(Supersedes SAS No. 82)
Source: SAS No. 99.
Effective for audits of financial statements for periods beginning on or after December 15, 2002.
Section 110, Responsibilities and Functions of the Independent Auditor, paragraph .02, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [footnote omitted]" fn 1 This section establishes standards and provides guidance to auditors in fulfilling that responsibility, as it relates to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS). fn 2
[The following note is effective for audits of fiscal years ending on or after November 15, 2007. See PCAOB Release 2007-005.]
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraphs 14-15 of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, regarding fraud considerations, in addition to the fraud consideration set forth in this section.
The following is an overview of the organization and content of this section:
Description and characteristics of fraud. This section describes fraud and its characteristics. (See paragraphs .05 through .12.)
The importance of exercising professional skepticism. This section discusses the need for auditors to exercise professional skepticism when considering the possibility that a material misstatement due to fraud could be present. (See paragraph .13.)
Discussion among engagement personnel regarding the risks of material misstatement due to fraud. This section requires, as part of planning the audit, that there be a discussion among the audit team members to consider how and where the entity's financial statements might be susceptible to material misstatement due to fraud and to reinforce the importance of adopting an appropriate mindset of professional skepticism. (See paragraphs .14 through .18.)
Obtaining the information needed to identify risks of material misstatement due to fraud. This section requires the auditor to gather information necessary to identify risks of material misstatement due to fraud, by
a. Inquiring of management and others within the entity about the risks of fraud. (See paragraphs .20 through .27.)
b. Considering the results of the analytical procedures performed in planning the audit. (See paragraphs .28 through .30.)
c. Considering fraud risk factors. (See paragraphs .31 through .33, and the Appendix, "Examples of Fraud Risk Factors" [paragraph .85].)
d. Considering certain other information. (See paragraph .34.)
Identifying risks that may result in a material misstatement due to fraud. This section requires the auditor to use the information gathered to identify risks that may result in a material misstatement due to fraud. (See paragraphs .35 through .42.)
Assessing the identified risks after taking into account an evaluation of the entity's programs and controls. This section requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement due to fraud, and to assess the risks taking into account this evaluation. (See paragraphs .43 through .45.)
Responding to the results of the assessment. This section emphasizes that the auditor's response to the risks of material misstatement due to fraud involves the application of professional skepticism when gathering and evaluating audit evidence. (See paragraphs .46 through .49.) The section requires the auditor to respond to the results of the risk assessment in three ways:
a. A response that has an overall effect on how the audit is conducted, that is, a response involving more general considerations apart from the specific procedures otherwise planned. (See paragraph .50.)
b. A response to identified risks that involves the nature, timing, and extent of the auditing procedures to be performed. (See paragraphs .51 through .56.)
c. A response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls. (See paragraphs .57 through .67.)
Evaluating audit evidence. This section requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment. (See paragraphs .68 through .74.) It also requires the auditor to consider whether identified misstatements may be indicative of fraud and, if so, directs the auditor to evaluate their implications. (See paragraphs .75 through .78.)
Communicating about fraud to management, the audit committee, and others. This section provides guidance regarding the auditor's communications about fraud to management, the audit committee, and others. (See paragraphs .79 through .82.)
Documenting the auditor's consideration of fraud. This section describes related documentation requirements. (See paragraph .83.)
The requirements and guidance set forth in this section are intended to be integrated into an overall audit process, in a logical manner that is consistent with the requirements and guidance provided in other sections, including section 311, Planning and Supervision; section 312, Audit Risk and Materiality in Conducting an Audit; and section 319, Consideration of Internal Control in a Financial Statement Audit. Even though some requirements and guidance set forth in this section are presented in a manner that suggests a sequential audit process, auditing in fact involves a continuous process of gathering, updating, and analyzing information throughout the audit. Accordingly, the sequence of the requirements and guidance in this section may be implemented differently among audit engagements.
Although this section focuses on the auditor's consideration of fraud in an audit of financial statements, it is management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud. fn 3 That responsibility is described in section 110.03, which states, "Management is responsible for adopting sound accounting policies and for establishing and maintaining internal control that will, among other things, initiate, record, process, and report transactions (as well as events and conditions) consistent with management's assertions embodied in the financial statements." Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee, board of trustees, board of directors, or the owner in owner-managed entities), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud. When management and those responsible for the oversight of the financial reporting process fulfill those responsibilities, the opportunities to commit fraud can be reduced significantly.
Fraud is a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor's interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. For purposes of the section, fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit. fn 4
Two types of misstatements are relevant to the auditor's consideration of fraud—misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.
Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in financial statements designed to deceive financial statement users where the effect causes the financial statements not to be presented, in all material respects, in conformity with generally accepted accounting principles (GAAP). fn 5 Fraudulent financial reporting may be accomplished by the following:
Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared
Misrepresentation in or intentional omission from the financial statements of events, transactions, or other significant information
Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure
Fraudulent financial reporting need not be the result of a grand plan or conspiracy. It may be that management representatives rationalize the appropriateness of a material misstatement, for example, as an aggressive rather than indefensible interpretation of complex accounting rules, or as a temporary misstatement of financial statements, including interim statements, expected to be corrected later when operational results improve.
Misstatements arising from misappropriation of assets (sometimes referred to as theft or defalcation) involve the theft of an entity's assets where the effect of the theft causes the financial statements not to be presented, in all material respects, in conformity with GAAP. Misappropriation of assets can be accomplished in various ways, including embezzling receipts, stealing assets, or causing an entity to pay for goods or services that have not been received. Misappropriation of assets may be accompanied by false or misleading records or documents, possibly created by circumventing controls. The scope of this section includes only those misappropriations of assets for which the effect of the misappropriation causes the financial statements not to be fairly presented, in all material respects, in conformity with GAAP.
Three conditions generally are present when fraud occurs. First, management or other employees have an incentive or are under pressure, which provides a reason to commit fraud. Second, circumstances exist—for example, the absence of controls, ineffective controls, or the ability of management to override controls—that provide an opportunity for a fraud to be perpetrated. Third, those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act. However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient pressure on them. The greater the incentive or pressure, the more likely an individual will be able to rationalize the acceptability of committing fraud.
Management has a unique ability to perpetrate fraud because it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively. fn 6 Management can either direct employees to perpetrate fraud or solicit their help in carrying it out. In addition, management personnel at a component of the entity may be in a position to manipulate the accounting records of the component in a manner that causes a material misstatement in the consolidated financial statements of the entity. Management override of controls can occur in unpredictable ways.
Typically, management and employees engaged in fraud will take steps to conceal the fraud from the auditors and others within and outside the organization. Fraud may be concealed by withholding evidence or misrepresenting information in response to inquiries or by falsifying documentation. For example, management that engages in fraudulent financial reporting might alter shipping documents. Employees or members of management who misappropriate cash might try to conceal their thefts by forging signatures or falsifying electronic approvals on disbursement authorizations. An audit conducted in accordance with GAAS rarely involves the authentication of such documentation, nor are auditors trained as or expected to be experts in such authentication. In addition, an auditor may not discover the existence of a modification of documentation through a side agreement that management or a third party has not disclosed.
Fraud also may be concealed through collusion among management, employees, or third parties. Collusion may cause the auditor who has properly performed the audit to conclude that evidence provided is persuasive when it is, in fact, false. For example, through collusion, false evidence that controls have been operating effectively may be presented to the auditor, or consistent misleading explanations may be given to the auditor by more than one individual within the entity to explain an unexpected result of an analytical procedure. As another example, the auditor may receive a false confirmation from a third party that is in collusion with management.
Although fraud usually is concealed and management's intent is difficult to determine, the presence of certain conditions may suggest to the auditor the possibility that fraud may exist. For example, an important contract may be missing, a subsidiary ledger may not be satisfactorily reconciled to its control account, or the results of an analytical procedure performed during the audit may not be consistent with expectations. However, these conditions may be the result of circumstances other than fraud. Documents may legitimately have been lost or misfiled; the subsidiary ledger may be out of balance with its control account because of an unintentional accounting error; and unexpected analytical relationships may be the result of unanticipated changes in underlying economic factors. Even reports of alleged fraud may not always be reliable because an employee or outsider may be mistaken or may be motivated for unknown reasons to make a false allegation.
As indicated in paragraph .01, the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error. fn 7 However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud.
Due professional care requires the auditor to exercise professional skepticism. See section 230, Due Professional Care in the Performance of Work, paragraphs .07 through .09. Because of the characteristics of fraud, the auditor's exercise of professional skepticism is important when considering the risk of material misstatement due to fraud. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest.
Prior to or in conjunction with the information-gathering procedures described in paragraphs .19 through .34 of this section, members of the audit team should discuss the potential for material misstatement due to fraud. The discussion should include:
An exchange of ideas or "brainstorming" among the audit team members, including the auditor with final responsibility for the audit, about how and where they believe the entity's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. (See paragraph .15.)
An emphasis on the importance of maintaining the proper state of mind throughout the audit regarding the potential for material misstatement due to fraud. (See paragraph .16.)
The discussion among the audit team members about the susceptibility of the entity's financial statements to material misstatement due to fraud should include a consideration of the known external and internal factors affecting the entity that might (a) create incentives/pressures for management and others to commit fraud, (b) provide the opportunity for fraud to be perpetrated, and (c) indicate a culture or environment that enables management to rationalize committing fraud. The discussion should occur with an attitude that includes a questioning mind as described in paragraph .16 and, for this purpose, setting aside any prior beliefs the audit team members may have that management is honest and has integrity. In this regard, the discussion should include a consideration of the risk of management override of controls. fn 8 Finally, the discussion should include how the auditor might respond to the susceptibility of the entity's financial statements to material misstatement due to fraud.
The discussion among the audit team members should emphasize the need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating evidence throughout the audit, as described in paragraph .13. This should lead the audit team members to continually be alert for information or other conditions (such as those presented in paragraph .68) that indicate a material misstatement due to fraud may have occurred. It should also lead audit team members to thoroughly probe the issues, acquire additional evidence as necessary, and consult with other team members and, if appropriate, experts in the firm, rather than rationalize or dismiss information or other conditions that indicate a material misstatement due to fraud may have occurred.
Although professional judgment should be used in determining which audit team members should be included in the discussion, the discussion ordinarily should involve the key members of the audit team. A number of factors will influence the extent of the discussion and how it should occur. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor to consider in planning the discussions is whether to include specialists assigned to the audit team. For example, if the auditor has determined that a professional possessing information technology skills is needed on the audit team (see section 319.32), it may be useful to include that individual in the discussion.
Section 311.06–.08 provides guidance about how the auditor obtains knowledge about the entity's business and the industry in which it operates. In performing that work, information may come to the auditor's attention that should be considered in identifying risks of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures to obtain information that is used (as described in paragraphs .35 through .42) to identify the risks of material misstatement due to fraud:
a. Make inquiries of management and others within the entity to obtain their views about the risks of fraud and how they are addressed. (See paragraphs .20 through .27.)
b. Consider any unusual or unexpected relationships that have been identified in performing analytical procedures in planning the audit. (See paragraphs .28 through .30.)
c. Consider whether one or more fraud risk factors exist. (See paragraphs .31 through .33, and the Appendix [paragraph .85].)
d. Consider other information that may be helpful in the identification of risks of material misstatement due to fraud. (See paragraph .34.)
The auditor should inquire of management about: fn 9
Whether management has knowledge of any fraud or suspected fraud affecting the entity
Whether management is aware of allegations of fraud or suspected fraud affecting the entity, for example, received in communications from employees, former employees, analysts, regulators, short sellers, or others
Management's understanding about the risks of fraud in the entity, including any specific fraud risks the entity has identified or account balances or classes of transactions for which a risk of fraud may be likely to exist
Programs and controls fn 10 the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls. For examples of programs and controls an entity may implement to prevent, deter, and detect fraud, see the exhibit titled "Management Antifraud Programs and Controls" [paragraph .88] at the end of this section.
For an entity with multiple locations, (a) the nature and extent of monitoring of operating locations or business segments, and (b) whether there are particular operating locations or business segments for which a risk of fraud may be more likely to exist
Whether and how management communicates to employees its views on business practices and ethical behavior
The inquiries of management also should include whether management has reported to the audit committee or others with equivalent authority and responsibility fn 11 (hereafter referred to as the audit committee) on how the entity's internal control fn 12 serves to prevent, deter, or detect material misstatements due to fraud.
The auditor also should inquire directly of the audit committee (or at least its chair) regarding the audit committee's views about the risks of fraud and whether the audit committee has knowledge of any fraud or suspected fraud affecting the entity. An entity's audit committee sometimes assumes an active role in oversight of the entity's assessment of the risks of fraud and the programs and controls the entity has established to mitigate these risks. The auditor should obtain an understanding of how the audit committee exercises oversight activities in that area.
For entities that have an internal audit function, the auditor also should inquire of appropriate internal audit personnel about their views about the risks of fraud, whether they have performed any procedures to identify or detect fraud during the year, whether management has satisfactorily responded to any findings resulting from these procedures, and whether the internal auditors have knowledge of any fraud or suspected fraud.
In addition to the inquiries outlined in paragraphs .20 through .23, the auditor should inquire of others within the entity about the existence or suspicion of fraud. The auditor should use professional judgment to determine those others within the entity to whom inquiries should be directed and the extent of such inquiries. In making this determination, the auditor should consider whether others within the entity may be able to provide information that will be helpful to the auditor in identifying risks of material misstatement due to fraud—for example, others who may have additional knowledge about or be able to corroborate risks of fraud identified in the discussions with management (see paragraph .20) or the audit committee (see paragraph .22).
Examples of others within the entity to whom the auditor may wish to direct these inquiries include:
Employees with varying levels of authority within the entity, including, for example, entity personnel with whom the auditor comes into contact during the course of the audit in obtaining (a) an understanding of the entity's systems and internal control, (b) in observing inventory or performing cutoff procedures, or (c) in obtaining explanations for fluctuations noted as a result of analytical procedures
Operating personnel not directly involved in the financial reporting process
Employees involved in initiating, recording, or processing complex or unusual transactions—for example, a sales transaction with multiple elements, or a significant related party transaction
In-house legal counsel
The auditor's inquiries of management and others within the entity are important because fraud often is uncovered through information received in response to inquiries. One reason for this is that such inquiries may provide individuals with an opportunity to convey information to the auditor that otherwise might not be communicated. Making inquiries of others within the entity, in addition to management, may be useful in providing the auditor with a perspective that is different from that of individuals involved in the financial reporting process. The responses to these other inquiries might serve to corroborate responses received from management, or alternatively, might provide information regarding the possibility of management override of controls—for example, a response from an employee indicating an unusual change in the way transactions have been processed. In addition, the auditor may obtain information from these inquiries regarding how effectively management has communicated standards of ethical behavior to individuals throughout the organization.
The auditor should be aware when evaluating management's responses to the inquiries discussed in paragraph .20 that management is often in the best position to perpetrate fraud. The auditor should use professional judgment in deciding when it is necessary to corroborate responses to inquiries with other information. However, when responses are inconsistent among inquiries, the auditor should obtain additional audit evidence to resolve the inconsistencies.
Section 329, Analytical Procedures, paragraphs .04 and .06, requires that analytical procedures be performed in planning the audit with an objective of identifying the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have financial statement and audit planning implications. In performing analytical procedures in planning the audit, the auditor develops expectations about plausible relationships that are reasonably expected to exist, based on the auditor's understanding of the entity and its environment. When comparison of those expectations with recorded amounts or ratios developed from recorded amounts yields unusual or unexpected relationships, the auditor should consider those results in identifying the risks of material misstatement due to fraud.
In planning the audit, the auditor also should perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. An example of such an analytical procedure that addresses this objective is a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales. As another example, a trend analysis of revenues by month and sales returns by month during and shortly after the reporting period may indicate the existence of undisclosed side agreements with customers to return goods that would preclude revenue recognition. fn 13
Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.
Because fraud is usually concealed, material misstatements due to fraud are difficult to detect. Nevertheless, the auditor may identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Such events or conditions are referred to as "fraud risk factors." Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists.
When obtaining information about the entity and its environment, the auditor should consider whether the information indicates that one or more fraud risk factors are present. The auditor should use professional judgment in determining whether a risk factor is present and should be considered in identifying and assessing the risks of material misstatement due to fraud.
Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are presented in the Appendix [paragraph .85]. These illustrative risk factors are classified based on the three conditions generally present when fraud exists: incentive/pressure to perpetrate fraud, an opportunity to carry out the fraud, and attitude/rationalization to justify the fraudulent action. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may wish to consider additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
The auditor should consider other information that may be helpful in identifying risks of material misstatement due to fraud. Specifically, the discussion among the engagement team members (see paragraphs .14 through .18) may provide information helpful in identifying such risks. In addition, the auditor should consider whether information from the results of (a) procedures relating to the acceptance and continuance of clients and engagements fn 14 and (b) reviews of interim financial statements may be relevant in the identification of such risks. Finally, as part of the consideration of audit risk at the individual account balance or class of transaction level (see section 312.24 through .33), the auditor should consider whether identified inherent risks would provide useful information in identifying the risks of material misstatement due to fraud (see paragraph .39).
In identifying risks of material misstatement due to fraud, it is helpful for the auditor to consider the information that has been gathered (see paragraphs .19 through .34) in the context of the three conditions present when a material misstatement due to fraud occurs—that is, incentives/pressures, opportunities, and attitudes/rationalizations (see paragraph .07). However, the auditor should not assume that all three conditions must be observed or evident before concluding that there are identified risks. Although the risk of material misstatement due to fraud may be greatest when all three fraud conditions are observed or evident, the auditor cannot assume that the inability to observe one or two of these conditions means there is no risk of material misstatement due to fraud. In fact, observing that individuals have the requisite attitude to commit fraud, or identifying factors that indicate a likelihood that management or other employees will rationalize committing a fraud, is difficult at best.
In addition, the extent to which each of the three conditions referred to above is present when fraud occurs may vary. In some instances the significance of incentives/pressures may result in a risk of material misstatement due to fraud, apart from the significance of the other two conditions. For example, an incentive/pressure to achieve an earnings level to preclude a loan default, or to "trigger" incentive compensation plan awards, may alone result in a risk of material misstatement due to fraud. In other instances, an easy opportunity to commit the fraud because of a lack of controls may be the dominant condition precipitating the risk of fraud, or an individual's attitude or ability to rationalize unethical actions may be sufficient to motivate that individual to engage in fraud, even in the absence of significant incentives/pressures or opportunities.
The auditor's identification of fraud risks also may be influenced by characteristics such as the size, complexity, and ownership attributes of the entity. For example, in the case of a larger entity, the auditor ordinarily considers factors that generally constrain improper conduct by management, such as the effectiveness of the audit committee and the internal audit function, and the existence and enforcement of a formal code of conduct. In the case of a smaller entity, some or all of these considerations may be inapplicable or less important, and management may have developed a culture that emphasizes the importance of integrity and ethical behavior through oral communication and management by example. Also, the risks of material misstatement due to fraud may vary among operating locations or business segments of an entity, requiring an identification of the risks related to specific geographic areas or business segments, as well as for the entity as a whole. fn 15
The auditor should evaluate whether identified risks of material misstatement due to fraud can be related to specific financial-statement account balances or classes of transactions and related assertions, or whether they relate more pervasively to the financial statements as a whole. Relating the risks of material misstatement due to fraud to the individual accounts, classes of transactions, and assertions will assist the auditor in subsequently designing appropriate auditing procedures.
Certain accounts, classes of transactions, and assertions that have high inherent risk because they involve a high degree of management judgment and subjectivity also may present risks of material misstatement due to fraud because they are susceptible to manipulation by management. For example, liabilities resulting from a restructuring may be deemed to have high inherent risk because of the high degree of subjectivity and management judgment involved in their estimation. Similarly, revenues for software developers may be deemed to have high inherent risk because of the complex accounting principles applicable to the recognition and measurement of software revenue transactions. Assets resulting from investing activities may be deemed to have high inherent risk because of the subjectivity and management judgment involved in estimating fair values of those investments.
In summary, the identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:
The type of risk that may exist, that is, whether it involves fraudulent financial reporting or misappropriation of assets
The significance of the risk, that is, whether it is of a magnitude that could result in a possible material misstatement of the financial statements
The likelihood of the risk, that is, the likelihood that it will result in a material misstatement in the financial statements fn 16
The pervasiveness of the risk, that is, whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions.
Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (for example, through premature revenue recognition or recording fictitious revenues) or an understatement of revenues (for example, through improperly shifting revenues to a later period). Therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition. (See paragraph .54 for examples of auditing procedures related to the risk of improper revenue recognition.) fn 17
Even if specific risks of material misstatement due to fraud are not identified by the auditor, there is a possibility that management override of controls could occur, and accordingly, the auditor should address that risk (see paragraph .57) apart from any conclusions regarding the existence of more specifically identifiable risks.
Section 319 requires the auditor to obtain an understanding of each of the five components of internal control sufficient to plan the audit. It also notes that such knowledge should be used to identify types of potential misstatements, consider factors that affect the risk of material misstatement, design tests of controls when applicable, and design substantive tests. Additionally, section 319 notes that controls, whether manual or automated, can be circumvented by collusion of two or more people or inappropriate management override of internal control.
As part of the understanding of internal control sufficient to plan the audit, the auditor should evaluate whether entity programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation. fn 18 These programs and controls may involve (a) specific controls designed to mitigate specific risks of fraud—for example, controls to address specific assets susceptible to misappropriation, and (b) broader programs designed to prevent, deter, and detect fraud—for example, programs to promote a culture of honesty and ethical behavior. The auditor should consider whether such programs and controls mitigate the identified risks of material misstatement due to fraud or whether specific control deficiencies may exacerbate the risks (see paragraph .80). The exhibit at the end of this section [paragraph .88] discusses examples of programs and controls an entity might implement to create a culture of honesty and ethical behavior, and that help to prevent, deter, and detect fraud.
After the auditor has evaluated whether the entity's programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation, the auditor should assess these risks taking into account that evaluation. This assessment should be considered when developing the auditor's response to the identified risks of material misstatement due to fraud (see paragraphs .46 through .67). fn 19
The auditor's response to the assessment of the risks of material misstatement due to fraud involves the application of professional skepticism in gathering and evaluating audit evidence. As noted in paragraph .13, professional skepticism is an attitude that includes a critical assessment of the competency and sufficiency of audit evidence. Examples of the application of professional skepticism in response to the risks of material misstatement due to fraud are (a) designing additional or different auditing procedures to obtain more reliable evidence in support of specified financial statement account balances, classes of transactions, and related assertions, and (b) obtaining additional corroboration of management's explanations or representations concerning material matters, such as through third-party confirmation, the use of a specialist, analytical procedures, examination of documentation from independent sources, or inquiries of others within or outside the entity.
The auditor's response to the assessment of the risks of material misstatement of the financial statements due to fraud is influenced by the nature and significance of the risks identified as being present (paragraphs .35 through .42) and the entity's programs and controls that address these identified risks (paragraphs .43 through .45).
The auditor responds to risks of material misstatement due to fraud in the following three ways:
a. A response that has an overall effect on how the audit is conducted—that is, a response involving more general considerations apart from the specific procedures otherwise planned (see paragraph .50).
b. A response to identified risks involving the nature, timing, and extent of the auditing procedures to be performed (see paragraphs .51 through .56).
c. A response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls, given the unpredictable ways in which such override could occur (see paragraphs .57 through .67).
The auditor may conclude that it would not be practicable to design auditing procedures that sufficiently address the risks of material misstatement due to fraud. In that case, withdrawal from the engagement with communication to the appropriate parties may be an appropriate course of action (see paragraph .78).
Judgments about the risk of material misstatement due to fraud have an overall effect on how the audit is conducted in the following ways:
Assignment of personnel and supervision. The knowledge, skill, and ability of personnel assigned significant engagement responsibilities should be commensurate with the auditor's assessment of the risks of material misstatement due to fraud for the engagement (see section 210, Training and Proficiency of the Independent Auditor, paragraph .03). For example, the auditor may respond to an identified risk of material misstatement due to fraud by assigning additional persons with specialized skill and knowledge, such as forensic and information technology (IT) specialists, or by assigning more experienced personnel to the engagement. In addition, the extent of supervision should reflect the risks of material misstatement due to fraud (see section 311.11).
Accounting principles. The auditor should consider management's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions. In this respect, the auditor may have a greater concern about whether the accounting principles selected and policies adopted are being applied in an inappropriate manner to create a material misstatement of the financial statements. In developing judgments about the quality of such principles (see section 380, Communication With Audit Committees, paragraph .11), the auditor should consider whether their collective application indicates a bias that may create such a material misstatement of the financial statements.
Predictability of auditing procedures. The auditor should incorporate an element of unpredictability in the selection from year to year of auditing procedures to be performed—for example, performing substantive tests of selected account balances and assertions not otherwise tested due to their materiality or risk, adjusting the timing of testing from that otherwise expected, using differing sampling methods, and performing procedures at different locations or at locations on an unannounced basis.
The auditing procedures performed in response to identified risks of material misstatement due to fraud will vary depending upon the types of risks identified and the account balances, classes of transactions, and related assertions that may be affected. These procedures may involve both substantive tests and tests of the operating effectiveness of the entity's programs and controls. However, because management may have the ability to override controls that otherwise appear to be operating effectively (see paragraph .08), it is unlikely that audit risk can be reduced to an appropriately low level by performing only tests of controls.
The auditor's responses to address specifically identified risks of material misstatement due to fraud may include changing the nature, timing, and extent of auditing procedures in the following ways:
The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information. For example, more evidential matter may be needed from independent sources outside the entity, such as public-record information about the existence and nature of key customers, vendors, or counterparties in a major transaction. Also, physical observation or inspection of certain assets may become more important (see section 326, Evidential Matter, paragraphs .15 through .21). Furthermore, the auditor may choose to employ computer-assisted audit techniques to gather more extensive evidence about data contained in significant accounts or electronic transaction files. Finally, inquiry of additional members of management or others may be helpful in identifying issues and corroborating other evidential matter (see paragraphs .24 through .26 and paragraph .53).
The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud (see section 313, Substantive Tests Prior to the Balance-Sheet Date). That is, the auditor might conclude that, given the risks of intentional misstatement or manipulation, tests to extend audit conclusions from an interim date to the period-end reporting date would not be effective.
In contrast, because an intentional misstatement—for example, a misstatement involving inappropriate revenue recognition—may have been initiated in an interim period, the auditor might elect to apply substantive tests to transactions occurring earlier in or throughout the reporting period.
The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate (see section 350, Audit Sampling, paragraph .23, and section 329). Also, computer-assisted audit techniques may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.
The following are examples of modification of the nature, timing, and extent of tests in response to identified risks of material misstatements due to fraud.
Performing procedures at locations on a surprise or unannounced basis, for example, observing inventory on unexpected dates or at unexpected locations or counting cash on a surprise basis.
Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimize the risk of manipulation of balances in the period between the date of completion of the count and the end of the reporting period.
Making oral inquiries of major customers and suppliers in addition to sending written confirmations, or sending confirmation requests to a specific party within an organization.
Performing substantive analytical procedures using disaggregated data, for example, comparing gross profit or operating margins by location, line of business, or month to auditor-developed expectations. fn 20
Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified to obtain their insights about the risk and how controls address the risk (also see paragraph .24).
If other independent auditors are auditing the financial statements of one or more subsidiaries, divisions, or branches, discussing with them the extent of work that needs to be performed to address the risk of material misstatement due to fraud resulting from transactions and activities among these components.
The following are additional examples of responses to identified risks of material misstatements relating to fraudulent financial reporting:
Revenue recognition. Because revenue recognition is dependent on the particular facts and circumstances, as well as accounting principles and practices that can vary by industry, the auditor ordinarily will develop auditing procedures based on the auditor's understanding of the entity and its environment, including the composition of revenues, specific attributes of the revenue transactions, and unique industry considerations. If there is an identified risk of material misstatement due to fraud that involves improper revenue recognition, the auditor also may want to consider:
Performing substantive analytical procedures relating to revenue using disaggregated data, for example, comparing revenue reported by month and by product line or business segment during the current reporting period with comparable prior periods. Computer-assisted audit techniques may be useful in identifying unusual or unexpected revenue relationships or transactions.
Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements. fn 21 For example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances.
Inquiring of the entity's sales and marketing personnel or in-house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.
Being physically present at one or more locations at period end to observe goods being shipped or being readied for shipment (or returns awaiting processing) and performing other appropriate sales and inventory cutoff procedures.
For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.
Inventory quantities. If there is an identified risk of material misstatement due to fraud that affects inventory quantities, examining the entity's inventory records may help identify locations or items that require specific attention during or after the physical inventory count. Such a review may lead to a decision to observe inventory counts at certain locations on an unannounced basis (see paragraph .53) or to conduct inventory counts at all locations on the same date. In addition, it may be appropriate for inventory counts to be conducted at or near the end of the reporting period to minimize the risk of inappropriate manipulation during the period between the count and the end of the reporting period.
It also may be appropriate for the auditor to perform additional procedures during the observation of the count, for example, more rigorously examining the contents of boxed items, the manner in which the goods are stacked (for example, hollow squares) or labeled, and the quality (that is, purity, grade, or concentration) of liquid substances such as perfumes or specialty chemicals. Using the work of a specialist may be helpful in this regard. fn 22 Furthermore, additional testing of count sheets, tags, or other records, or the retention of copies of these records, may be warranted to minimize the risk of subsequent alteration or inappropriate compilation.
Following the physical inventory count, the auditor may want to employ additional procedures directed at the quantities included in the priced out inventories to further test the reasonableness of the quantities counted—for example, comparison of quantities for the current period with prior periods by class or category of inventory, location or other criteria, or comparison of quantities counted with perpetual records. The auditor also may consider using computer-assisted audit techniques to further test the compilation of the physical inventory counts—for example, sorting by tag number to test tag controls or by item serial number to test the possibility of item omission or duplication.
Management estimates. The auditor may identify a risk of material misstatement due to fraud involving the development of management estimates. This risk may affect a number of accounts and assertions, including asset valuation, estimates relating to specific transactions (such as acquisitions, restructurings, or disposals of a segment of the business), and other significant accrued liabilities (such as pension and other postretirement benefit obligations, or environmental remediation liabilities). The risk may also relate to significant changes in assumptions relating to recurring estimates. As indicated in section 342, Auditing Accounting Estimates, estimates are based on subjective as well as objective factors and there is a potential for bias in the subjective factors, even when management's estimation process involves competent personnel using relevant and reliable data.
In addressing an identified risk of material misstatement due to fraud involving accounting estimates, the auditor may want to supplement the audit evidence otherwise obtained (see section 342.09 through .14). In certain circumstances (for example, evaluating the reasonableness of management's estimate of the fair value of a derivative), it may be appropriate to engage a specialist or develop an independent estimate for comparison to management's estimate. Information gathered about the entity and its environment may help the auditor evaluate the reasonableness of such management estimates and underlying judgments and assumptions.
A retrospective review of similar management judgments and assumptions applied in prior periods (see paragraphs .63 through .65) may also provide insight about the reasonableness of judgments and assumptions supporting management estimates.
The auditor may have identified a risk of material misstatement due to fraud relating to misappropriation of assets. For example, the auditor may conclude that the risk of asset misappropriation at a particular operating location is significant because a large amount of easily accessible cash is maintained at that location, or there are inventory items such as laptop computers at that location that can easily be moved and sold.
The auditor's response to a risk of material misstatement due to fraud relating to misappropriation of assets usually will be directed toward certain account balances. Although some of the audit responses noted in paragraphs .52 through .54 may apply in such circumstances, such as the procedures directed at inventory quantities, the scope of the work should be linked to the specific information about the misappropriation risk that has been identified. For example, if a particular asset is highly susceptible to misappropriation and a potential misstatement would be material to the financial statements, obtaining an understanding of the controls related to the prevention and detection of such misappropriation and testing the operating effectiveness of such controls may be warranted. In certain circumstances, physical inspection of such assets (for example, counting cash or securities) at or near the end of the reporting period may be appropriate. In addition, the use of substantive analytical procedures, such as the development by the auditor of an expected dollar amount at a high level of precision, to be compared with a recorded amount, may be effective in certain circumstances.
As noted in paragraph .08, management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively. By its nature, management override of controls can occur in unpredictable ways. Accordingly, in addition to overall responses (paragraph .50) and responses that address specifically identified risks of material misstatement due to fraud (see paragraphs .51 through .56), the procedures described in paragraphs .58 through .67 should be performed to further address the risk of management override of controls.
Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Material misstatements of financial statements due to fraud often involve the manipulation of the financial reporting process by (a) recording inappropriate or unauthorized journal entries throughout the year or at period end, or (b) making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as through consolidating adjustments, report combinations, and reclassifications. Accordingly, the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments (for example, entries posted directly to financial statement drafts) made in the preparation of the financial statements. More specifically, the auditor should:
a. Obtain an understanding of the entity's financial reporting process fn 23 and the controls over journal entries and other adjustments. (See paragraphs .59 and .60.)
b. Identify and select journal entries and other adjustments for testing. (See paragraph .61.)
c. Determine the timing of the testing. (See paragraph .62.)
d. Inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments.
The auditor's understanding of the entity's financial reporting process may help in identifying the type, number, and monetary value of journal entries and other adjustments that typically are made in preparing the financial statements. For example, the auditor's understanding may include the sources of significant debits and credits to an account, who can initiate entries to the general ledger or transaction processing systems, what approvals are required for such entries, and how journal entries are recorded (for example, entries may be initiated and recorded online with no physical evidence, or may be created in paper form and entered in batch mode).
An entity may have implemented specific controls over journal entries and other adjustments. For example, an entity may use journal entries that are preformatted with account numbers and specific user approval criteria, and may have automated controls to generate an exception report for any entries that were unsuccessfully proposed for recording or entries that were recorded and processed outside of established parameters. The auditor should obtain an understanding of the design of such controls over journal entries and other adjustments and determine whether they are suitably designed and have been placed in operation.
The auditor should use professional judgment in determining the nature, timing, and extent of the testing of journal entries and other adjustments. For purposes of identifying and selecting specific entries and other adjustments for testing, and determining the appropriate method of examining the underlying support for the items selected, the auditor should consider:
The auditor's assessment of the risk of material misstatement due to fraud. The presence of fraud risk factors or other conditions may help the auditor to identify specific classes of journal entries for testing and indicate the extent of testing necessary.
The effectiveness of controls that have been implemented over journal entries and other adjustments. Effective controls over the preparation and posting of journal entries and adjustments may affect the extent of substantive testing necessary, provided that the auditor has tested the operating effectiveness of those controls. However, even though controls might be implemented and operating effectively, the auditor's procedures for testing journal entries and other adjustments should include the identification and testing of specific items.
The entity's financial reporting process and the nature of the evidence that can be examined. The auditor's procedures for testing journal entries and other adjustments will vary based on the nature of the financial reporting process. For many entities, routine processing of transactions involves a combination of manual and automated steps and procedures. Similarly, the processing of journal entries and other adjustments might involve both manual and automated procedures and controls. Regardless of the method, the auditor's procedures should include selecting from the general ledger journal entries to be tested and examining support for those items. In addition, the auditor should be aware that journal entries and other adjustments might exist in either electronic or paper form. When information technology (IT) is used in the financial reporting process, journal entries and other adjustments might exist only in electronic form. Electronic evidence often requires extraction of the desired data by an auditor with IT knowledge and skills or the use of an IT specialist. In an IT environment, it may be necessary for the auditor to employ computer-assisted audit techniques (for example, report writers, software or data extraction tools, or other systems-based techniques) to identify the journal entries and other adjustments to be tested.
The characteristics of fraudulent entries or adjustments. Inappropriate journal entries and other adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual, or seldom-used accounts, (b) made by individuals who typically do not make journal entries, (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description, (d) made either before or during the preparation of the financial statements that do not have account numbers, or (e) containing round numbers or a consistent ending number.
The nature and complexity of the accounts. Inappropriate journal entries or adjustments may be applied to accounts that (a) contain transactions that are complex or unusual in nature, (b) contain significant estimates and period-end adjustments, (c) have been prone to errors in the past, (d) have not been reconciled on a timely basis or contain unreconciled differences, (e) contain intercompany transactions, or (f) are otherwise associated with an identified risk of material misstatement due to fraud. The auditor should recognize, however, that inappropriate journal entries and adjustments also might be made to other accounts. In audits of entities that have several locations or components, the auditor should consider the need to select journal entries from locations based on the factors set forth in section 312.18.
Journal entries or other adjustments processed outside the normal course of business. Standard journal entries used on a recurring basis to record transactions such as monthly sales, purchases, and cash disbursements, or to record recurring periodic accounting estimates generally are subject to the entity's internal controls. Nonstandard entries (for example, entries used to record nonrecurring transactions, such as a business combination, or entries used to record a nonrecurring estimate, such as an asset impairment) might not be subject to the same level of internal control. In addition, other adjustments such as consolidating adjustments, report combinations, and reclassifications generally are not reflected in formal journal entries and might not be subject to the entity's internal controls. Accordingly, the auditor should consider placing additional emphasis on identifying and testing items processed outside of the normal course of business.
Because fraudulent journal entries often are made at the end of a reporting period, the auditor's testing ordinarily should focus on the journal entries and other adjustments made at that time. However, because material misstatements in financial statements due to fraud can occur throughout the period and may involve extensive efforts to conceal how it is accomplished, the auditor should consider whether there also is a need to test journal entries throughout the period under audit.
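The following example is added here and is not part of the standard: one way to screen a journal-entry extract for characteristics (a) through (e) listed above, using a computer-assisted audit technique. The field layout, the thresholds, and the sample journal are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from decimal import Decimal

# Assumed engagement parameters; the standard sets no thresholds.
PERIOD_END = date(2023, 12, 31)
LATE_WINDOW = timedelta(days=5)  # what counts as "end of the period"
RARE_LIMIT = 2       # <= this many postings: seldom-used account / atypical poster
MIN_DESC_LEN = 10    # shorter text counts as little or no explanation
ENDING_REPEATS = 3   # same last three digits this often: consistent ending

# Constructed sample journal: (id, posted, user, account, amount, description)
JOURNAL = [
    ("JE-001", date(2023, 3, 14), "ap_clerk", "5000", Decimal("1284.37"), "March supplier invoices"),
    ("JE-002", date(2023, 6, 15), "ap_clerk", "5000", Decimal("2210.08"), "June supplier invoices"),
    ("JE-003", date(2023, 9, 15), "ap_clerk", "4000", Decimal("18450.12"), "Q3 sales accrual"),
    ("JE-004", date(2023, 11, 15), "ap_clerk", "4000", Decimal("9120.55"), "November sales"),
    ("JE-005", date(2023, 10, 2), "ap_clerk", "5000", Decimal("4999.99"), "Consulting fees"),
    ("JE-006", date(2023, 10, 9), "ap_clerk", "5000", Decimal("2999.99"), "Consulting fees"),
    ("JE-007", date(2023, 10, 16), "ap_clerk", "5000", Decimal("7999.99"), "Consulting fees"),
    ("JE-008", date(2023, 12, 30), "cfo", "1999", Decimal("250000.00"), ""),
    ("JE-009", date(2024, 1, 4), "cfo", "4000", Decimal("75000.00"), "adj"),
    ("JE-010", date(2023, 12, 29), "ap_clerk", "", Decimal("4312.66"), "Reclass per controller"),
]

def ending(amount):  # last three digits of the amount in cents: 4999.99 -> "999"
    return str(int(amount * 100))[-3:]

def flag_entries(journal, period_end=PERIOD_END):
    """Return {entry_id: [flags]} for characteristics (a) through (e)."""
    acct_use = Counter(e[3] for e in journal if e[3])
    user_use = Counter(e[2] for e in journal)
    end_use = Counter(ending(e[4]) for e in journal if e[4] % 1000)
    findings = {}
    for eid, posted, user, acct, amount, desc in journal:
        flags = []
        if acct and acct_use[acct] <= RARE_LIMIT:
            flags.append("a:seldom_used_account")
        if user_use[user] <= RARE_LIMIT:
            flags.append("b:atypical_poster")
        if posted >= period_end - LATE_WINDOW and len(desc.strip()) < MIN_DESC_LEN:
            flags.append("c:late_or_post_closing_unexplained")
        if not acct:
            flags.append("d:no_account_number")
        if amount % 1000 == 0:
            flags.append("e:round_amount")
        elif end_use[ending(amount)] >= ENDING_REPEATS:
            flags.append("e:consistent_ending")
        if flags:
            findings[eid] = flags
    return findings

if __name__ == "__main__":
    for eid, flags in flag_entries(JOURNAL).items():
        print(eid, ", ".join(flags))
```

A flag only selects an entry for testing; whether the entry is inappropriate remains a matter for the auditor's examination of the underlying support.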
Reviewing accounting estimates for biases that could result in material misstatement due to fraud. In preparing financial statements, management is responsible for making a number of judgments or assumptions that affect significant accounting estimates fn 24 and for monitoring the reasonableness of such estimates on an ongoing basis. Fraudulent financial reporting often is accomplished through intentional misstatement of accounting estimates. As discussed in section 312.36, the auditor should consider whether differences between estimates best supported by the audit evidence and the estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity's management, in which case the auditor should reconsider the estimates taken as a whole.
The auditor also should perform a retrospective review of significant accounting estimates reflected in the financial statements of the prior year to determine whether management judgments and assumptions relating to the estimates indicate a possible bias on the part of management. The significant accounting estimates selected for testing should include those that are based on highly sensitive assumptions or are otherwise significantly affected by judgments made by management. With the benefit of hindsight, a retrospective review should provide the auditor with additional information about whether there may be a possible bias on the part of management in making the current-year estimates. This review, however, is not intended to call into question the auditor's professional judgments made in the prior year that were based on information available at the time.
If the auditor identifies a possible bias on the part of management in making accounting estimates, the auditor should evaluate whether circumstances producing such a bias represent a risk of a material misstatement due to fraud. For example, information coming to the auditor's attention may indicate a risk that adjustments to the current-year estimates might be recorded at the instruction of management to arbitrarily achieve a specified earnings target.
Evaluating the business rationale for significant unusual transactions. During the course of the audit, the auditor may become aware of significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor's understanding of the entity and its environment. The auditor should gain an understanding of the business rationale for such transactions and whether that rationale (or the lack thereof) suggests that the transactions may have been entered into to engage in fraudulent financial reporting or conceal misappropriation of assets.
In understanding the business rationale for the transactions, the auditor should consider:
Whether the form of such transactions is overly complex (for example, involves multiple entities within a consolidated group or unrelated third parties).
Whether management has discussed the nature of and accounting for such transactions with the audit committee or board of directors.
Whether management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction.
Whether transactions that involve unconsolidated related parties, including special purpose entities, have been properly reviewed and approved by the audit committee or board of directors.
Whether the transactions involve previously unidentified related parties fn 25 or parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit.
Assessing risks of material misstatement due to fraud throughout the audit. The auditor's assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit. Conditions may be identified during fieldwork that change or support a judgment regarding the assessment of the risks, such as the following:
Discrepancies in the accounting records, including:
Transactions that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy
Unsupported or unauthorized balances or transactions
Last-minute adjustments that significantly affect financial results
Evidence of employees' access to systems and records inconsistent with that necessary to perform their authorized duties
Tips or complaints to the auditor about alleged fraud
Conflicting or missing evidential matter, including:
Missing documents
Documents that appear to have been altered fn 26
Unavailability of other than photocopied or electronically transmitted documents when documents in original form are expected to exist
Significant unexplained items on reconciliations
Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures (See paragraph .72.)
Unusual discrepancies between the entity's records and confirmation replies
Missing inventory or physical assets of significant magnitude
Unavailable or missing electronic evidence, inconsistent with the entity's record retention practices or policies
Inability to produce evidence of key systems development and program change testing and implementation activities for current-year system changes and deployments
Problematic or unusual relationships between the auditor and management, including:
Denial of access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought fn 27
Undue time pressures imposed by management to resolve complex or contentious issues
Complaints by management about the conduct of the audit or management intimidation of audit team members, particularly in connection with the auditor's critical assessment of audit evidence or in the resolution of potential disagreements with management
Unusual delays by the entity in providing requested information
Unwillingness to facilitate auditor access to key electronic files for testing through the use of computer-assisted audit techniques
Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel
An unwillingness to add or revise disclosures in the financial statements to make them more complete and transparent
Evaluating whether analytical procedures performed as substantive tests or in the overall review stage of the audit indicate a previously unrecognized risk of material misstatement due to fraud. As discussed in paragraphs .28 through .30, the auditor should consider whether analytical procedures performed in planning the audit result in identifying any unusual or unexpected relationships that should be considered in assessing the risks of material misstatement due to fraud. The auditor also should evaluate whether analytical procedures that were performed as substantive tests or in the overall review stage of the audit (see section 329) indicate a previously unrecognized risk of material misstatement due to fraud.
If not already performed during the overall review stage of the audit, the auditor should perform analytical procedures relating to revenue, as discussed in paragraph .29, through the end of the reporting period.
Determining which particular trends and relationships may indicate a risk of material misstatement due to fraud requires professional judgment. Unusual relationships involving year-end revenue and income often are particularly relevant. These might include, for example, (a) uncharacteristically large amounts of income being reported in the last week or two of the reporting period from unusual transactions, as well as (b) income that is inconsistent with trends in cash flow from operations.
Some unusual or unexpected analytical relationships may have been identified and may indicate a risk of material misstatement due to fraud because management or employees generally are unable to manipulate certain information to create seemingly normal or expected relationships. Some examples are as follows:
The relationship of net income to cash flows from operations may appear unusual because management recorded fictitious revenues and receivables but was unable to manipulate cash.
Changes in inventory, accounts payable, sales, or cost of sales from the prior period to the current period may be inconsistent, indicating a possible employee theft of inventory, because the employee was unable to manipulate all of the related accounts.
A comparison of the entity's profitability to industry trends, which management cannot manipulate, may indicate trends or differences for further consideration when identifying risks of material misstatement due to fraud.
A comparison of bad debt write-offs to comparable industry data, which employees cannot manipulate, may provide unexplained relationships that could indicate a possible theft of cash receipts.
An unexpected or unexplained relationship between sales volume as determined from the accounting records and production statistics maintained by operations personnel—which may be more difficult for management to manipulate—may indicate a possible misstatement of sales.
The auditor also should consider whether responses to inquiries throughout the audit about analytical relationships have been vague or implausible, or have produced evidence that is inconsistent with other evidential matter accumulated during the audit.
Evaluating the risks of material misstatement due to fraud at or near the completion of fieldwork. At or near the completion of fieldwork, the auditor should evaluate whether the accumulated results of auditing procedures and other observations (for example, conditions and analytical relationships noted in paragraphs .69 through .73) affect the assessment of the risks of material misstatement due to fraud made earlier in the audit. This evaluation primarily is a qualitative matter based on the auditor's judgment. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. As part of this evaluation, the auditor with final responsibility for the audit should ascertain that there has been appropriate communication with the other audit team members throughout the audit regarding information or conditions indicative of risks of material misstatement due to fraud. fn 28
Responding to misstatements that may be the result of fraud. When audit test results identify misstatements in the financial statements, the auditor should consider whether such misstatements may be indicative of fraud. fn 29 That determination affects the auditor's evaluation of materiality and the related responses necessary as a result of that evaluation. fn 30
If the auditor believes that misstatements are or may be the result of fraud, but the effect of the misstatements is not material to the financial statements, the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the person(s) involved. For example, fraud involving misappropriations of cash from a small petty cash fund normally would be of little significance to the auditor in assessing the risk of material misstatement due to fraud because both the manner of operating the fund and its size would tend to establish a limit on the amount of potential loss, and the custodianship of such funds normally is entrusted to a nonmanagement employee. fn 31 Conversely, if the matter involves higher-level management, even though the amount itself is not material to the financial statements, it may be indicative of a more pervasive problem, for example, implications about the integrity of management. fn 32 In such circumstances, the auditor should reevaluate the assessment of the risk of material misstatement due to fraud and its resulting impact on (a) the nature, timing, and extent of the tests of balances or transactions and (b) the assessment of the effectiveness of controls if control risk was assessed below the maximum.
If the auditor believes that the misstatement is or may be the result of fraud, and either has determined that the effect could be material to the financial statements or has been unable to evaluate whether the effect is material, the auditor should:
a. Attempt to obtain additional evidential matter to determine whether material fraud has occurred or is likely to have occurred, and, if so, its effect on the financial statements and the auditor's report thereon. fn 33
b. Consider the implications for other aspects of the audit (see paragraph .76).
c. Discuss the matter and the approach for further investigation with an appropriate level of management that is at least one level above those involved, and with senior management and the audit committee. fn 34
d. If appropriate, suggest that the client consult with legal counsel.
The auditor's consideration of the risks of material misstatement and the results of audit tests may indicate such a significant risk of material misstatement due to fraud that the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others with equivalent authority and responsibility. fn 35 Whether the auditor concludes that withdrawal from the engagement is appropriate may depend on (a) the implications about the integrity of management and (b) the diligence and cooperation of management or the board of directors in investigating the circumstances and taking appropriate action. Because of the variety of circumstances that may arise, it is not possible to definitively describe when withdrawal is appropriate. fn 36 The auditor may wish to consult with legal counsel when considering withdrawal from an engagement.
Whenever the auditor has determined that there is evidence that fraud may exist, that matter should be brought to the attention of an appropriate level of management. This is appropriate even if the matter might be considered inconsequential, such as a minor defalcation by an employee at a low level in the entity's organization. Fraud involving senior management and fraud (whether caused by senior management or other employees) that causes a material misstatement of the financial statements should be reported directly to the audit committee. In addition, the auditor should reach an understanding with the audit committee regarding the nature and extent of communications with the committee about misappropriations perpetrated by lower-level employees.
[The following paragraph is effective for audits of fiscal years ending on or after November 15, 2004, for accelerated filers, and on or after July 15, 2005, for all other issuers. See PCAOB Release No. 2004-008.]
If the auditor, as a result of the assessment of the risks of material misstatement, has identified risks of material misstatement due to fraud that have continuing control implications (whe