8_CSOE

Certified Sarbanes-Oxley Expert

(CSOE)

Part 8

Sarbanes Oxley Compliance

Professionals Association (SOXCPA)

The largest association of Sarbanes Oxley Professionals

in the world

Public Company Accounting Oversight Board

Auditing Standard No. 7 –

Engagement Quality Review

Effective Date: For engagement quality reviews

of audits and interim reviews for fiscal years
beginning on or after December 15, 2009

1
 8_CSOE

Section 103 of the Sarbanes-Oxley

Act

Section 103 of Sarbanes-Oxley directs the PCAOB
to set standards for public company audits …

… including a requirement for each registered
public accounting firm …

… to provide a concurring or second partner
review and approval of [each] audit report (and
other related information) …

… and concurring approval in its issuance

Section 103 of the Sarbanes-Oxley

Act

A well-performed ***engagement quality review
(EQR)*** can serve as an important safeguard
against …

… erroneous or insufficiently supported audit
opinions and, accordingly …

… can contribute to audit quality

2
 8_CSOE

Section 103 of the Sarbanes-Oxley

Act

A.S. No. 7 …

… should increase the likelihood that a registered
public accounting firm …

… will catch any significant engagement
deficiencies before it issues its audit report

Objective

The objective of the engagement quality reviewer
is to perform an evaluation of the significant
judgments made by the engagement team …

… and the related conclusions reached in forming
the overall conclusion on the engagement

3
 8_CSOE

Qualifications of an Engagement
Quality Reviewer

The engagement quality reviewer must be an
associated person of a registered public
accounting firm

An engagement quality reviewer from the firm
that issues the engagement report (or
communicates an engagement conclusion, if no
report is issued) must be a partner or another
individual in an equivalent position

The engagement quality reviewer may also be an
individual from outside the firm

Qualifications of an Engagement
Quality Reviewer

An engagement quality reviewer must have
competence, independence, integrity, and
objectivity

The firm's quality control policies and procedures
should include provisions to provide the firm with
reasonable assurance that the engagement quality
reviewer has sufficient competence,
independence, integrity, and objectivity to
perform the engagement quality review …

… in accordance with the standards of the PCAOB

4
 8_CSOE

Competence

The engagement quality reviewer …

… must possess the level of knowledge and
competence related …

… to accounting, auditing, and financial
reporting…

… required to serve as the engagement partner on
the engagement under review

Independence , Integrity,
Objectivity

The engagement quality reviewer …

… must be independent of the company …

… perform the engagement quality review with
integrity …

… and maintain objectivity in performing the
review

5
 8_CSOE

Independence , Integrity,
Objectivity

The reviewer may use assistants in performing the
engagement quality review

Personnel assisting the quality reviewer also must

be independent …

… perform the assigned procedures with
integrity…

… and maintain objectivity in performing the
review

Independence , Integrity,
Objectivity

To maintain objectivity …

… the engagement quality reviewer and others
who assist the reviewer should not make decisions
on behalf of the engagement team …

… or assume any of the responsibilities of the
engagement team

The person who served as the engagement partner
during either of the two audits preceding the audit
subject to the engagement quality review …

… may not be the engagement quality reviewer

6
 8_CSOE

Engagement Quality Review

Process

In an audit, the engagement quality reviewer
should:

A. Evaluate the significant judgments that relate to

engagement planning, including:

1. The consideration of the firm's recent

engagement experience with the company and
risks identified in connection with the firm's client
acceptance and retention process

Engagement Quality Review

Process

2. The consideration of the company's business …

… recent significant activities …

… and related financial reporting issues and risks

3. The judgments made about materiality and the

effect of those judgments on the engagement
strategy

7
 8_CSOE

Engagement Quality Review

Process

B. Evaluate the engagement team's assessment of,
and audit responses to:

1. Significant risks identified by the engagement

team, including fraud risks

2. Other significant risks identified by the

engagement quality reviewer through
performance of the procedures required by this
standard

Engagement Quality Review

Process

A significant risk is a risk of material
misstatement that requires special audit
consideration

C. Evaluate the significant judgments made about:

(1) the materiality and disposition of corrected

and uncorrected identified misstatements and

(2) the severity and disposition of identified
control deficiencies

8
 8_CSOE

Engagement Quality Review

Process

D. Review the engagement team's evaluation of
the firm's independence in relation to the
engagement

E. Review the engagement completion document

and confirm with the engagement partner that …

… there are no significant unresolved matters

F. Review the financial statements …

… management's report on internal control …

… and the related engagement report

Engagement Quality Review

Process

G. Read other information in documents
containing the financial statements to be filed with
the SEC …

… and evaluate whether the engagement team has
taken appropriate action with respect to *any
material inconsistencies* with the financial
statements …

… or material misstatements of fact of which the
engagement quality reviewer is aware

9
 8_CSOE

Engagement Quality Review

Process

H. Evaluate whether appropriate consultations
have taken place on difficult or contentious
matters

Review the documentation, including conclusions,
of such consultations

I. Evaluate whether appropriate matters have
been communicated or identified for
communication to the audit committee,
management, and other parties …

… such as regulatory bodies

Evaluation of Engagement
Documentation

The engagement quality reviewer should evaluate
whether the engagement documentation that he
or she reviewed:

A. Indicates that the engagement team responded

appropriately to significant risks

B. Supports the conclusions reached by the

engagement team with respect to the matters
reviewed

10
 8_CSOE

Concurring Approval of Issuance

In an audit …

… the engagement quality reviewer may provide
concurring approval of issuance …

… only if, after performing with due professional
care the review required by this standard …

… he or she is not aware of a significant
engagement deficiency

Concurring Approval of Issuance

A significant engagement deficiency in an audit
exists when:

(1) The engagement team failed to obtain

sufficient appropriate evidence in accordance with
the standards of the PCAOB

11
 8_CSOE

Concurring Approval of Issuance

(2) The engagement team reached an
inappropriate overall conclusion on the subject
matter of the engagement

(3) The engagement report is not appropriate in

the circumstances, or

(4) The firm is not independent of its client

Auditing Standards 8 to 15

12
 8_CSOE

Auditing Standards 8 to 15

On September 15, 2010 …

… the PCAOB filed with the SEC a notice on
Auditing Standards Related to the Auditor’s
Assessment of and Response to Risk and Related
Amendments to PCAOB Standards

Those eight auditing standards are:

Auditing Standard (“AS”) No. 8, Audit Risk

AS No. 9, Audit Planning

Auditing Standards 8 to 15

AS No. 10, Supervision of the Audit Engagement

AS No. 11, Consideration of Materiality in
Planning and Performing an Audit

AS No. 12, Identifying and Assessing Risks of
Material Misstatement

AS No. 13, The Auditor’s Responses to the Risks of
Material Misstatement

AS No. 14, Evaluating Audit Results

AS No. 15, Audit Evidence

13
 8_CSOE

Auditing Standards 8 to 15

December 23, 2010 - The SEC is granting approval
of the proposed rules

The rules are effective for audits of fiscal years

beginning on or after December 15, 2010

Auditing Standard No. 8 –

Audit Risk

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

14
 8_CSOE

Audit Risk

The objective of the auditor is to conduct the audit
of financial statements in a manner that reduces
audit risk to an appropriately low level

Audit Risk - To form an appropriate basis for
expressing an opinion on the financial
statements…

… the auditor must plan and perform the audit to
obtain reasonable assurance about whether the
financial statements are free of material
misstatement due to error or fraud

Audit Risk

Audit risk is the risk that the auditor expresses an
inappropriate audit opinion when …

… the financial statements are materially
misstated …

… i.e., the financial statements are not presented
fairly in conformity with the applicable financial
reporting framework

Audit risk is a function of the risk of material

misstatement and detection risk

15
 8_CSOE

Risk of Material Misstatement

The risk of material misstatement refers to the
risk that the financial statements are materially
misstated

This risk may be especially relevant to the

auditor's consideration of the risk of material
misstatement due to fraud

Risk of Material Misstatement

For example …

… an ineffective control environment …

… a lack of sufficient capital to continue
operations …

… and declining conditions affecting the
company's industry …

… might create pressures or opportunities for
management to manipulate the financial
statements …

… leading to higher risk of material misstatement

16
 8_CSOE

Risk of Material Misstatement

Risk of material misstatement at the assertion
level consists of the following components:

*Inherent risk* which refers to the susceptibility

of an assertion to a misstatement …

… due to error or fraud, that could be material ….

… individually or in combination with other
misstatements before consideration of any related
controls

Risk of Material Misstatement

*Control risk* which is the risk that a
misstatement due to error or fraud that …

… could occur in an assertion and that could be
material, individually or in combination with
other misstatements…

… will *not be prevented or detected on a timely
basis* by the company's internal control

Control risk is a function of the effectiveness of
the design and operation of internal control

17
 8_CSOE

Risk of Material Misstatement

Inherent risk and control risk are related to …

… the company, its environment, and its internal
control and the auditor assesses those risks based
on evidence he or she obtains

The auditor assesses inherent risk using
information obtained from performing risk
assessment procedures …

… and considering the characteristics of the
accounts and disclosures in the financial
statements

Detection Risk

In an audit of financial statements …

… *detection risk* is the risk that the procedures
performed by the auditor will not detect a
misstatement that exists …

… and that could be material individually or in
combination with other misstatements

18
 8_CSOE

Detection Risk

Detection risk is affected by:

(1) The effectiveness of the substantive procedures

and

(2) Their application by the auditor …

… i.e., whether the procedures were performed
with due professional care

Detection Risk

The higher the risk of material misstatement …

… the lower the level of detection risk needs to
be…

… in order to reduce audit risk to an appropriately
low level

19
 8_CSOE

Detection Risk

The auditor reduces the level of detection risk …

… through the nature, timing, and extent of the
substantive procedures performed

As the appropriate level of detection risk

decreases …

… the evidence from substantive procedures that
the auditor should obtain increases

Public Company Accounting Oversight Board

Auditing Standard No. 9 –

Audit Planning

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

20
 8_CSOE

Objective

This standard establishes requirements regarding
planning an audit

The objective of the auditor is to plan the audit so

that the audit is conducted effectively

Responsibility of the Engagement

Partner for Planning

The engagement partner is responsible for the
engagement and its performance …

… and for planning the audit

He/she may seek assistance from appropriate

engagement team members in fulfilling this
responsibility …

… but engagement team members should also
comply with the relevant requirements in this
standard

21
 8_CSOE

Planning an Audit

The term auditor encompasses both the
engagement partner and the engagement team
members who assist the engagement partner in
planning the audit

Planning the audit includes establishing the
overall audit strategy for the engagement and
developing an audit plan, which includes, in
particular …

… planned risk assessment procedures and
planned responses to the risks of material
misstatement

Planning an Audit

Planning is not a discrete phase of an audit but,
rather …

… a continual and iterative process that …

… might begin shortly after (or in connection
with) the completion of the previous audit …

… and continues until the completion of the
current audit

22
 8_CSOE

Preliminary Engagement Activities

The auditor should perform the following
activities at the beginning of the audit:

a. Perform procedures regarding the continuance

of the client relationship and the specific audit
engagement

Preliminary Engagement Activities

b. Determine compliance with independence and
ethics requirements

c. Establish an understanding with the client

regarding the services to be performed on the
engagement

23
 8_CSOE

Planning Activities

The nature and extent of planning activities that
are necessary …

… depend on the size and complexity of the
company …

… the auditor's previous experience with the
company …

… and changes in circumstances that occur during
the audit

Planning Activities

When developing the audit strategy and audit
plan …

… the auditor should evaluate whether the
following matters are important to the company's
financial statements and internal control over
financial reporting and, if so …

… how they will affect the auditor's procedures:

1. Knowledge of the company's internal control
over financial reporting obtained during other
engagements performed by the auditor

24
 8_CSOE

Planning Activities

2. Matters affecting the industry in which the
company operates …

… such as financial reporting practices, economic
conditions, laws and regulations, and
technological changes

3. Matters relating to the company's business …

… including its organization, operating
characteristics, and capital structure

Planning Activities

4. The extent of recent changes, if any …

… in the company, its operations, or its internal
control over financial reporting

5. The auditor's preliminary judgments about

materiality, risk, and, in integrated audits …

… other factors relating to the determination of
material weaknesses

25
 8_CSOE

Planning Activities

6. Control deficiencies previously communicated
to the audit committee or management

7. Legal or regulatory matters of which the

company is aware

8. The type and extent of available evidence

related to the effectiveness of the company's
internal control over financial reporting

Planning Activities

9. Preliminary judgments about the effectiveness
of internal control over financial reporting

10. Public information about the company

relevant to the evaluation of the likelihood of
material financial statement misstatements …

… and the effectiveness of the company's internal
control over financial reporting

26
 8_CSOE

Planning Activities

11. Knowledge about risks related to the company
evaluated as part of the auditor's client acceptance
and retention evaluation

12. The relative complexity of the company's

operations

Planning Activities

Factors that might indicate less complex
operations include:

- Fewer business lines

- Less complex business processes and financial
reporting systems

- More centralized accounting functions

- Extensive involvement by senior management in
the day-to-day activities of the business

- Fewer levels of management, each with a wide
span of control

27
 8_CSOE

Audit Strategy

The auditor should establish an overall audit
strategy that sets the scope, timing, and direction
of the audit …

… and guides the development of the audit plan

In establishing the overall audit strategy, the

auditor should take into account:

Audit Strategy

a. The reporting objectives of the engagement and
the nature of the communications required by
PCAOB standards

b. The factors that are significant in directing the

activities of the engagement team

28
 8_CSOE

Audit Strategy

c. The results of preliminary engagement activities
and …

… the auditor's evaluation of the important
matters

d. The nature, timing, and extent of resources

necessary to perform the engagement

Audit Plan

The auditor should develop and document an
audit plan that includes a description of:

a. The planned nature, timing, and extent of the
risk assessment procedures

b. The planned nature, timing, and extent of tests

of controls and substantive procedures

c. Other planned audit procedures required to be

performed

29
 8_CSOE

Multi-location Engagements

In an audit of the financial statements of a
company with operations in multiple locations or
business units …

… the auditor should determine the extent to
which audit procedures should be performed at
selected locations or business units to …

… obtain sufficient appropriate evidence to obtain
reasonable assurance about …

… whether the consolidated financial statements
are free of material misstatement

Multi-location Engagements

This includes determining the locations or
business units at which to perform audit
procedures …

… as well as the nature, timing, and extent of the
procedures to be performed at those individual
locations or business units

30
 8_CSOE

Multi-location Engagements

The auditor should assess the risks of material
misstatement to the consolidated financial
statements …

… associated with the location or business unit
and …

… correlate the amount of audit attention devoted
to the location or business unit …

… with the degree of risk of material misstatement
associated with that location or business unit

Multi-location Engagements

Factors that are relevant to the assessment of the
risks of material misstatement associated with a
particular location or business unit …

… and the determination of the necessary audit
procedures include:

31
 8_CSOE

Multi-location Engagements

a. The nature and amount of assets, liabilities, and
transactions executed at the location or business
unit …

… including, e.g., significant transactions executed
at the location or business unit that are outside
the normal course of business for the company …

… or that otherwise appear to be unusual given the
auditor's understanding of the company and its
environment

Multi-location Engagements

b. The materiality of the location or business unit

c. The specific risks associated with the location or

business unit that …

… present a reasonable possibility of material
misstatement to the company's consolidated
financial statements

32
 8_CSOE

Multi-location Engagements

d. Whether the risks of material misstatement
associated with the location or business unit …

… apply to other locations or business units …

… such that, in combination, they present a
reasonable possibility of material misstatement to
the company's consolidated financial statements

e. The degree of centralization of records or

information processing

Multi-location Engagements

f. The effectiveness of the control environment …

… particularly with respect to management's
control over the exercise of authority delegated to
others …

… and its ability to effectively supervise activities
at the location or business unit

g. The frequency, timing, and scope of monitoring

activities by the company or others at the location
or business unit

33
 8_CSOE

Changes During the Course of the

Audit

The auditor should modify the overall audit
strategy and the audit plan as necessary …

… if circumstances change significantly during the
course of the audit …

… including changes due to a revised assessment
of the risks of material misstatement …

… or the discovery of a previously unidentified
risk of material misstatement

Persons with Specialized Skill or

Knowledge

The auditor …

… should determine whether specialized skill or
knowledge is needed …

… to perform appropriate risk assessments, plan
or perform audit procedures …

… or evaluate audit results

34
 8_CSOE

Persons with Specialized Skill or

Knowledge

If a person with specialized skill or knowledge
employed or engaged by the auditor participates
in the audit …

… the auditor should have sufficient knowledge of
the subject matter to be addressed by such a
person to enable the auditor to:

Persons with Specialized Skill or

Knowledge

a. Communicate the objectives of that person's
work

b. Determine whether that person's procedures

meet the auditor's objectives

c. Evaluate the results of that person's
procedures…

… as they relate to the nature, timing, and extent
of other planned audit procedures and the effects
on the auditor's report

35
 8_CSOE

Additional Considerations in
Initial Audits

The auditor should undertake the following
activities before starting an initial audit:

a. Perform procedures regarding the acceptance

of the client relationship and the specific audit
engagement

b. Communicate with the predecessor auditor in

situations in which there has been a change of
auditors

Public Company Accounting Oversight Board

Auditing Standard No. 10 –

Supervision of the Audit
Engagement

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

36
 8_CSOE

Objective

This standard establishes requirements regarding
supervision of the audit engagement …

… including supervising the work of engagement
team members

The objective of the auditor is to supervise the

audit engagement, including supervising the work
of engagement team members …

… so that the work is performed as directed and
supports the conclusions reached

Responsibility of the Engagement

Partner for Supervision

The engagement partner is responsible for the
engagement and its performance …

… and for proper supervision of the work of
engagement team members …

… and for compliance with PCAOB standards …

… including standards regarding using the work
of specialists, other auditors, internal auditors,
and others who are involved in testing controls

37
 8_CSOE

Responsibility of the Engagement

Partner for Supervision

The engagement partner may seek assistance from
appropriate engagement team members …

… in fulfilling his or her responsibilities pursuant
to this standard

Engagement team members who assist the
engagement partner with supervision of the work
of other engagement team members …

… also should comply with the requirements in
this standard with respect to the supervisory
responsibilities assigned to them

Supervision of Engagement Team

Members

The engagement partner and, as applicable, other
engagement team members performing
supervisory activities should:

a. Inform engagement team members of their

responsibilities, including:

(1) The objectives of the procedures that they are

to perform

38
 8_CSOE

Supervision of Engagement Team

Members

(2) The nature, timing, and extent of procedures
they are to perform

(3) Matters that could affect the procedures to be

performed or the evaluation of the results of those
procedures …

… including relevant aspects of the company, its
environment, and its internal control over
financial reporting …

… and possible accounting and auditing issues

Supervision of Engagement Team

Members

b. Direct engagement team members to bring
significant accounting and auditing issues arising
during the audit …

… to the attention of the engagement partner or
other engagement team members performing
supervisory activities …

… so they can evaluate those issues and determine
that appropriate actions are taken in accordance
with PCAOB standards

39
 8_CSOE

Supervision of Engagement Team

Members

Each engagement team member has a
responsibility to bring to the attention of
appropriate persons …

… disagreements or concerns the engagement
team member might have …

… with respect to accounting and auditing issues
that he or she believes are of significance to the
financial statements or the auditor's report …

… regardless of how those disagreements or
concerns may have arisen

Supervision of Engagement Team

Members

c. Review the work of engagement team members
to evaluate whether:

(1) The work was performed and documented

(2) The objectives of the procedures were achieved

(3) The results of the work support the

conclusions reached

40
 8_CSOE

Supervision of Engagement Team

Members

To determine the extent of supervision necessary
for engagement team members to perform their
work …

… as directed and form appropriate conclusions …

… the engagement partner and other engagement
team members performing supervisory activities
should take into account:

a. The nature of the company, including its size

and complexity

Supervision of Engagement Team

Members

b. The nature of the assigned work for each
engagement team member, including:

(1) The procedures to be performed, and

(2) The controls or accounts and disclosures to be

tested

41
 8_CSOE

Supervision of Engagement Team

Members

c. The risks of material misstatement

d. The knowledge, skill, and ability of each

engagement team member

Definition - For purposes of this standard,

engagement partner is the member of the
engagement team with primary responsibility for
the audit

Public Company Accounting Oversight Board

Auditing Standard No. 11 –

Consideration of Materiality in
Planning and Performing an Audit

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

42
 8_CSOE

Materiality in the Context of an

Audit

In interpreting the federal securities laws …

… the Supreme Court of the United States has held
that a fact is material if …

… there is "a substantial likelihood that the …fact
would have been viewed by the reasonable
investor as having significantly altered the 'total
mix' of information made available”

Materiality in the Context of an

Audit

As the Supreme Court has noted …

… determinations of materiality require …

… "delicate assessments of the inferences a
'reasonable shareholder' would draw from a given
set of facts and the significance of those inferences
to him ….“

43
 8_CSOE

Establishing a Materiality Level for the

Financial Statements as a Whole

To plan the nature, timing, and extent of audit
procedures, the auditor ***should establish a
materiality level*** for the financial statements as
a whole …

… that is appropriate in light of the particular
circumstances

This includes consideration of the company's

earnings and other relevant factors

Establishing a Materiality Level for the

Financial Statements as a Whole

To determine the nature, timing, and extent of
audit procedures …

… the materiality level for the financial statements
as a whole needs to be expressed as a specified
amount

44
 8_CSOE

Establishing a Materiality Level for the

Financial Statements as a Whole

If financial statements for the audit period are not
available …

… the auditor may establish an initial materiality
level based on estimated or preliminary financial
statement amounts

Establishing a Materiality Level for the

Financial Statements as a Whole

In those situations, the auditor should take into
account the effects of known or expected changes
in the company's financial statements …

… including significant transactions or
adjustments that are expected to be reflected in
the financial statements at the end of the period

45
 8_CSOE

Establishing Materiality Levels for

Particular Accounts or Disclosures

The auditor should evaluate whether, in light of
the particular circumstances …

… there are certain accounts or disclosures for
which there is a substantial likelihood that
misstatements …

… of ***lesser amounts than the materiality
level*** established for the financial statements as
a whole …

… would influence the judgment of a reasonable
investor

Establishing Materiality Levels for

Particular Accounts or Disclosures

If so, the auditor should establish *separate
materiality levels* for those accounts or
disclosures …

… to plan the nature, timing, and extent of audit
procedures for those accounts or disclosures

46
 8_CSOE

Establishing Materiality Levels for

Particular Accounts or Disclosures

Lesser amounts of misstatements could influence
the judgment of a reasonable investor because of
qualitative factors …

… e.g., because of the sensitivity of circumstances
surrounding misstatements, such as conflicts of
interest in related party transactions

Determining Tolerable
Misstatement

The auditor should determine the amount or
amounts …

… of tolerable misstatement for purposes of
assessing risks of material misstatement …

… and planning and performing audit procedures
at the account or disclosure level

47
 8_CSOE

Determining Tolerable
Misstatement

The auditor should determine tolerable
misstatement at an amount or amounts that …

… reduce to an appropriately low level the
probability …

… that the total of uncorrected and undetected
misstatements would result in material
misstatement of the financial statements

Determining Tolerable
Misstatement

Tolerable misstatement should be less than the
materiality level for the financial statements as a
whole and …

… if applicable, the materiality level or levels for
particular accounts or disclosures

48
 8_CSOE

Determining Tolerable
Misstatement

In determining tolerable misstatement and
planning and performing audit procedures …

… the auditor should take into account the nature,
cause (if known), and amount of misstatements
that …

… were accumulated in audits of the financial
statements of prior periods

Considerations for Multi-location

Engagements

For purposes of the audit of the consolidated
financial statements of a company with multiple
locations or business units the auditor should
determine tolerable misstatement for the
individual locations or business units …

… at an amount that reduces to an appropriately
low level the probability that the total of
uncorrected and undetected misstatements …

… would result in material misstatement of the
consolidated financial statements

49
 8_CSOE

Considerations as the Audit

Progresses

The auditor should reevaluate the established
materiality level or levels and tolerable
misstatement when …

… because of changes in the particular
circumstances …

… or additional information that comes to the
auditor's attention ...

Considerations as the Audit

Progresses

… there is a substantial likelihood that
misstatements of amounts that differ significantly
from the materiality level or levels that were
established initially …

… would influence the judgment of a reasonable
investor

50
 8_CSOE

Considerations as the Audit

Progresses

Situations in which changes in circumstances or
additional information that comes to the auditor's
attention would require such reevaluation
include:

a. The materiality level or levels …

… and tolerable misstatement were established
initially based on estimated or preliminary
financial statement amounts …

… that differ significantly from actual amounts

Considerations as the Audit

Progresses

b. Events or changes in conditions occurring after
the materiality level or levels and tolerable
misstatement were established initially …

… are likely to affect investors' perceptions about
the company's financial position, results of
operations, or cash flows

51
 8_CSOE

Considerations as the Audit

Progresses

Examples of such events or changes in conditions
include

(1) Changes in laws, regulations, or the applicable

financial reporting framework that affect
investors' expectations about the measurement or
disclosure of certain items

Considerations as the Audit

Progresses

(2) Significant new contractual arrangements that
draw attention to a particular aspect of a
company's business …

… that is separately disclosed in the financial
statements

52
 8_CSOE

Considerations as the Audit

Progresses

If the auditor's reevaluation results in a lower
amount for the materiality level or levels or
tolerable misstatement than initially established
by the auditor …

… the auditor should

Considerations as the Audit

Progresses

(1) Evaluate the effect, if any, of the lower amount
or amounts on his or her risk assessments and
audit procedures and

(2) Modify the nature, timing, and extent of audit

procedures as necessary to obtain sufficient
appropriate audit evidence.

53
 8_CSOE

Public Company Accounting Oversight Board

Auditing Standard No. 12 –

Identifying and Assessing Risks of
Material Misstatement

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

Objective

The objective of the auditor is to identify and
appropriately assess the risks of material
misstatement …

… thereby providing a basis for designing and
implementing responses to the risks of material
misstatement

54
 8_CSOE

Performing Risk Assessment

Procedures

The auditor should perform risk assessment
procedures that are sufficient to provide a
reasonable basis …

… for identifying and assessing the risks of
material misstatement …

… whether due to error or fraud …

… and designing further audit procedures

Performing Risk Assessment

Procedures

Risks of material misstatement can arise from a
variety of sources …

… including external factors such as conditions in
the company's industry and environment …

… and company-specific factors, such as the
nature of the company, its activities, and internal
control over financial reporting

55
 8_CSOE

Performing Risk Assessment

Procedures

For example, external or company-specific factors
can affect the judgments involved …

… in determining accounting estimates …

… or create pressures to manipulate the financial
statements to achieve certain financial targets

Performing Risk Assessment

Procedures

Also, risks of material misstatement may relate to
personnel who lack the necessary financial
reporting competencies …

… information systems that fail to accurately
capture business transactions …

… or financial reporting processes that are not
adequately aligned with the requirements in the
applicable financial reporting framework

56
 8_CSOE

Performing Risk Assessment

Procedures

The audit procedures that are necessary to
identify and appropriately assess the risks of
material misstatement include consideration of
both external factors and company-specific factors

This standard discusses the following risk

assessment procedures:

a. Obtaining an understanding of the company and

its environment

Performing Risk Assessment

Procedures

b. Obtaining an understanding of internal control
over financial reporting

c. Considering information from the client

acceptance and retention evaluation, audit
planning activities, past audits, and other
engagements performed for the company

d. Performing analytical procedures

57
 8_CSOE

Performing Risk Assessment

Procedures

e. Conducting a discussion among engagement
team members regarding the risks of material
misstatement

f. Inquiring of the audit committee, management,

and others within the company about the risks of
material misstatement

Performing Risk Assessment

Procedures

In an integrated audit …

… the risks of material misstatement of the
financial statements are the same for both …

… the audit of internal control over financial
reporting …

… and the audit of financial statements

58
 8_CSOE

Performing Risk Assessment

Procedures

The auditor's risk assessment procedures should
apply to both …

… the audit of internal control over financial
reporting …

… and the audit of financial statements

Obtaining an Understanding of the

Company and Its Environment

The auditor should obtain an understanding of the
company and its environment ("understanding of
the company") …

… to understand the events, conditions, and
company activities …

… that might reasonably be expected to have a
significant effect on the risks of material
misstatement

59
 8_CSOE

Obtaining an Understanding of the

Company and Its Environment

Obtaining an understanding of the company
includes understanding:

a. Relevant industry, regulatory, and other
external factors

b. The nature of the company

c. The company's selection and application of

accounting principles, including related
disclosures

Obtaining an Understanding of the

Company and Its Environment

d. The company's objectives and strategies and
those related business risks that might reasonably
be expected to result in risks of material
misstatement

e. The company's measurement and analysis of its

financial performance

60
 8_CSOE

Industry, Regulatory, and Other

External Factors

Obtaining an understanding of relevant industry,
regulatory, and other external factors
encompasses industry factors …

… including the competitive environment and
technological developments …

… the regulatory environment, including the
applicable financial reporting framework and the
legal and political environment …

… and external factors, including general
economic conditions

Nature of the Company

Obtaining an understanding of the nature of the
company includes understanding:

1. The company's organizational structure and

management personnel

61
 8_CSOE

Nature of the Company

2. The sources of funding of the company's
operations and investment activities …

… including the company's capital structure,
noncapital funding (e.g., subordinated debt or
dependencies on supplier financing) …

… and other debt instruments

Nature of the Company

3. The company's significant investments
including equity method investments, joint
ventures, and variable interest entities

4. The company's operating characteristics

including its size and complexity

The size and complexity of a company might affect

the risks of misstatement and how the company
addresses those risks

62
 8_CSOE

Nature of the Company

5. The sources of the company's earnings,
including the relative profitability of key products
and services

6. Key supplier and customer relationships

The auditor should consider performing the

following procedures and the extent to which the
procedures should be performed:

Nature of the Company

1. Reading public information about the company
relevant to the evaluation of the likelihood of
material financial statement misstatements and,
in an integrated audit …

… the effectiveness of the company's internal
control over financial reporting …

… e.g., company-issued press releases, company-
prepared presentation materials for analysts or
investor groups, and analyst reports

63
 8_CSOE

Nature of the Company

2. Observing or reading transcripts of earnings
calls and, to the extent publicly available, other
meetings with investors or rating agencies

3. Obtaining an understanding of compensation

arrangements with senior management …

… including incentive compensation
arrangements, changes or adjustments to those
arrangements, and special bonuses

Nature of the Company

4. Obtaining information about trading activity in
the company's securities and holdings in the
company's securities …

… by significant holders …

… to identify potentially significant unusual
developments

64
 8_CSOE

Company Objectives, Strategies,

and Related Business Risks

The purpose of obtaining an understanding of the
company's objectives, strategies, and related
business risks is to identify business risks that …

… could reasonably be expected to result in
material misstatement of the financial statements

The following are examples of situations in which

business risks might result in material
misstatement of the financial statements:

Company Objectives, Strategies,

and Related Business Risks

1. Industry developments (a potential related
business risk might be, e.g., that the company does
not have the personnel or expertise to deal with
the changes in the industry)

2. New products and services (a potential related

business risk might be, e.g., that the new product
or service will not be successful)

65
 8_CSOE

Company Objectives, Strategies,

and Related Business Risks

3. Use of information technology ("IT") (a
potential related business risk might be, e.g., that
systems and processes are incompatible)

4. New accounting requirements (a potential

related business risk might be, e.g., incomplete or
improper implementation of a new accounting
requirement)

Company Objectives, Strategies,

and Related Business Risks

5. Expansion of the business (a potential related
business risk might be, e.g., that the demand for
the company's products or services has not been
accurately estimated)

66
 8_CSOE

Company Objectives, Strategies,

and Related Business Risks

6. The effects of implementing a strategy,
particularly any effects that will lead to new
accounting requirements (a potential related
business risk might be, e.g., incomplete or
improper implementation of the strategy)

7. Current and prospective financing

requirements (a potential related business risk
might be, e.g., the loss of financing due to the
company's inability to meet financing
requirements)

Company Objectives, Strategies,

and Related Business Risks

8. Regulatory requirements …

… (a potential related business risk might be, e.g.,
that there is increased legal exposure)

67
 8_CSOE

Company Objectives, Strategies,

and Related Business Risks

Business risks could affect risks of material
misstatement at the financial statement level …

… which would affect many accounts and
disclosures in the financial statements

For example …

… a company's loss of financing or declining
conditions affecting the company's industry could
affect its ability to settle its obligations when due

Internal control over financial

reporting

Internal control over financial reporting can be
described as consisting of the following
components:

1. The control environment

2. The company's risk assessment process

3. Information and communication

4. Control activities

5. Monitoring of controls

68
 8_CSOE

Internal control over financial

reporting

Management might use an internal control
framework with components that differ from the
components identified in the preceding
paragraph…

… when establishing and maintaining the
company's internal control over financial
reporting

Internal control over financial

reporting

In evaluating the design of controls and
determining whether they have been implemented
in an audit of financial statements only …

… the auditor may use the framework used by
management or another suitable, recognized
framework

69
 8_CSOE

Control Environment

The auditor should obtain an understanding of the
company's control environment …

… including the policies and actions of
management, the board, and the audit committee
concerning the company's control environment.

Obtaining an understanding of the control

environment includes assessing:

Control Environment

1. Whether management's philosophy and
operating style promote effective internal control
over financial reporting

2. Whether sound integrity and ethical values
particularly of top management, are developed
and understood

3. Whether the board or audit committee
understands and exercises oversight
responsibility over financial reporting and
internal control

70
 8_CSOE

Risk Assessment

The auditor should obtain an understanding of
management's process for:

a. Identifying risks relevant to financial reporting
objectives, including risks of material
misstatement due to fraud ("fraud risks")

b. Assessing the likelihood and significance of

misstatements resulting from those risks

c. Deciding about actions to address those risks

Information and Communication

Information System Relevant to Financial
Reporting

The auditor should obtain an understanding of the

information system …

… including the related business processes,
relevant to financial reporting, including:

71
 8_CSOE

Information and Communication

a. The classes of transactions in the company's
operations that are significant to the financial
statements

b. The procedures, within both automated and

manual systems, by which those transactions are
initiated, authorized, processed, recorded, and
reported

Information and Communication

c. The related accounting records, supporting
information, and specific accounts in the financial
statements that are used to initiate, authorize,
process, and record transactions

d. How the information system captures events

and conditions, other than transactions that are
significant to the financial statements

e. The period-end financial reporting process

72
 8_CSOE

Information and Communication

Note: The identification of risks and controls
within IT is not a separate evaluation

Instead, it is an integral part of the approach used

to identify significant accounts and disclosures
and their relevant assertions and, when
applicable…

… to select the controls to test, as well as to assess
risk and allocate audit effort

Information and Communication

A company's business processes are the activities
designed to:

a. Develop, purchase, produce, sell and distribute
a company's products or services

b. Record information, including accounting and

financial reporting information

c. Ensure compliance with laws and regulations

relevant to the financial statements

73
 8_CSOE

Information and Communication

Obtaining an understanding of the company's
business processes …

… assists the auditor in obtaining an
understanding of how transactions are initiated,
authorized, processed, and recorded

A company's period-end financial reporting

process includes the following:

Information and Communication

1. Procedures used to enter transaction totals into
the general ledger

2. Procedures related to the selection and

application of accounting principles

3. Procedures used to initiate, authorize, record,

and process journal entries in the general ledger

74
 8_CSOE

Information and Communication

4. Procedures used to record recurring and
nonrecurring adjustments to the annual financial
statements (and quarterly financial statements, if
applicable)

5. Procedures for preparing annual financial

statements and related disclosures (and quarterly
financial statements, if applicable)

Information and Communication

The auditor should obtain an understanding of
how the company communicates financial
reporting roles and responsibilities and
significant matters …

… relating to financial reporting to relevant
company personnel and others, including:

75
 8_CSOE

Information and Communication

1. Communications between management, the
audit committee, and the board of directors; and

2. Communications to external parties, including

regulatory authorities and shareholders

Control Activities

The auditor should obtain an understanding of
control activities that is sufficient to assess the
factors that affect the risks of material
misstatement …

… and to design further audit procedures

76
 8_CSOE

Control Activities

As the auditor obtains an understanding of the
other components of internal control over
financial reporting …

… he or she is also likely to obtain knowledge
about some control activities

Control Activities

The auditor should use his or her knowledge
about the presence or absence of control activities
obtained from the understanding of the other
components of internal control over financial
reporting …

… in determining the extent to which it is
necessary to devote additional attention to
obtaining an understanding of control activities …

… to assess the factors that affect the risks of
material misstatement and to design further audit
procedures

77
 8_CSOE

Monitoring of Controls

The auditor should obtain an understanding of the
major types of activities …

… that the company uses to monitor the
effectiveness of its internal control over financial
reporting …

… and how the company initiates corrective
actions related to its controls

An understanding of the company's monitoring
activities includes understanding the source of the
information used in the monitoring activities

Performing Walkthroughs

The auditor may perform walkthroughs as part of
obtaining an understanding of internal control
over financial reporting

For example, the auditor may perform
walkthroughs in connection with understanding
the flow of transactions in the information system
relevant to financial reporting …

… evaluating the design of controls relevant to the
audit and determining whether those controls
have been implemented

78
 8_CSOE

Performing Walkthroughs

In performing a walkthrough …

… the auditor follows a transaction from
origination through the company's processes …

… including information systems …

… until it is reflected in the company's financial
records …

… using the same documents and IT that company
personnel use

Performing Walkthroughs

Walkthrough procedures usually include a
combination of inquiry, observation, inspection of
relevant documentation, and re-performance of
controls

In performing a walkthrough, at the points at

which important processing procedures occur …

… the auditor questions the company's personnel
about their understanding of what is required by
the company's prescribed procedures and controls

79
 8_CSOE

Performing Walkthroughs

These probing questions, combined with the other
walkthrough procedures …

… allow the auditor to gain a sufficient
understanding of the process …

… and to be able to identify important points at
which a necessary control is missing or not
designed effectively

Performing Walkthroughs

Additionally, probing questions that go beyond a
narrow focus on the single transaction used as the
basis for the walkthrough …

… allow the auditor to gain an understanding of
the different types of significant transactions
handled by the process

80
 8_CSOE

Discussion of the Potential for Material

Misstatement Due to Fraud

The discussion among the key engagement team
members about the potential for material
misstatement due to fraud should occur with an
attitude that includes a questioning mind …

… and the key engagement team members should
set aside any prior beliefs they might have that
management is honest and has integrity

The discussion among the key engagement team

members should include:

Discussion of the Potential for Material

Misstatement Due to Fraud

1. An exchange of ideas, or "brainstorming,"
among the key engagement team members
including the engagement partner …

… about how and where they believe the
company's financial statements might be
susceptible to material misstatement due to fraud
how management could perpetrate and conceal
fraudulent financial reporting …

… and how assets of the company could be
misappropriated, including:

81
 8_CSOE

Discussion of the Potential for Material

Misstatement Due to Fraud

(a) The susceptibility of the financial statements to
material misstatement through related party
transactions

(b) How fraud might be perpetrated or concealed

by omitting or presenting incomplete or
inaccurate disclosures

Discussion of the Potential for Material

Misstatement Due to Fraud

2. A consideration of the known external and
internal factors affecting the company that might:

(a) Create incentives or pressures for

management and others to commit fraud

82
 8_CSOE

Discussion of the Potential for Material

Misstatement Due to Fraud

(b) Provide the opportunity for fraud to be
perpetrated

(c) Indicate a culture or environment that enables

management to rationalize committing fraud

Discussion of the Potential for Material

Misstatement Due to Fraud

3. A consideration of the risk of management
override

4. A consideration of the potential audit responses

to the susceptibility of the company's financial
statements to material misstatement due to fraud

The auditor should emphasize the following

matters to all engagement team members:

83
 8_CSOE

Discussion of the Potential for Material

Misstatement Due to Fraud

1. The need to maintain a questioning mind
throughout the audit and …

… to exercise professional skepticism in gathering
and evaluating evidence

2. The need to be alert for information or other

conditions that might affect the assessment of
fraud risks

Discussion of the Potential for Material

Misstatement Due to Fraud

3. If information or other conditions indicate that
a material misstatement due to fraud might have
occurred …

… the need to probe the issues …

… acquire additional evidence as necessary …

… and consult with other team members and, if
appropriate, others in the firm including
specialists

84
 8_CSOE

Inquiring of the Audit Committee, Management, and

Others within the Company about the Risks of
Material Misstatement

The auditor should inquire of the audit committee
or equivalent (or its chair), management, the
internal audit function …

… and others within the company …

… who might reasonably be expected to have
information that is important to the identification
and assessment of risks of material misstatement

Inquiries Regarding Fraud Risks

The auditor's inquiries regarding fraud risks
should include the following:

a. Inquiries of management regarding:

(1) Whether management has knowledge of fraud,

alleged fraud, or suspected fraud affecting the
company

85
 8_CSOE

Inquiries Regarding Fraud Risks

(2) Management's process for identifying and
responding to fraud risks in the company …

… including any specific fraud risks the company
has identified or account balances or disclosures
for which a fraud risk is likely to exist …

… and the nature, extent, and frequency of
management's fraud risk assessment process

Inquiries Regarding Fraud Risks

(3) Controls that the company has established to
address fraud risks the company has identified …

… or that otherwise help to prevent and detect
fraud …

… including how management monitors those
controls

(4) For a company with multiple locations:

(a) The nature and extent of monitoring of
operating locations or business segments and

86
 8_CSOE

Inquiries Regarding Fraud Risks

(b) Whether there are particular operating
locations or business segments for which a fraud
risk might be more likely to exist

(5) Whether and how management communicates

to employees its views on business practices and
ethical behavior

Inquiries Regarding Fraud Risks

(6) Whether management has received tips or
complaints regarding the company's financial
reporting …

… (including those received through the audit
committee's internal whistleblower program, if
such program exists) …

… and, if so, management's responses to such tips
and complaints

87
 8_CSOE

Inquiries Regarding Fraud Risks

(7) Whether management has reported to the
audit committee on how the company's internal
control serves to prevent and detect material
misstatements due to fraud

Inquiries Regarding Fraud Risks

b. Inquiries of the audit committee or equivalent,
or its chair regarding:

(1) The audit committee's views about fraud risks

in the company

(2) Whether the audit committee has knowledge

of fraud, alleged fraud, or suspected fraud
affecting the company

88
 8_CSOE

Inquiries Regarding Fraud Risks

(3) Whether the audit committee is aware of tips
or complaints regarding the company's financial
reporting …

… (including those received through the audit
committee's internal whistleblower program, if
such program exists) …

… and, if so, the audit committee's responses to
such tips and complaints

Inquiries Regarding Fraud Risks

(4) How the audit committee exercises oversight
of the company's assessment of fraud risks and
the establishment of controls to address fraud
risks

89
 8_CSOE

Inquiries Regarding Fraud Risks

c. If the company has an internal audit function,
inquiries of appropriate internal audit personnel
regarding:

(1) The internal auditors' views about fraud risks

in the company

(2) Whether the internal auditors have knowledge

of fraud, alleged fraud, or suspected fraud
affecting the company

Inquiries Regarding Fraud Risks

(3) Whether internal auditors have performed
procedures to identify or detect fraud during the
year …

… and whether management has satisfactorily
responded to the findings resulting from those
procedures

(4) Whether internal auditors are aware of

instances of management override of controls and
the nature and circumstances of such overrides

90
 8_CSOE

Inquiries Regarding Fraud Risks

In addition to the inquiries outlined in the
preceding paragraph …

… the auditor should inquire of others within the
company about their views regarding fraud risks…

… including, in particular, whether they have
knowledge of fraud, alleged fraud, or suspected
fraud

Inquiries Regarding Fraud Risks

The auditor should identify other individuals
within the company to whom inquiries should be
directed …

… and determine the extent of such inquiries by
considering whether others in the company might
have additional knowledge about fraud, alleged
fraud, or suspected fraud …

… or might be able to corroborate fraud risks
identified in discussions with management or the
audit committee

91
 8_CSOE

Inquiries Regarding Fraud Risks

Examples of other individuals within the company
to whom inquiries might be directed include:

1. Employees with varying levels of authority

within the company …

… including, e.g., company personnel with whom
the auditor comes into contact during the course
of the audit

Inquiries Regarding Fraud Risks

(a) In obtaining an understanding of internal
control

(b) In observing inventory or performing cutoff

procedures or

92
 8_CSOE

Inquiries Regarding Fraud Risks

(c) in obtaining explanations for significant
differences identified when performing analytical
procedures

2. Operating personnel not directly involved in the

financial reporting process

Inquiries Regarding Fraud Risks

3. Employees involved in initiating, recording, or
processing complex or unusual transactions …

… e.g., a sales transaction with multiple elements
or a significant related party transaction

4. In-house legal counsel

93
 8_CSOE

Inquiries Regarding Fraud Risks

When evaluating management's responses to
inquiries about fraud risks and determining when
it is necessary to corroborate management's
responses …

… the auditor should take into account the fact
that management is often in the best position to
commit fraud

Also, the auditor should obtain evidence to

address inconsistencies in responses to the
inquiries

Factors Relevant to Identifying

Fraud Risks

The auditor should evaluate whether the
information gathered from the risk assessment
procedures …

… indicates that one or more fraud risk factors are
present and should be taken into account in
identifying and assessing fraud risks

Fraud risk factors are events or conditions that
indicate:

(1) An incentive or pressure to perpetrate fraud

94
 8_CSOE

Factors Relevant to Identifying

Fraud Risks

(2) An opportunity to carry out the fraud

(3) An attitude or rationalization that justifies the

fraudulent action

Fraud risk factors do not necessarily indicate the

existence of fraud

However, they often are present in circumstances
in which fraud exists

Factors Relevant to Identifying

Fraud Risks

All three conditions discussed in the preceding
paragraph are not required to be observed or
evident …

… to conclude that a fraud risk exists

The auditor might conclude that a fraud risk exists

even when only one of these three conditions is
present

95
 8_CSOE

Factors Relevant to Identifying

Fraud Risks

Consideration of the Risk of Omitted, Incomplete,
or Inaccurate Disclosures

The auditor's evaluation of fraud risk factors
should include evaluation of how fraud could be
perpetrated or concealed by …

… presenting incomplete or inaccurate disclosures
or by omitting disclosures that are necessary for
the financial statements to be presented fairly …

… in conformity with the applicable financial
reporting framework

Factors Relevant to Identifying

Fraud Risks

Presumption of Fraud Risk Involving Improper
Revenue Recognition

The auditor should presume that there is a fraud

risk involving improper revenue recognition …

… and evaluate which types of revenue, revenue
transactions, or assertions may give rise to such
risks

96
 8_CSOE

Factors Relevant to Identifying

Fraud Risks

Consideration of the Risk of Management
Override of Controls

The auditor's identification of fraud risks should

include the risk of management override of
controls

Factors Relevant to Identifying

Fraud Risks

Controls over management override are
important to effective internal control over
financial reporting for all companies …

… and may be particularly important at smaller
companies because of the increased involvement
of senior management in performing controls and
in the period-end financial reporting process

97
 8_CSOE

Factors Relevant to Identifying

Fraud Risks

For smaller companies …

… the controls that address the risk of
management override might be different from
those at a larger company

For example, a smaller company might rely on

more detailed oversight by the audit committee …

… that focuses on the risk of management override

Public Company Accounting Oversight Board

Auditing Standard No. 13 –

The Auditor's Responses to the Risks of
Material Misstatement

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

98
 8_CSOE

Responding to the Risks of

Material Misstatement

The auditor must design and implement audit
responses that address the risks of material
misstatement …

… that are identified and assessed in accordance
with Auditing Standard No. 12, Identifying and
Assessing Risks of Material Misstatement

This standard discusses the following types of

audit responses:

Responding to the Risks of

Material Misstatement

a. Responses that have an overall effect on how
the audit is conducted ("overall responses")

b. Responses involving the nature, timing, and

extent of the audit procedures to be performed

99
 8_CSOE

Responding to the Risks of

Material Misstatement

Overall Responses

The auditor should design and implement overall

responses to address the assessed risks of
material misstatement as follows:

Responding to the Risks of

Material Misstatement

a. Making appropriate assignments of significant
engagement responsibilities

The knowledge, skill, and ability of engagement

team members with significant engagement
responsibilities should be commensurate with the
assessed risks of material misstatement

100
 8_CSOE

Responding to the Risks of

Material Misstatement

b. Providing the extent of supervision that is
appropriate for the circumstances …

… including, in particular, the assessed risks of
material misstatement

c. Incorporating elements of unpredictability in

the selection of audit procedures to be performed

The auditor should incorporate an element of
unpredictability in the selection of auditing
procedures to be performed from year to year

Responding to the Risks of

Material Misstatement

Examples of ways to incorporate an element of
unpredictability include:

(1) Performing audit procedures related to

accounts, disclosures, and assertions that would
not otherwise be tested based on their amount or
the auditor's assessment of risk

(2) Varying the timing of the audit procedures

101
 8_CSOE

Responding to the Risks of

Material Misstatement

(3) Selecting items for testing that have lower
amounts or are otherwise outside customary
selection parameters

(4) Performing audit procedures on an
unannounced basis

(5) In multi-location audits, varying the location

or the nature, timing, and extent of audit
procedures at related locations or business units
from year to year

Responding to the Risks of

Material Misstatement

d. Evaluating the company's selection and
application of significant accounting principles

The auditor should evaluate whether the

company's selection and application of significant
accounting principles …

… particularly those related to subjective
measurements and complex transactions …

… are indicative of bias that could lead to material
misstatement of the financial statements

102
 8_CSOE

Responding to the Risks of

Material Misstatement

The auditor also should determine whether it is
necessary to make pervasive changes to the
nature, timing, or extent of audit procedures …

… to adequately address the assessed risks of
material misstatement

Examples of such pervasive changes include

modifying the audit strategy to:

Responding to the Risks of

Material Misstatement

a. Increase the substantive testing of the valuation
of numerous significant accounts at year end …

… because of significantly deteriorating market
conditions

b. Obtain more persuasive audit evidence from

substantive procedures …

… due to the identification of pervasive
weaknesses in the company's control environment

103
 8_CSOE

Responding to the Risks of

Material Misstatement

Due professional care requires the auditor to
exercise professional skepticism

Professional skepticism is an attitude that

includes a questioning mind and a critical
assessment of the appropriateness and sufficiency
of audit evidence

Responding to the Risks of

Material Misstatement

The auditor's responses to the assessed risks of
material misstatement, particularly fraud risks …

… should involve the application of professional
skepticism in gathering and evaluating audit
evidence

104
 8_CSOE

Responding to the Risks of

Material Misstatement

Examples of the application of professional
skepticism in response to the assessed fraud risks
are:

(a) Modifying the planned audit procedures to

obtain more reliable evidence regarding relevant
assertions and

Responding to the Risks of

Material Misstatement

(b) Obtaining sufficient appropriate evidence to
corroborate management's explanations or
representations concerning important matters …

… such as through third-party confirmation …

… use of a specialist engaged or employed by the
auditor, or examination of documentation from
independent sources

105
 8_CSOE

Testing Design Effectiveness

The auditor should test the design effectiveness of
the controls selected for testing by determining
whether the company's controls …

… if they are operated as prescribed by persons
possessing the necessary authority and
competence to perform the control effectively …

… satisfy the company's control objectives and can
effectively prevent or detect error or fraud that
could result in material misstatements in the
financial statements

Testing Design Effectiveness

A smaller, less complex company might achieve its
control objectives in a different manner from a
larger, more complex organization

For example, a smaller, less complex company
might have fewer employees in the accounting
function limiting opportunities to segregate duties
and leading the company to implement alternative
controls to achieve its control objectives

In such circumstances, the auditor should
evaluate whether those alternative controls are
effective

106
 8_CSOE

Testing Design Effectiveness

Procedures the auditor performs to test design
effectiveness include a mix of …

… inquiry of appropriate personnel …

… observation of the company's operations …

… and inspection of relevant documentation

Walkthroughs that include these procedures

ordinarily are sufficient to evaluate design
effectiveness

Testing Operating Effectiveness

The auditor should test the operating
effectiveness of a control selected for testing …

… by determining whether the control is
*operating as designed* and …

… whether the person performing the control
possesses the necessary authority and competence
to perform the control effectively

107
 8_CSOE

Public Company Accounting Oversight Board

Auditing Standard No. 14 –

Evaluating Audit Results

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

Objective

This standard establishes requirements regarding
the auditor's evaluation of audit results and …

… determination of whether he or she has
obtained sufficient appropriate audit evidence

108
 8_CSOE

Performing Analytical Procedures

in the Overall Review

In the overall review, the auditor should read the
financial statements and disclosures and perform
analytical procedures to

(a) Evaluate the auditor's conclusions formed

regarding significant accounts and disclosures

(b) Assist in forming an opinion on whether the

financial statements as a whole are free of
material misstatement

Performing Analytical Procedures

in the Overall Review

As part of the overall review, the auditor should
evaluate whether:

a. The evidence gathered in response to unusual

or unexpected transactions, events, amounts, or
relationships previously identified during the
audit is sufficient

109
 8_CSOE

Performing Analytical Procedures

in the Overall Review

b. Unusual or unexpected transactions, events,
amounts, or relationships indicate risks of
material misstatement that were not identified
previously including, in particular, fraud risks

Performing Analytical Procedures

in the Overall Review

If the auditor discovers a previously unidentified
risk of material misstatement …

… or concludes that the evidence gathered is not
adequate…

… he or she should modify his or her audit
procedures or perform additional procedures as
necessary

110
 8_CSOE

Performing Analytical Procedures

in the Overall Review

The nature and extent of the analytical procedures
performed during the overall review …

… may be similar to the analytical procedures
performed as risk assessment procedures

Performing Analytical Procedures

in the Overall Review

The auditor should obtain corroboration for
management's explanations regarding significant
unusual or unexpected transactions, events,
amounts, or relationships

111
 8_CSOE

Performing Analytical Procedures

in the Overall Review

If management's responses to the auditor's
inquiries appear to be implausible …

… inconsistent with other audit evidence …

… imprecise, or not at a sufficient level of detail to
be useful …

… the auditor should perform procedures to
address the matter

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

When evaluating whether the financial statements
as a whole are free of material misstatement …

… the auditor should evaluate the qualitative
aspects of the company's accounting practices …

… including potential ***bias*** in management's
judgments …

… about the amounts and disclosures in the
financial statements

112
 8_CSOE

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

The following are examples of forms of
management bias:

a. The selective correction of misstatements

brought to management's attention during the
audit …

… (e.g., correcting misstatements that have the
effect of increasing reported earnings but …

… not correcting misstatements that have the
effect of decreasing reported earnings)

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

b. The identification by management of additional
adjusting entries that offset misstatements
accumulated by the auditor

If such adjusting entries are identified …

… the auditor should perform procedures to
determine why the underlying misstatements
were not identified previously …

… and evaluate the implications on the integrity of
management and the auditor's risk assessments,
including fraud risk assessments

113
 8_CSOE

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

c. Bias in the selection and application of
accounting principles

d. Bias in accounting estimates

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

If the auditor identifies bias in management's
judgments about the amounts and disclosures in
the financial statements …

… the auditor should evaluate whether the effect
of that bias, together with the effect of
uncorrected misstatements, results in material
misstatement of the financial statements

114
 8_CSOE

Evaluating the Qualitative Aspects of

the Company's Accounting Practices

Also …

… the auditor should evaluate whether the
auditor's risk assessments, including, in
particular …

… the assessment of fraud risks, and the related
audit responses remain appropriate

Public Company Accounting Oversight Board

Auditing Standard No. 15 –

Audit Evidence

Effective Date: For audits of fiscal years

beginning on or after Dec. 15, 2010

115
 8_CSOE

Objective

This standard explains ***what constitutes audit
evidence*** and …

… establishes requirements regarding designing
and performing audit procedures to obtain
sufficient appropriate audit evidence

Objective

2. Audit evidence is all the information …

… whether obtained from audit procedures or
other sources, that is used by the auditor in
arriving at the conclusions on which the auditor's
opinion is based

116
 8_CSOE

Objective

Audit evidence consists of both …

… information that supports and corroborates
management's assertions regarding the financial
statements or internal control over financial
reporting …

… and information that contradicts such
assertions

Sufficient Appropriate Audit

Evidence

The auditor must plan and perform audit
procedures to obtain sufficient appropriate audit
evidence to …

… provide a reasonable basis for his or her
opinion

Sufficiency is the measure of the quantity of audit
evidence

The quantity of audit evidence needed is affected
by the following:

117
 8_CSOE

Sufficient Appropriate Audit

Evidence

1. Risk of material misstatement (in the audit of
financial statements) …

… or the risk associated with the control (in the
audit of internal control over financial reporting)

As the risk increases …

… the amount of evidence that the auditor should
obtain also increases

Sufficient Appropriate Audit

Evidence

As the quality of the evidence increases …

… the need for additional corroborating evidence
decreases

Obtaining more of the same type of audit evidence,

however …

… cannot compensate for the poor quality of that
evidence

118
 8_CSOE

Sufficient Appropriate Audit

Evidence

Appropriateness is the measure of the quality of
audit evidence …

… i.e., its relevance and reliability

To be appropriate …

… audit evidence must be both relevant and
reliable in providing support for the conclusions
on which the auditor's opinion is based

Sufficient Appropriate Audit

Evidence

Relevance and Reliability

The relevance of audit evidence refers to its

relationship to the objective of the control being
tested

The relevance of audit evidence depends on:

a. The design of the audit procedure used

b. The timing of the audit

119
 8_CSOE

Using Information Produced by

the Company

When using information produced by the
company as audit evidence …

… the auditor should evaluate whether the
information is sufficient and appropriate …

… for purposes of the audit by performing
procedures to:

Using Information Produced by

the Company

1. Test the accuracy and completeness of the
information, or test the controls over the accuracy
and completeness of that information

2. Evaluate whether the information is sufficiently

precise and detailed for purposes of the audit

120
 8_CSOE

Financial Statement Assertions

In representing that the financial statements are
presented fairly in conformity with the applicable
financial reporting framework …

… management implicitly or explicitly makes
assertions regarding the recognition,
measurement, presentation, and disclosure of the
various elements of financial statements and
related disclosures

Those assertions can be classified into the
following categories:

Financial Statement Assertions

1. Existence or occurrence – Assets or liabilities of
the company exist at a given date, and recorded
transactions have occurred during a given period

2. Completeness – All transactions and accounts

that should be presented in the financial
statements are so included

121
 8_CSOE

Observation

Observation consists of looking at a process or
procedure being performed by others …

… e.g., the auditor's observation of inventory
counting by the company's personnel …

… or the performance of control activities

Observation

Observation can provide audit evidence about the
performance of a process or procedure …

… but the evidence is limited to the point in time at
which the observation takes place …

… and also is limited by the fact that the act of
being observed may affect how the process or
procedure is performed

122
 8_CSOE

Inquiry

Inquiry consists of seeking information from
knowledgeable persons in financial or
nonfinancial roles within the company or outside
the company

Inquiry may be performed throughout the audit in
addition to other audit procedures

Inquiries may range from formal written inquiries
to informal oral inquiries. Evaluating responses to
inquiries is an integral part of the inquiry process

Inquiry

Inquiry of company personnel by itself …

… does not provide sufficient audit evidence to
reduce audit risk to an appropriately low level for
a relevant assertion …

… or to support a conclusion about the
effectiveness of a control

123
 8_CSOE

Confirmation, Recalculation

A confirmation response represents a particular
form of audit evidence obtained by the auditor
from a third party in accordance with PCAOB
standards

Recalculation consists of checking the

mathematical accuracy of documents or records

Recalculation may be performed manually or

electronically

Reperformance, Analytical
Procedures

Reperformance involves the independent
execution of procedures or controls that …

… were originally performed by company
personnel

Analytical Procedures consist of evaluations of
financial information made by a study of plausible
relationships among both financial and
nonfinancial data

Analytical procedures also encompass the
investigation of significant differences from
expected amounts

124
 8_CSOE

Selecting Items for Testing to

Obtain Audit Evidence

Designing substantive tests of details and tests of
controls includes determining the means of
selecting items for testing …

… from among the items included in an account or
the occurrences of a control

Selecting Items for Testing to

Obtain Audit Evidence

The auditor should determine the means of
selecting items for testing to obtain evidence
that…

… in combination with other relevant evidence, is
sufficient to meet the objective of the audit
procedure

125
 8_CSOE

Selecting Items for Testing to

Obtain Audit Evidence

The alternative means of selecting items for
testing are:

1. Selecting all items

2. Selecting specific items

3. Audit sampling

Selecting Items for Testing to

Obtain Audit Evidence

The particular means or combination of means of
selecting items for testing that is appropriate …

… depends on the nature of the audit procedure …

… the characteristics of the control …

… or the items in the account being tested …

… and the evidence necessary to meet the objective
of the audit procedure

126
 8_CSOE

Selecting All Items

Selecting all items (100 percent examination) …

… refers to testing the entire population of items
in an account or the entire population of
occurrences of a control (or an entire stratum
within one of those populations)

The following are examples of situations in which

100 percent examination might be applied:

Selecting All Items

1. The population constitutes a small number of
large value items

2. The audit procedure is designed to respond to a
significant risk …

… and other means of selecting items for testing
do not provide sufficient appropriate audit
evidence

3. The audit procedure can be automated
effectively and applied to the entire population

127
 8_CSOE

Selecting Specific Items

Selecting specific items …

… refers to testing all of the items in a population
that have a specified characteristic such as:

Selecting Specific Items

1. Key items

The auditor may decide to select specific items
within a population because they are important to
accomplishing the objective of the audit
procedure…

… or exhibit some other characteristic, e.g., items
that are suspicious, unusual, or particularly risk-
prone or …

… items that have a history of error

128
 8_CSOE

Selecting Specific Items

2. All items over a certain amount

The auditor may decide to examine items whose
recorded values exceed a certain amount to …

… verify a large proportion of the total amount of
the items included in an account.

The auditor also might select specific items to

obtain an understanding about matters such as
the nature of the company or the nature of
transactions

Audit Sampling

Audit sampling is the application of an audit
procedure to less than 100 percent of the items …

… within an account balance or class of
transactions …

… for the purpose of evaluating some
characteristic of the balance or class

129