The Auditor's Responses to the Risks of Material Misstatement
Effective Date: For audits of fiscal years beginning on or after Dec. 15, 2010
Final Rule: PCAOB Release No. 2010-004
Summary Table of Contents
- (1) Introduction
- (2) Objective
- (3–4) Responding to the Risks of Material Misstatement
- (5–7) Overall Responses
- (8–15) Responses Involving the Nature, Timing, and Extent of Audit Procedures
- (16–35) Testing Controls
- (36–47) Substantive Procedures
- Appendix A—Definitions
1. This standard establishes requirements regarding designing and implementing appropriate responses to the risks of material misstatement.
2. The objective of the auditor is to address the risks of material misstatement through appropriate overall audit responses and audit procedures.
3. To meet the objective in the preceding paragraph, the auditor must design and implement audit responses that address the risks of material misstatement that are identified and assessed in accordance with Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement.
4. This standard discusses the following types of audit responses:
- Responses that have an overall effect on how the audit is conducted ("overall responses"), as described in paragraphs 5–7; and
- Responses involving the nature, timing, and extent of the audit procedures to be performed, as described in paragraphs 8–46.
5. The auditor should design and implement overall responses to address the assessed risks of material misstatement as follows:
- Making appropriate assignments of significant engagement responsibilities. The knowledge, skill, and ability of engagement team members with significant engagement responsibilities should be commensurate with the assessed risks of material misstatement.1/
- Providing the extent of supervision that is appropriate for the circumstances, including, in particular, the assessed risks of material misstatement. (See paragraphs 5–6 of Auditing Standard No. 10, Supervision of the Audit Engagement.)
- Incorporating elements of unpredictability in the selection of audit procedures to be performed. As part of the auditor's response to the assessed risks of material misstatement, including the assessed risks of material misstatement due to fraud ("fraud risks"), the auditor should incorporate an element of unpredictability in the selection of auditing procedures to be performed from year to year. Examples of ways to incorporate an element of unpredictability include:
  (1) Performing audit procedures related to accounts, disclosures, and assertions that would not otherwise be tested based on their amount or the auditor's assessment of risk;
  (2) Varying the timing of the audit procedures;
  (3) Selecting items for testing that have lower amounts or are otherwise outside customary selection parameters;
  (4) Performing audit procedures on an unannounced basis; and
  (5) In multi-location audits, varying the location or the nature, timing, and extent of audit procedures at related locations or business units from year to year.2/
- Evaluating the company's selection and application of significant accounting principles. The auditor should evaluate whether the company's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions,3/ are indicative of bias that could lead to material misstatement of the financial statements.
6. The auditor also should determine whether it is necessary to make pervasive changes to the nature, timing, or extent of audit procedures to adequately address the assessed risks of material misstatement. Examples of such pervasive changes include modifying the audit strategy to:
- Increase the substantive testing of the valuation of numerous significant accounts at year end because of significantly deteriorating market conditions, and
- Obtain more persuasive audit evidence from substantive procedures due to the identification of pervasive weaknesses in the company's control environment.
7. Due professional care requires the auditor to exercise professional skepticism.4/ Professional skepticism is an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. The auditor's responses to the assessed risks of material misstatement, particularly fraud risks, should involve the application of professional skepticism in gathering and evaluating audit evidence.5/ Examples of the application of professional skepticism in response to the assessed fraud risks are (a) modifying the planned audit procedures to obtain more reliable evidence regarding relevant assertions and (b) obtaining sufficient appropriate evidence to corroborate management's explanations or representations concerning important matters, such as through third-party confirmation, use of a specialist engaged or employed by the auditor, or examination of documentation from independent sources.
8. The auditor should design and perform audit procedures in a manner that addresses the assessed risks of material misstatement for each relevant assertion of each significant account and disclosure.
9. In designing the audit procedures to be performed, the auditor should:
- Obtain more persuasive audit evidence the higher the auditor's assessment of risk;
- Take into account the types of potential misstatements that could result from the identified risks and the likelihood and magnitude of potential misstatement;6/
- In an integrated audit, design the testing of controls to accomplish the objectives of both audits simultaneously:
  (1) To obtain sufficient evidence to support the auditor's control risk7/ assessments for purposes of the audit of financial statements;8/ and
  (2) To obtain sufficient evidence to support the auditor's opinion on internal control over financial reporting as of year-end.
Note: Auditing Standard No. 5 establishes requirements for tests of controls in the audit of internal control over financial reporting.
10. The audit procedures performed in response to the assessed risks of material misstatement can be classified into two categories: (1) tests of controls and (2) substantive procedures.9/ Paragraphs 16-35 of this standard discuss tests of controls, and paragraphs 36-46 discuss substantive procedures.
Note: Paragraphs 16–17 of this standard discuss when tests of controls are necessary in a financial statement audit. Ordinarily, tests of controls are performed for relevant assertions for which the auditor chooses to rely on controls to modify his or her substantive procedures.
Responses to Significant Risks
11. For significant risks, the auditor should perform substantive procedures, including tests of details, that are specifically responsive to the assessed risks.
Note: Auditing Standard No. 12 discusses identification of significant risks10/ and states that fraud risks are significant risks.
11A. Responding to Risks Associated with Significant Unusual Transactions. Paragraph 71.g. of Auditing Standard No. 12 indicates that one of the factors to be evaluated in determining significant risks is whether the risk involves significant unusual transactions. Also, AU secs. 316.66–.67A establish requirements for performing procedures to respond to fraud risks regarding significant unusual transactions. Because significant unusual transactions can affect the risks of material misstatement due to error or fraud, the auditor should take into account the types of potential misstatements that could result from significant unusual transactions in designing and performing further audit procedures, including procedures performed pursuant to AU secs. 316.66–.67A.
Responses to Fraud Risks
12. The audit procedures that are necessary to address the assessed fraud risks depend upon the types of risks and the relevant assertions that might be affected.
Note: If the auditor identifies deficiencies in controls that are intended to address assessed fraud risks, the auditor should take into account those deficiencies when designing his or her response to those fraud risks.
Note: Auditing Standard No. 5 establishes requirements for addressing assessed fraud risks in the audit of internal control over financial reporting.11/
13. Addressing Fraud Risks in the Audit of Financial Statements. In the audit of financial statements, the auditor should perform substantive procedures, including tests of details, that are specifically responsive to the assessed fraud risks. If the auditor selects certain controls intended to address the assessed fraud risks for testing in accordance with paragraphs 16–17 of this standard, the auditor should perform tests of those controls.
14. The following are examples of ways in which planned audit procedures may be modified to address assessed fraud risks:
- Changing the nature of audit procedures to obtain evidence that is more reliable or to obtain additional corroborative information;
- Changing the timing of audit procedures to be closer to the end of the period or to the points during the period in which fraudulent transactions are more likely to occur; and
- Changing the extent of the procedures applied to obtain more evidence, e.g., by increasing sample sizes or applying computer-assisted audit techniques to all of the items in an account.
Note: AU secs. 316.54–.67 provide additional examples of responses to assessed fraud risks relating to fraudulent financial reporting (e.g., revenue recognition, inventory quantities, and management estimates) and misappropriation of assets in the audit of financial statements.
15. Also, AU sec. 316 indicates that the auditor should perform audit procedures to specifically address the risk of management override of controls including:
- Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud (AU secs. 316.58–.62);
- Reviewing accounting estimates for biases that could result in material misstatement due to fraud (AU secs. 316.63–.65); and
- Evaluating whether the business purpose for significant transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size, or nature ("significant unusual transactions") indicates that the transactions may have been entered into to engage in fraudulent financial reporting or conceal misappropriation of assets (AU secs. 316.66–.67A).
[The following subparagraph c. is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
Testing Controls in an Audit of Financial Statements
16. Controls to be Tested. If the auditor plans to assess control risk at less than the maximum by relying on controls,12/ and the nature, timing, and extent of planned substantive procedures are based on that lower assessment, the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.13/ However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so.
17. Also, tests of controls must be performed in the audit of financial statements for each relevant assertion for which substantive procedures alone cannot provide sufficient appropriate audit evidence and when necessary to support the auditor's reliance on the accuracy and completeness of financial information used in performing other audit procedures.14/
Note: When a significant amount of information supporting one or more relevant assertions is electronically initiated, recorded, processed, or reported, it might be impossible to design effective substantive tests that, by themselves, would provide sufficient appropriate evidence regarding the assertions. For such assertions, significant audit evidence may be available only in electronic form. In such cases, the sufficiency and appropriateness of the audit evidence usually depend on the effectiveness of controls over their accuracy and completeness. Furthermore, the potential for improper initiation or alteration of information to occur and not be detected may be greater if information is initiated, recorded, processed, or reported only in electronic form and appropriate controls are not operating effectively.
18. Evidence about the Effectiveness of Controls in the Audit of Financial Statements. In designing and performing tests of controls for the audit of financial statements, the evidence necessary to support the auditor's control risk assessment depends on the degree of reliance the auditor plans to place on the effectiveness of a control. The auditor should obtain more persuasive audit evidence from tests of controls the greater the reliance the auditor places on the effectiveness of a control. The auditor also should obtain more persuasive evidence about the effectiveness of controls for each relevant assertion for which the audit approach consists primarily of tests of controls, including situations in which substantive procedures alone cannot provide sufficient appropriate audit evidence.
Testing Design Effectiveness
19. The auditor should test the design effectiveness of the controls selected for testing by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements.
Note: A smaller, less complex company might achieve its control objectives in a different manner from a larger, more complex organization. For example, a smaller, less complex company might have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the company to implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective.
20. Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.15/
Testing Operating Effectiveness
21. The auditor should test the operating effectiveness of a control selected for testing by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
22. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control.
Obtaining Evidence from Tests of Controls
23. The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different combinations of the nature, timing, and extent of testing might provide sufficient evidence in relation to the degree of reliance in an audit of financial statements.
Note: To obtain evidence about whether a control is effective, the control must be tested directly; the effectiveness of a control cannot be inferred from the absence of misstatements detected by substantive procedures.
Nature of Tests of Controls
24. Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in the order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control.
Note: Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control.
25. The nature of the tests of controls that will provide appropriate evidence depends, to a large degree, on the nature of the control to be tested, including whether the operation of the control results in documentary evidence of its operation. Documentary evidence of the operation of some controls, such as management's philosophy and operating style, might not exist.
Note: A smaller, less complex company or unit might have less formal documentation regarding the operation of its controls. In those situations, testing controls through inquiry combined with other procedures, such as observation of activities, inspection of less formal documentation, or re-performance of certain controls, might provide sufficient evidence about whether the control is effective.
Extent of Tests of Controls
26. The more extensively a control is tested, the greater the evidence obtained from that test.
27. Matters that could affect the necessary extent of testing of a control in relation to the degree of reliance on a control include the following:
- The frequency of the performance of the control by the company during the audit period;
- The length of time during the audit period that the auditor is relying on the operating effectiveness of the control;
- The expected rate of deviation from a control;
- The relevance and reliability of the audit evidence to be obtained regarding the operating effectiveness of the control;
- The extent to which audit evidence is obtained from tests of other controls related to the assertion;
- The nature of the control, including, in particular, whether it is a manual control or an automated control; and
- For an automated control, the effectiveness of relevant information technology general controls.
Note: AU sec. 350, Audit Sampling, establishes requirements regarding the use of sampling in tests of controls.
Timing of Tests of Controls
28. The timing of tests of controls relates to when the evidence about the operating effectiveness of the controls is obtained and the period of time to which it applies. Paragraph 16 of this standard indicates that the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.
29. Using Audit Evidence Obtained during an Interim Period. When the auditor obtains evidence about the operating effectiveness of controls as of or through an interim date, he or she should determine what additional evidence is necessary concerning the operation of the controls for the remaining period of reliance.
30. The additional evidence that is necessary to update the results of testing from an interim date through the remaining period of reliance depends on the following factors:
- The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date;
Note: If there have been significant changes to the control since the interim date, the auditor should obtain evidence about the effectiveness of the new or modified control;
- The inherent risk associated with the related account(s) or assertion(s);
- The specific control tested prior to year end, including the nature of the control and the risk that the control is no longer effective during the remaining period, and the results of the tests of the control;
- The planned degree of reliance on the control;
- The sufficiency of the evidence of effectiveness obtained at an interim date; and
- The length of the remaining period.
31. Using Audit Evidence Obtained in Past Audits. For audits of financial statements, the auditor should obtain evidence during the current year audit about the design and operating effectiveness of controls upon which the auditor relies. When controls on which the auditor plans to rely have been tested in past audits and the auditor plans to use evidence about the effectiveness of those controls that was obtained in prior years, the auditor should take into account the following factors to determine the evidence needed during the current year audit to support the auditor's control risk assessments:
- The nature and materiality of misstatements that the control is intended to prevent or detect;
- The inherent risk associated with the related account(s) or assertion(s);
- Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
- Whether the account has a history of errors;
- The effectiveness of entity-level controls that the auditor has tested, especially controls that monitor other controls;
- The nature of the controls and the frequency with which they operate;
- The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
- The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance;
- Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective);16/
- The complexity of the control and the significance of the judgments that must be made in connection with its operation;
- The planned degree of reliance on the control;
- The nature, timing, and extent of procedures performed in past audits;
- The results of the previous years' testing of the control;
- Whether there have been changes in the control or the process in which it operates since the previous audit; and
- For integrated audits, the evidence regarding the effectiveness of the controls obtained during the audit of internal control.
Assessing Control Risk
32. The auditor should assess control risk for relevant assertions by evaluating the evidence obtained from all sources, including the auditor's testing of controls for the audit of internal control and the audit of financial statements, misstatements detected during the financial statement audit, and any identified control deficiencies.
33. Control risk should be assessed at the maximum level for relevant assertions (1) for which controls necessary to sufficiently address the assessed risk of material misstatement in those assertions are missing or ineffective or (2) when the auditor has not obtained sufficient appropriate evidence to support a control risk assessment below the maximum level.
34. When deficiencies affecting the controls on which the auditor intends to rely are detected, the auditor should evaluate the severity of the deficiencies and the effect on the auditor's control risk assessments. If the auditor plans to rely on controls relating to an assertion but the controls that the auditor tests are ineffective because of control deficiencies, the auditor should:
- Perform tests of other controls related to the same assertion as the ineffective controls, or
- Revise the control risk assessment and modify the planned substantive procedures as necessary in light of the increased assessment of risk.
Note: Auditing Standard No. 5 establishes requirements for evaluating the severity of a control deficiency and communicating identified control deficiencies to management and the audit committee in an integrated audit. AU sec. 325, Communications About Control Deficiencies in an Audit of Financial Statements, establishes requirements for communicating significant deficiencies and material weaknesses in an audit of financial statements only.
Testing Controls in an Audit of Internal Control
35. Auditing Standard No. 5 states that the objective of the tests of controls in an audit of internal control is to obtain evidence about the effectiveness of controls to support the auditor's opinion on the company's internal control over financial reporting. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole.17/ Auditing Standard No. 5 establishes requirements regarding the selection of controls to be tested and the necessary nature, timing, and extent of tests of controls in an audit of internal control over financial reporting.
36. The auditor should perform substantive procedures for each relevant assertion of each significant account and disclosure, regardless of the assessed level of control risk.
37. As the assessed risk of material misstatement increases, the evidence from substantive procedures that the auditor should obtain also increases. The evidence provided by the auditor's substantive procedures depends upon the mix of the nature, timing, and extent of those procedures. Further, for an individual assertion, different combinations of the nature, timing, and extent of testing might provide sufficient appropriate evidence to respond to the assessed risk of material misstatement.
38. Internal control over financial reporting has inherent limitations,18/ which, in turn, can affect the evidence that is needed from substantive procedures. For example, more evidence from substantive procedures ordinarily is needed for relevant assertions that have a higher susceptibility to management override or to lapses in judgment or breakdowns resulting from human failures.19/
Nature of Substantive Procedures
39. Substantive procedures generally provide persuasive evidence when they are designed and performed to obtain evidence that is relevant and reliable. Also, some types of substantive procedures, by their nature, produce more persuasive evidence than others. Inquiry alone does not provide sufficient appropriate evidence to support a conclusion about a relevant assertion.
Note: Auditing Standard No. 15 discusses certain types of substantive procedures and the relevance and reliability of audit evidence.
40. Taking into account the types of potential misstatements in the relevant assertions that could result from identified risks, as required by paragraph 9.b., can help the auditor determine the types and combination of substantive audit procedures that are necessary to detect material misstatements in the respective assertions.
41. Substantive Procedures Related to the Period-end Financial Reporting Process. The auditor's substantive procedures must include the following audit procedures related to the period-end financial reporting process:
- Reconciling the financial statements with the underlying accounting records; and
- Examining material adjustments made during the course of preparing the financial statements.
Note: AU secs. 316.58–.62 establish requirements for examining journal entries and other adjustments for evidence of possible material misstatement due to fraud.
Extent of Substantive Procedures
42. The more extensively a substantive procedure is performed, the greater the evidence obtained from the procedure. The necessary extent of a substantive audit procedure depends on the materiality of the account or disclosure, the assessed risk of material misstatement, and the necessary degree of assurance from the procedure. However, increasing the extent of an audit procedure cannot adequately address an assessed risk of material misstatement unless the evidence to be obtained from the procedure is reliable and relevant.
Timing of Substantive Procedures
43. Performing certain substantive procedures at interim dates may permit early consideration of matters affecting the year-end financial statements, e.g., testing material transactions involving higher risks of misstatement. However, performing substantive procedures at an interim date without performing procedures at a later date increases the risk that a material misstatement could exist in the year-end financial statements that would not be detected by the auditor. This risk increases as the period between the interim date and year end increases.
44. In determining whether it is appropriate to perform substantive procedures at an interim date, the auditor should take into account the following:
- The assessed risk of material misstatement, including:
  (1) The auditor's assessment of control risk, as discussed in paragraphs 32–34;
  (2) The existence of conditions or circumstances, if any, that create incentives or pressures on management to misstate the financial statements between the interim test date and the end of the period covered by the financial statements;
  (3) The effects of known or expected changes in the company, its environment, or its internal control over financial reporting during the remaining period;
- The nature of the substantive procedures;
- The nature of the account or disclosure and relevant assertion; and
- The ability of the auditor to perform the necessary audit procedures to cover the remaining period.
45. When substantive procedures are performed at an interim date, the auditor should cover the remaining period by performing substantive procedures, or substantive procedures combined with tests of controls, that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. Such procedures should include (a) comparing relevant information about the account balance at the interim date with comparable information at the end of the period to identify amounts that appear unusual and investigating such amounts and (b) performing audit procedures to test the remaining period.
46. If the auditor obtains evidence that contradicts the evidence on which the original risk assessments were based, including evidence of misstatements that he or she did not expect, the auditor should revise the related risk assessments and modify the planned nature, timing, or extent of substantive procedures covering the remaining period as necessary. Examples of such modifications include extending or repeating at the period end the procedures performed at the interim date.
47. In some situations, the auditor might perform a substantive test of a transaction concurrently with a test of a control relevant to that transaction (a "dual-purpose test"). In those situations, the auditor should design the dual-purpose test to achieve the objectives of both the test of the control and the substantive test. Also, when performing a dual-purpose test, the auditor should evaluate the results of the test in forming conclusions about both the assertion and the effectiveness of the control being tested.20/
1/ See also paragraph .06 of AU sec. 230, Due Professional Care in the Performance of Work.
2/ For integrated audits, paragraphs 61 and B13 of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, establish requirements for introducing unpredictability in testing of controls from year to year and in multi-location audits.
[The following footnote is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
3/ Paragraphs 12–13 of Auditing Standard No. 12 discuss the auditor's responsibilities regarding obtaining an understanding of the company's selection and application of accounting principles. See also paragraphs .66–.67A of AU sec. 316, Consideration of Fraud in a Financial Statement Audit, and paragraphs .04 and .06 of AU sec. 411, The Meaning of Present Fairly in Conformity With Generally Accepted Accounting Principles.
4/ AU secs. 230.07–.09.
5/ AU sec. 316.13.
6/ For example, potential misstatements regarding disclosures include omission of required disclosures or presentation of inaccurate or incomplete disclosures.
7/ See paragraph 7.b. of Auditing Standard No. 8, Audit Risk, for a definition of control risk.
8/ For purposes of this standard, the term "audit of financial statements" refers to the financial statement portion of the integrated audit and to the audit of financial statements only.
9/ Substantive procedures consist of (a) tests of details of accounts and disclosures and (b) substantive analytical procedures.
10/ See paragraph 71 of Auditing Standard No. 12 for factors that the auditor should evaluate in determining which risks are significant risks.
11/ Paragraphs 14–15 of Auditing Standard No. 5.
12/ Reliance on controls that is supported by sufficient and appropriate audit evidence allows the auditor to assess control risk at less than the maximum, which results in a lower assessed risk of material misstatement. In turn, this allows the auditor to modify the nature, timing, and extent of planned substantive procedures.
13/ Terms defined in Appendix A, Definitions, are set in boldface type the first time they appear.
14/ Paragraph 10 of Auditing Standard No. 15, Audit Evidence, and paragraph .16 of AU sec. 329, Substantive Analytical Procedures.
15/ Paragraphs 37–38 of Auditing Standard No. 12 discuss performing a walkthrough.
16/ The auditor also may use a benchmarking strategy, when appropriate, for automated application controls in subsequent years' audits. Benchmarking is described further beginning at paragraph B28 of Auditing Standard No. 5.
17/ Paragraph B1 of Auditing Standard No. 5.
18/ Paragraph A5 of Auditing Standard No. 5.
19/ See, e.g., paragraph .14 of AU sec. 328, Auditing Fair Value Measurements and Disclosures.
20/ Paragraph .44 of AU sec. 350 discusses applying audit sampling in dual-purpose tests.