The Auditor's Responses to the Risks of Material Misstatement
Effective Date: For audits of fiscal years beginning on or after Dec. 15, 2010
Final Rule: PCAOB Release No. 2010-004
Introduction
1. This standard establishes requirements regarding designing and implementing appropriate responses to the risks of material misstatement.
Objective
2. The objective of the auditor is to address the risks of material misstatement through appropriate overall audit responses and audit procedures.
Responding to the Risks of Material Misstatement
3. To meet the objective in the preceding paragraph, the auditor must design and implement audit responses that address the risks of material misstatement that are identified and assessed in accordance with Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement.
4. This standard discusses the following types of audit responses:
Overall Responses
5. The auditor should design and implement overall responses to address the assessed risks of material misstatement as follows:
6. The auditor also should determine whether it is necessary to make pervasive changes to the nature, timing, or extent of audit procedures to adequately address the assessed risks of material misstatement. Examples of such pervasive changes include modifying the audit strategy to:
7. Due professional care requires the auditor to exercise professional skepticism.4/ Professional skepticism is an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. The auditor's responses to the assessed risks of material misstatement, particularly fraud risks, should involve the application of professional skepticism in gathering and evaluating audit evidence.5/ Examples of the application of professional skepticism in response to the assessed fraud risks are (a) modifying the planned audit procedures to obtain more reliable evidence regarding relevant assertions and (b) obtaining sufficient appropriate evidence to corroborate management's explanations or representations concerning important matters, such as through third-party confirmation, use of a specialist engaged or employed by the auditor, or examination of documentation from independent sources.
Responses Involving the Nature, Timing, and Extent of Audit Procedures
8. The auditor should design and perform audit procedures in a manner that addresses the assessed risks of material misstatement for each relevant assertion of each significant account and disclosure.
9. In designing the audit procedures to be performed, the auditor should:
10. The audit procedures performed in response to the assessed risks of material misstatement can be classified into two categories: (1) tests of controls and (2) substantive procedures.9/ Paragraphs 16-35 of this standard discuss tests of controls, and paragraphs 36-46 discuss substantive procedures.
Responses to Significant Risks
11. For significant risks, the auditor should perform substantive procedures, including tests of details, that are specifically responsive to the assessed risks.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
11A. Responding to Risks Associated with Significant Unusual Transactions. Paragraph 71.g. of Auditing Standard No. 12 indicates that one of the factors to be evaluated in determining significant risks is whether the risk involves significant unusual transactions. Also, AU secs. 316.66–.67A establish requirements for performing procedures to respond to fraud risks regarding significant unusual transactions. Because significant unusual transactions can affect the risks of material misstatement due to error or fraud, the auditor should take into account the types of potential misstatements that could result from significant unusual transactions in designing and performing further audit procedures, including procedures performed pursuant to AU secs. 316.66–.67A.
Responses to Fraud Risks
12. The audit procedures that are necessary to address the assessed fraud risks depend upon the types of risks and the relevant assertions that might be affected.
13. Addressing Fraud Risks in the Audit of Financial Statements. In the audit of financial statements, the auditor should perform substantive procedures, including tests of details, that are specifically responsive to the assessed fraud risks. If the auditor selects certain controls intended to address the assessed fraud risks for testing in accordance with paragraphs 16–17 of this standard, the auditor should perform tests of those controls.
14. The following are examples of ways in which planned audit procedures may be modified to address assessed fraud risks:
15. Also, AU sec. 316 indicates that the auditor should perform audit procedures to specifically address the risk of management override of controls including:
[The following subparagraph c. is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
Testing Controls
Testing Controls in an Audit of Financial Statements
16. Controls to be Tested. If the auditor plans to assess control risk at less than the maximum by relying on controls,12/ and the nature, timing, and extent of planned substantive procedures are based on that lower assessment, the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.13/ However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so.
17. Also, tests of controls must be performed in the audit of financial statements for each relevant assertion for which substantive procedures alone cannot provide sufficient appropriate audit evidence and when necessary to support the auditor's reliance on the accuracy and completeness of financial information used in performing other audit procedures.14/
18. Evidence about the Effectiveness of Controls in the Audit of Financial Statements. In designing and performing tests of controls for the audit of financial statements, the evidence necessary to support the auditor's control risk assessment depends on the degree of reliance the auditor plans to place on the effectiveness of a control. The auditor should obtain more persuasive audit evidence from tests of controls the greater the reliance the auditor places on the effectiveness of a control. The auditor also should obtain more persuasive evidence about the effectiveness of controls for each relevant assertion for which the audit approach consists primarily of tests of controls, including situations in which substantive procedures alone cannot provide sufficient appropriate audit evidence.
Testing Design Effectiveness
19. The auditor should test the design effectiveness of the controls selected for testing by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements.
20. Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.15/
Testing Operating Effectiveness
21. The auditor should test the operating effectiveness of a control selected for testing by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
22. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control.
Obtaining Evidence from Tests of Controls
23. The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different combinations of the nature, timing, and extent of testing might provide sufficient evidence in relation to the degree of reliance in an audit of financial statements.
Nature of Tests of Controls
24. Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in the order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control.
25. The nature of the tests of controls that will provide appropriate evidence depends, to a large degree, on the nature of the control to be tested, including whether the operation of the control results in documentary evidence of its operation. Documentary evidence of the operation of some controls, such as management's philosophy and operating style, might not exist.
Extent of Tests of Controls
26. The more extensively a control is tested, the greater the evidence obtained from that test.
27. Matters that could affect the necessary extent of testing of a control in relation to the degree of reliance on a control include the following:
Timing of Tests of Controls
28. The timing of tests of controls relates to when the evidence about the operating effectiveness of the controls is obtained and the period of time to which it applies. Paragraph 16 of this standard indicates that the auditor must obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.
29. Using Audit Evidence Obtained during an Interim Period. When the auditor obtains evidence about the operating effectiveness of controls as of or through an interim date, he or she should determine what additional evidence is necessary concerning the operation of the controls for the remaining period of reliance.
30. The additional evidence that is necessary to update the results of testing from an interim date through the remaining period of reliance depends on the following factors:
31. Using Audit Evidence Obtained in Past Audits. For audits of financial statements, the auditor should obtain evidence during the current year audit about the design and operating effectiveness of controls upon which the auditor relies. When controls on which the auditor plans to rely have been tested in past audits and the auditor plans to use evidence about the effectiveness of those controls that was obtained in prior years, the auditor should take into account the following factors to determine the evidence needed during the current year audit to support the auditor's control risk assessments:
Assessing Control Risk
32. The auditor should assess control risk for relevant assertions by evaluating the evidence obtained from all sources, including the auditor's testing of controls for the audit of internal control and the audit of financial statements, misstatements detected during the financial statement audit, and any identified control deficiencies.
33. Control risk should be assessed at the maximum level for relevant assertions (1) for which controls necessary to sufficiently address the assessed risk of material misstatement in those assertions are missing or ineffective or (2) when the auditor has not obtained sufficient appropriate evidence to support a control risk assessment below the maximum level.
34. When deficiencies affecting the controls on which the auditor intends to rely are detected, the auditor should evaluate the severity of the deficiencies and the effect on the auditor's control risk assessments. If the auditor plans to rely on controls relating to an assertion but the controls that the auditor tests are ineffective because of control deficiencies, the auditor should:
Testing Controls in an Audit of Internal Control
35. Auditing Standard No. 5 states that the objective of the tests of controls in an audit of internal control is to obtain evidence about the effectiveness of controls to support the auditor's opinion on the company's internal control over financial reporting. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole.17/ Auditing Standard No. 5 establishes requirements regarding the selection of controls to be tested and the necessary nature, timing, and extent of tests of controls in an audit of internal control over financial reporting.
Substantive Procedures
36. The auditor should perform substantive procedures for each relevant assertion of each significant account and disclosure, regardless of the assessed level of control risk.
37. As the assessed risk of material misstatement increases, the evidence from substantive procedures that the auditor should obtain also increases. The evidence provided by the auditor's substantive procedures depends upon the mix of the nature, timing, and extent of those procedures. Further, for an individual assertion, different combinations of the nature, timing, and extent of testing might provide sufficient appropriate evidence to respond to the assessed risk of material misstatement.
38. Internal control over financial reporting has inherent limitations,18/ which, in turn, can affect the evidence that is needed from substantive procedures. For example, more evidence from substantive procedures ordinarily is needed for relevant assertions that have a higher susceptibility to management override or to lapses in judgment or breakdowns resulting from human failures.19/
Nature of Substantive Procedures
39. Substantive procedures generally provide persuasive evidence when they are designed and performed to obtain evidence that is relevant and reliable.
Also, some types of substantive procedures, by their nature, produce more persuasive evidence than others. Inquiry alone does not provide sufficient appropriate evidence to support a conclusion about a relevant assertion.
40. Taking into account the types of potential misstatements in the relevant assertions that could result from identified risks, as required by paragraph 9.b., can help the auditor determine the types and combination of substantive audit procedures that are necessary to detect material misstatements in the respective assertions.
41. Substantive Procedures Related to the Period-end Financial Reporting Process. The auditor's substantive procedures must include the following audit procedures related to the period-end financial reporting process:
Extent of Substantive Procedures
42. The more extensively a substantive procedure is performed, the greater the evidence obtained from the procedure. The necessary extent of a substantive audit procedure depends on the materiality of the account or disclosure, the assessed risk of material misstatement, and the necessary degree of assurance from the procedure. However, increasing the extent of an audit procedure cannot adequately address an assessed risk of material misstatement unless the evidence to be obtained from the procedure is reliable and relevant.
Timing of Substantive Procedures
43. Performing certain substantive procedures at interim dates may permit early consideration of matters affecting the year-end financial statements, e.g., testing material transactions involving higher risks of misstatement. However, performing substantive procedures at an interim date without performing procedures at a later date increases the risk that a material misstatement could exist in the year-end financial statements that would not be detected by the auditor. This risk increases as the period between the interim date and year end increases.
44. In determining whether it is appropriate to perform substantive procedures at an interim date, the auditor should take into account the following:
45. When substantive procedures are performed at an interim date, the auditor should cover the remaining period by performing substantive procedures, or substantive procedures combined with tests of controls, that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. Such procedures should include (a) comparing relevant information about the account balance at the interim date with comparable information at the end of the period to identify amounts that appear unusual and investigating such amounts and (b) performing audit procedures to test the remaining period.
46. If the auditor obtains evidence that contradicts the evidence on which the original risk assessments were based, including evidence of misstatements that he or she did not expect, the auditor should revise the related risk assessments and modify the planned nature, timing, or extent of substantive procedures covering the remaining period as necessary. Examples of such modifications include extending or repeating at the period end the procedures performed at the interim date.
Dual-purpose Tests
47. In some situations, the auditor might perform a substantive test of a transaction concurrently with a test of a control relevant to that transaction (a "dual-purpose test"). In those situations, the auditor should design the dual-purpose test to achieve the objectives of both the test of the control and the substantive test. Also, when performing a dual-purpose test, the auditor should evaluate the results of the test in forming conclusions about both the assertion and the effectiveness of the control being tested.20/
Which of the following is the best method for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor?
Run an automated tool to verify the security patches on production servers.
Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise's data?
Segregation of duties is correct.
What is the result of segmenting a highly sensitive database?
A. Segmenting data reduces the quantity of data exposed as a result of a particular event.