internal auditors are aware of instances of management override of controls and the nature and circumstances of such overrides.

57.      In addition to the inquiries outlined in the preceding paragraph, the auditor should inquire of others within the company about their views regarding fraud risks, including, in particular, whether they have knowledge of fraud, alleged fraud, or suspected fraud. The auditor should identify other individuals within the company to whom inquiries should be directed and determine the extent of such inquiries by considering whether others in the company might have additional knowledge about fraud, alleged fraud, or suspected fraud or might be able to corroborate fraud risks identified in discussions with management or the audit committee. Examples of other individuals within the company to whom inquiries might be directed include:

  • Employees with varying levels of authority within the company, including, e.g., company personnel with whom the auditor comes into contact during the course of the audit (a) in obtaining an understanding of internal control, (b) in observing inventory or performing cutoff procedures, or (c) in obtaining explanations for significant differences identified when performing analytical procedures;
  • Operating personnel not directly involved in the financial reporting process;
  • Employees involved in initiating, recording, or processing complex or unusual transactions, e.g., a sales transaction with multiple elements or a significant related party transaction; and
  • In-house legal counsel.

58.      When evaluating management's responses to inquiries about fraud risks and determining when it is necessary to corroborate management's responses, the auditor should take into account the fact that management is often in the best position to commit fraud. Also, the auditor should obtain evidence to address inconsistencies in responses to the inquiries.

Identifying and Assessing the Risks of Material Misstatement

59.      The auditor should identify and assess the risks of material misstatement at the financial statement level and the assertion level. In identifying and assessing risks of material misstatement, the auditor should:

  1. Identify risks of misstatement using information obtained from performing risk assessment procedures (as discussed in paragraphs 4-58) and considering the characteristics of the accounts and disclosures in the financial statements.

    Note:  Factors relevant to identifying fraud risks are discussed in paragraphs 65-69 of this standard.

  2. Evaluate whether the identified risks relate pervasively to the financial statements as a whole and potentially affect many assertions.
  3. Evaluate the types of potential misstatements that could result from the identified risks and the accounts, disclosures, and assertions that could be affected.

    Note:  In identifying and assessing risks at the assertion level, the auditor should evaluate how risks at the financial statement level could affect risks of misstatement at the assertion level.

  4. Assess the likelihood of misstatement, including the possibility of multiple misstatements, and the magnitude of potential misstatement to assess the possibility that the risk could result in material misstatement of the financial statements.

    Note:  In assessing the likelihood and magnitude of potential misstatement, the auditor may take into account the planned degree of reliance on controls selected to test.32/

  5. Identify significant accounts and disclosures33/ and their relevant assertions34/ (paragraphs 60-64 of this standard).

    Note:  The determination of whether an account or disclosure is significant or whether an assertion is a relevant assertion is based on inherent risk, without regard to the effect of controls.

  6. Determine whether any of the identified and assessed risks of material misstatement are significant risks (paragraphs 70-71 of this standard).

Identifying Significant Accounts and Disclosures and Their Relevant Assertions

60.      To identify significant accounts and disclosures and their relevant assertions in accordance with paragraph 59.e., the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:

  • Size and composition of the account;
  • Susceptibility to misstatement due to error or fraud;
  • Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;
  • Nature of the account or disclosure;
  • Accounting and reporting complexities associated with the account or disclosure;
  • Exposure to losses in the account;
  • Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;
  • Existence of related party transactions in the account; and
  • Changes from the prior period in account and disclosure characteristics.

61.      As part of identifying significant accounts and disclosures and their relevant assertions, the auditor also should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure.

62.      The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; accordingly, significant accounts and disclosures and their relevant assertions are the same for both audits.

Note:  In the financial statement audit, the auditor might perform substantive auditing procedures on financial statement accounts, disclosures, and assertions that are not determined to be significant accounts and disclosures and relevant assertions.35/

63.      The components of a potential significant account or disclosure might be subject to significantly differing risks.

64.      When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements.

Factors Relevant to Identifying Fraud Risks

65.      The auditor should evaluate whether the information gathered from the risk assessment procedures indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks. Fraud risk factors are events or conditions that indicate (1) an incentive or pressure to perpetrate fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances in which fraud exists. Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are listed in AU sec. 316.85. These illustrative risk factors are classified based on the three conditions discussed in this paragraph, which generally are present when fraud exists.

Note:  The factors listed in AU sec. 316.85 cover a broad range of situations and are only examples. Accordingly, the auditor might identify additional or different fraud risk factors.

66.      All three conditions discussed in the preceding paragraph are not required to be observed or evident to conclude that a fraud risk exists. The auditor might conclude that a fraud risk exists even when only one of these three conditions is present.

67.      Consideration of the Risk of Omitted, Incomplete, or Inaccurate Disclosures. The auditor's evaluation of fraud risk factors in accordance with paragraph 65 should include evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures or by omitting  disclosures that are necessary for the financial statements to be presented fairly in conformity with the applicable financial reporting framework.

68.      Presumption of Fraud Risk Involving Improper Revenue Recognition. The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks.

69.      Consideration of the Risk of Management Override of Controls. The auditor's identification of fraud risks should include the risk of management override of controls.

Note:  Controls over management override are important to effective internal control over financial reporting for all companies, and may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and in the period-end financial reporting process. For smaller companies, the controls that address the risk of management override might be different from those at a larger company. For example, a smaller company might rely on more detailed oversight by the audit committee that focuses on the risk of management override.

Factors Relevant to Identifying Significant Risks

70.      To determine whether an identified and assessed risk is a significant risk, the auditor should evaluate whether the risk requires special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk.

Note:  The determination of whether a risk of material misstatement is a significant risk is based on inherent risk, without regard to the effect of controls.

71.      Factors that should be evaluated in determining which risks are significant risks include:

  1. The effect of the quantitative and qualitative risk factors discussed in paragraph 60 on the likelihood and potential magnitude of misstatements;
  2. Whether the risk is a fraud risk;

    Note:  A fraud risk is a significant risk.

  3. Whether the risk is related to recent significant economic, accounting, or other developments;
  4. The complexity of transactions;
  5. Whether the risk involves significant transactions with related parties;
  6. The degree of complexity or judgment in the recognition or measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
  7. Whether the risk involves significant transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size, or nature.

Further Consideration of Controls

72.      When the auditor has determined that a significant risk, including a fraud risk, exists, the auditor should evaluate the design of the company's controls that are intended to address fraud risks and other significant risks and determine whether those controls have been implemented, if the auditor has not already done so when obtaining an understanding of internal control, as described in paragraphs 18-40 of this standard.36/ /

73.      Controls that address fraud risks include (a) specific controls designed to mitigate specific risks of fraud, e.g., controls to address risks of intentional misstatement of specific accounts and (b) controls designed to prevent, deter, and detect fraud, e.g., controls to promote a culture of honesty and ethical behavior.37/ Such controls also include those that address the risk of management override of other controls.

Revision of Risk Assessment

74.      The auditor's assessment of the risks of material misstatement, including fraud risks, should continue throughout the audit. When the auditor obtains audit evidence during the course of the audit that contradicts the audit evidence on which the auditor originally based his or her risk assessment, the auditor should revise the risk assessment and modify planned audit procedures or perform additional procedures in response to the revised risk assessments.38/

1/ Paragraphs 5-8 of Auditing Standard No. 8, Audit Risk.

2/ Terms defined in Appendix A, Definitions, are set in boldface type the first time they appear.

3/ AU sec. 316, Consideration of Fraud in a Financial Statement Audit, discusses fraud, its characteristics, and the types of misstatements due to fraud that are relevant to the audit, i.e., misstatements arising from fraudulent financial reporting and misstatements arising from asset misappropriation.

4/ Auditing Standard No. 15, Audit Evidence, describes further audit procedures as consisting of tests of controls and substantive procedures.

5/ Paragraph 11 of Auditing Standard No. 15 discusses financial statement assertions.

6/ The auditor should look to the requirements of the Securities and Exchange Commission for the company under audit with respect to the accounting principles applicable to that company.

7/ AU sec. 317, Illegal Acts by Clients, discusses the auditor's consideration of laws and regulations relevant to the audit.

8/ Paragraphs 21-22 of this standard discuss components of internal control over financial reporting.

9/ Paragraph 13 of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, states, "The size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives. The size and complexity of the company also might affect the risks of misstatement and the controls necessary to address those risks."

10/ Paragraph 10 of Auditing Standard No. 15.

11/ Different internal control frameworks use different terms and approaches to describe the components of internal control over financial reporting.

12/ See Securities Exchange Act Release No. 34-47986 (June 5, 2003) for a description of the characteristics of a suitable, recognized framework.

13/ Paragraph 5 of Auditing Standard No. 5.

14/ Paragraph 25 of Auditing Standard No. 5.

15/ Paragraph A3 of Auditing Standard No. 5.

16/ Examples of such events and conditions include depreciation and amortization and conditions affecting the recoverability of assets.

17/ Paragraphs 12-13 of this standard.

18/ Also see paragraph B5 of Appendix B of this standard.

19/ In some companies, internal auditors or others performing an equivalent function contribute to the monitoring of controls. AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, establishes requirements regarding the auditor's consideration and use of the work of the internal audit function.

20/ See paragraphs 34-38 of Auditing Standard No. 5.

21/ Paragraphs 16-35 of Auditing Standard No. 13, The Auditor's Responses to the Risks of Material Misstatement.

22/ Paragraph B1 of Auditing Standard No. 5.

23/ Paragraph 22 of Auditing Standard No. 5.

24/ The entity-level controls included in paragraph 24 of Auditing Standard No. 5 include controls related to the control environment; the company's risk assessment process; centralized processing and controls; controls over the period-end financial reporting process; and controls to monitor other controls.

25/ See PCAOB Rule 3501(a)(i), which defines "affiliate of the accounting firm."

26/ Paragraph 7 of Auditing Standard No. 9, Audit Planning.

27/ Analytical procedures consist of evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data.

28/ Paragraphs 52-53 of this standard.

29/ See also paragraph 29 of Auditing Standard No. 14, Evaluating Audit Results.

30/ AU sec. 316.13.

31/ Paragraphs 20-23 of Auditing Standard No. 14 establish further requirements for evaluating whether misstatements might be indicative of fraud and determining the necessary procedures to be performed in those situations.

32/ Paragraphs 16-35 of Auditing Standard No. 13.

33/ Paragraph A10 of Auditing Standard No. 5 states:

An account or disclosure is a significant account or disclosure if there is a reasonable possibility that the account or disclosure could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether an account or disclosure is significant is based on inherent risk, without regard to the effect of controls.

34/ Paragraph A9 of Auditing Standard No. 5 states:

A relevant assertion is a financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is based on inherent risk, without regard to the effect of controls.

35/ The auditor might perform substantive auditing procedures because his or her assessment of the risk that undetected misstatement would cause the financial statements to be materially misstated is unacceptably high or as a means of introducing unpredictability in the procedures performed. See paragraphs 11, 14, and 25 of Auditing Standard No. 14, for further discussion about undetected misstatement. See paragraph 61 of Auditing Standard No. 5 and paragraph 5.c. of Auditing Standard No. 13, for further discussion about the unpredictability of auditing procedures.

36/ Auditing Standard No. 13 discusses the auditor's response to fraud risks and other significant risks.

37/ AU sec. 316.88 and paragraph 14 of Auditing Standard No. 5 present examples of controls that address fraud risks.

38/ See also paragraph 46 of Auditing Standard No. 13.

[Effective pursuant to SEC Release No. 34-63606, File No. PCAOB-2010-01 (December 23, 2010)]