
[Federal Register: September 27, 2010 (Volume 75, Number 186)]
[Notices]               
[Page 59331-59410]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27se10-159]                         


[[Page 59331]]

-----------------------------------------------------------------------

Part II





Securities and Exchange Commission





-----------------------------------------------------------------------



Public Company Accounting Oversight Board; Notice of Filing of Proposed 
Rules on Auditing Standards Related to the Auditor's Assessment of and 
Response to Risk and Related Amendments to PCAOB Standards; Notice


[[Page 59332]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-62919; File No. PCAOB-2010-01]

 
Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rules on Auditing Standards Related to the Auditor's 
Assessment of and Response to Risk and Related Amendments to PCAOB 
Standards

September 15, 2010.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on September 15, 2010, the Public 
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'') 
filed with the Securities and Exchange Commission (the ``Commission'') 
the proposed rules described in Items I and II below, which items have 
been prepared by the Board. The Commission is publishing this notice to 
solicit comments on the proposed rules from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On August 5, 2010, the Board adopted the following eight auditing 
standards:

 Auditing Standard No. 8, Audit Risk
 Auditing Standard No. 9, Audit Planning
 Auditing Standard No. 10, Supervision of the Audit Engagement
 Auditing Standard No. 11, Consideration of Materiality in 
Planning and Performing an Audit
 Auditing Standard No. 12, Identifying and Assessing Risks of 
Material Misstatement
 Auditing Standard No. 13, The Auditor's Responses to the Risks 
of Material Misstatement
 Auditing Standard No. 14, Evaluating Audit Results
 Auditing Standard No. 15, Audit Evidence

(collectively referred to as the ``Risk Assessment Standards''); and 
amendment to the Board's interim auditing standards (collectively, 
``the proposed rules ''). The text of the Risk Assessment Standards and 
amendments to the Board's interim auditing standards are set out below.

Auditing Standard No. 8

Audit Risk

Introduction

    1. This standard discusses the auditor's consideration of audit 
risk in an audit of financial statements as part of an integrated audit 
\1\ or an audit of financial statements only.
---------------------------------------------------------------------------

    \1\ When the auditor is performing an integrated audit of 
financial statements and internal control over financial reporting, 
the requirements in Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements, also apply. However, the risks of material 
misstatement of the financial statements are the same for both the 
audit of financial statements and the audit of internal control over 
financial reporting.
---------------------------------------------------------------------------

Objective

    2. The objective of the auditor is to conduct the audit of 
financial statements in a manner that reduces audit risk to an 
appropriately low level.

Audit Risk

    3. To form an appropriate basis for expressing an opinion on the 
financial statements, the auditor must plan and perform the audit to 
obtain reasonable assurance about whether the financial statements are 
free of material misstatement \2\ due to error or fraud. Reasonable 
assurance \3\ is obtained by reducing audit risk to an appropriately 
low level through applying due professional care, including obtaining 
sufficient appropriate audit evidence.
---------------------------------------------------------------------------

    \2\ Misstatement is defined in Appendix A of Auditing Standard 
No. 14, Evaluating Audit Results.
    \3\ See AU sec. 110, Responsibilities and Functions of the 
Independent Auditor, and paragraph .10 of AU sec. 230, Due 
Professional Care in the Performance of Work, for a further 
discussion of reasonable assurance.
---------------------------------------------------------------------------

    4. In an audit of financial statements, audit risk is the risk that 
the auditor expresses an inappropriate audit opinion when the financial 
statements are materially misstated, i.e., the financial statements are 
not presented fairly in conformity with the applicable financial 
reporting framework. Audit risk is a function of the risk of material 
misstatement and detection risk.
    Note: The auditor should look to the requirements of the Securities 
and Exchange Commission for the company under audit with respect to the 
accounting principles applicable to that company.
Risk of Material Misstatement
    5. The risk of material misstatement refers to the risk that the 
financial statements are materially misstated. Auditing Standard No. 
12, Identifying and Assessing Risks of Material Misstatement, indicates 
that the auditor should assess the risks of material misstatement at 
two levels: (1) At the financial statement level and (2) at the 
assertion \4\ level.\5\
---------------------------------------------------------------------------

    \4\ See Auditing Standard No. 15, Audit Evidence, for a 
description of financial statement assertions.
    \5\ Paragraph 59 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    6. Risks of material misstatement at the financial statement level 
relate pervasively to the financial statements as a whole and 
potentially affect many assertions. Risks of material misstatement at 
the financial statement level may be especially relevant to the 
auditor's consideration of the risk of material misstatement due to 
fraud. For example, an ineffective control environment, a lack of 
sufficient capital to continue operations, and declining conditions 
affecting the company's industry might create pressures or 
opportunities for management to manipulate the financial statements, 
leading to higher risk of material misstatement.
    7. Risk of material misstatement at the assertion level consists of 
the following components:
    a. Inherent risk, which refers to the susceptibility of an 
assertion to a misstatement, due to error or fraud, that could be 
material, individually or in combination with other misstatements, 
before consideration of any related controls.
    b. Control risk, which is the risk that a misstatement due to error 
or fraud that could occur in an assertion and that could be material, 
individually or in combination with other misstatements, will not be 
prevented or detected on a timely basis by the company's internal 
control. Control risk is a function of the effectiveness of the design 
and operation of internal control.
    8. Inherent risk and control risk are related to the company, its 
environment, and its internal control, and the auditor assesses those 
risks based on evidence he or she obtains. The auditor assesses 
inherent risk using information obtained from performing risk 
assessment procedures and considering the characteristics of the 
accounts and disclosures in the financial statements.\6\ The auditor 
assesses control risk using evidence obtained from tests of controls 
(if the auditor plans to rely on those controls to assess control risk 
at less than maximum) and from other sources.\7\
---------------------------------------------------------------------------

    \6\ Paragraph 59.a. of Auditing Standard No. 12.
    \7\ Paragraphs 32-34 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.
---------------------------------------------------------------------------

Detection Risk
    9. In an audit of financial statements, detection risk is the risk 
that the procedures performed by the auditor will not detect a 
misstatement that exists and that could be material, individually or in 
combination with other misstatements. Detection risk is affected by (1) 
the effectiveness of the

[[Page 59333]]

substantive procedures and (2) their application by the auditor, i.e., 
whether the procedures were performed with due professional care.
    10. The auditor uses the assessed risk of material misstatement to 
determine the appropriate level of detection risk for a financial 
statement assertion. The higher the risk of material misstatement, the 
lower the level of detection risk needs to be in order to reduce audit 
risk to an appropriately low level.
    11. The auditor reduces the level of detection risk through the 
nature, timing, and extent of the substantive procedures performed. As 
the appropriate level of detection risk decreases, the evidence from 
substantive procedures that the auditor should obtain increases.\8\
---------------------------------------------------------------------------

    \8\ Paragraph 37 of Auditing Standard No. 13.
---------------------------------------------------------------------------

Auditing Standard No. 9

Audit Planning

Introduction

    1. This standard establishes requirements regarding planning an 
audit.

Objective

    2. The objective of the auditor is to plan the audit so that the 
audit is conducted effectively.

Responsibility of the Engagement Partner for Planning

    3. The engagement partner \9\ is responsible for the engagement and 
its performance. Accordingly, the engagement partner is responsible for 
planning the audit and may seek assistance from appropriate engagement 
team members in fulfilling this responsibility. Engagement team members 
who assist the engagement partner with audit planning also should 
comply with the relevant requirements in this standard.
---------------------------------------------------------------------------

    \9\ Terms defined in Appendix A, Definitions, are set in 
boldface type the first time they appear.
---------------------------------------------------------------------------

Planning an Audit

    4. The auditor should properly plan the audit. This standard 
describes the auditor's responsibilities for properly planning the 
audit.\10\
---------------------------------------------------------------------------

    \10\ The term, ``auditor,'' as used in this standard, 
encompasses both the engagement partner and the engagement team 
members who assist the engagement partner in planning the audit.
---------------------------------------------------------------------------

    5. Planning the audit includes establishing the overall audit 
strategy for the engagement and developing an audit plan, which 
includes, in particular, planned risk assessment procedures and planned 
responses to the risks of material misstatement. Planning is not a 
discrete phase of an audit but, rather, a continual and iterative 
process that might begin shortly after (or in connection with) the 
completion of the previous audit and continues until the completion of 
the current audit.
Preliminary Engagement Activities
    6. The auditor should perform the following activities at the 
beginning of the audit:
    a. Perform procedures regarding the continuance of the client 
relationship and the specific audit engagement,\11\
---------------------------------------------------------------------------

    \11\ Paragraphs .14-.16 of QC sec. 20, System of Quality Control 
for a CPA Firm's Accounting and Auditing Practice. AU sec. 161, The 
Relationship of Generally Accepted Auditing Standards to Quality 
Control Standards, explains how the quality control standards relate 
to the conduct of audits.
---------------------------------------------------------------------------

    b. Determine compliance with independence and ethics requirements, 
and
    Note: The determination of compliance with independence and ethics 
requirements is not limited to preliminary engagement activities and 
should be reevaluated with changes in circumstances.
    c. Establish an understanding with the client regarding the 
services to be performed on the engagement.\12\
---------------------------------------------------------------------------

    \12\ AU sec. 310, Appointment of the Independent Auditor.
---------------------------------------------------------------------------

Planning Activities
    7. The nature and extent of planning activities that are necessary 
depend on the size and complexity of the company, the auditor's 
previous experience with the company, and changes in circumstances that 
occur during the audit. When developing the audit strategy and audit 
plan, as discussed in paragraphs 8-10, the auditor should evaluate 
whether the following matters are important to the company's financial 
statements and internal control over financial reporting and, if so, 
how they will affect the auditor's procedures:
     Knowledge of the company's internal control over financial 
reporting obtained during other engagements performed by the auditor;
     Matters affecting the industry in which the company 
operates, such as financial reporting practices, economic conditions, 
laws and regulations, and technological changes;
     Matters relating to the company's business, including its 
organization, operating characteristics, and capital structure;
     The extent of recent changes, if any, in the company, its 
operations, or its internal control over financial reporting;
     The auditor's preliminary judgments about materiality,\13\ 
risk, and, in integrated audits, other factors relating to the 
determination of material weaknesses;
---------------------------------------------------------------------------

    \13\ Auditing Standard No. 11, Consideration of Materiality in 
Planning and Performing an Audit.
---------------------------------------------------------------------------

     Control deficiencies previously communicated to the audit 
committee \14\ or management;
---------------------------------------------------------------------------

    \14\ If no audit committee exists, all references to the audit 
committee in this standard apply to the entire board of directors of 
the company. See 15 U.S.C. Sec. Sec.  78c(a)58 and 7201(a)(3).
---------------------------------------------------------------------------

     Legal or regulatory matters of which the company is aware;
     The type and extent of available evidence related to the 
effectiveness of the company's internal control over financial 
reporting;
     Preliminary judgments about the effectiveness of internal 
control over financial reporting;
     Public information about the company relevant to the 
evaluation of the likelihood of material financial statement 
misstatements and the effectiveness of the company's internal control 
over financial reporting;
     Knowledge about risks related to the company evaluated as 
part of the auditor's client acceptance and retention evaluation; and
     The relative complexity of the company's operations.
    Note: Many smaller companies have less complex operations. 
Additionally, some larger, complex companies may have less complex 
units or processes. Factors that might indicate less complex operations 
include: fewer business lines; less complex business processes and 
financial reporting systems; more centralized accounting functions; 
extensive involvement by senior management in the day-to-day activities 
of the business; and fewer levels of management, each with a wide span 
of control.
Audit Strategy
    8. The auditor should establish an overall audit strategy that sets 
the scope, timing, and direction of the audit and guides the 
development of the audit plan.
    9. In establishing the overall audit strategy, the auditor should 
take into account:
    a. The reporting objectives of the engagement and the nature of the 
communications required by PCAOB standards,\15\
---------------------------------------------------------------------------

    \15\ See, e.g., AU sec. 310 and AU sec. 380, Communication With 
Audit Committees. Also, various laws or regulations require other 
matters to be communicated. (See, e.g., Rule 2-07 of Regulation S-X, 
17 CFR 210.2-07; and Rule 10A-3 under the Securities Exchange Act of 
1934, 17 CFR 240.10A-3.) The requirements of this standard do not 
modify communications required by those other laws or regulations.

---------------------------------------------------------------------------

[[Page 59334]]

    b. The factors that are significant in directing the activities of 
the engagement team,\16\
---------------------------------------------------------------------------

    \16\ See, e.g., paragraph 6 of Auditing Standard No. 10, 
Supervision of the Audit Engagement.
---------------------------------------------------------------------------

    c. The results of preliminary engagement activities \17\ and the 
auditor's evaluation of the important matters in accordance with 
paragraph 7 of this standard, and
---------------------------------------------------------------------------

    \17\ Paragraph 6 of this standard.
---------------------------------------------------------------------------

    d. The nature, timing, and extent of resources necessary to perform 
the engagement.\18\
---------------------------------------------------------------------------

    \18\ See, e.g., paragraph .06 of AU sec. 230, Due Professional 
Care in the Performance of Work, paragraph 16 of this standard, and 
paragraph 5.a. of Auditing Standard No. 13, The Auditor's Responses 
to the Risks of Material Misstatement.
---------------------------------------------------------------------------

Audit Plan
    10. The auditor should develop and document an audit plan that 
includes a description of:
    a. The planned nature, timing, and extent of the risk assessment 
procedures; \19\
---------------------------------------------------------------------------

    \19\ Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
---------------------------------------------------------------------------

    b. The planned nature, timing, and extent of tests of controls and 
substantive procedures; \20\ and
---------------------------------------------------------------------------

    \20\ Auditing Standard No. 13 and Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------

    c. Other planned audit procedures required to be performed so that 
the engagement complies with PCAOB standards.
Multi-Location Engagements
    11. In an audit of the financial statements of a company with 
operations in multiple locations or business units,\21\ the auditor 
should determine the extent to which audit procedures should be 
performed at selected locations or business units to obtain sufficient 
appropriate evidence to obtain reasonable assurance about whether the 
consolidated financial statements are free of material misstatement. 
This includes determining the locations or business units at which to 
perform audit procedures, as well as the nature, timing, and extent of 
the procedures to be performed at those individual locations or 
business units. The auditor should assess the risks of material 
misstatement to the consolidated financial statements associated with 
the location or business unit and correlate the amount of audit 
attention devoted to the location or business unit with the degree of 
risk of material misstatement associated with that location or business 
unit.
---------------------------------------------------------------------------

    \21\ The term ``business units'' includes subsidiaries, 
divisions, branches, components, or investments.
---------------------------------------------------------------------------

    12. Factors that are relevant to the assessment of the risks of 
material misstatement associated with a particular location or business 
unit and the determination of the necessary audit procedures include:
    a. The nature and amount of assets, liabilities, and transactions 
executed at the location or business unit, including, e.g., significant 
transactions executed at the location or business unit that are outside 
the normal course of business for the company, or that otherwise appear 
to be unusual given the auditor's understanding of the company and its 
environment; \22\
---------------------------------------------------------------------------

    \22\ Paragraph .66 of AU sec. 316, Consideration of Fraud in a 
Financial Statement Audit.
---------------------------------------------------------------------------

    b. The materiality of the location or business unit; \23\
---------------------------------------------------------------------------

    \23\ Paragraph 10 of Auditing Standard No. 11 describes the 
consideration of materiality in planning and performing audit 
procedures at an individual location or business unit.
---------------------------------------------------------------------------

    c. The specific risks associated with the location or business unit 
that present a reasonable possibility\24\ of material misstatement to 
the company's consolidated financial statements;
---------------------------------------------------------------------------

    \24\ There is a reasonable possibility of an event, as used in 
this standard, when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in 
the FASB Accounting Standards Codification, Contingencies Topic, 
paragraph 450-20-25-1.
---------------------------------------------------------------------------

    d. Whether the risks of material misstatement associated with the 
location or business unit apply to other locations or business units 
such that, in combination, they present a reasonable possibility of 
material misstatement to the company's consolidated financial 
statements;
    e. The degree of centralization of records or information 
processing;
    f. The effectiveness of the control environment, particularly with 
respect to management's control over the exercise of authority 
delegated to others and its ability to effectively supervise activities 
at the location or business unit; and
    g. The frequency, timing, and scope of monitoring activities by the 
company or others at the location or business unit.
    Note: When performing an audit of internal control over financial 
reporting, refer to Appendix B, Special Topics, of Auditing Standard 
No. 5\25\ for considerations when a company has multiple locations or 
business units.
---------------------------------------------------------------------------

    \25\ Paragraphs B10-B16 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    13. In determining the locations or business units at which to 
perform audit procedures, the auditor may take into account relevant 
activities performed by internal audit, as described in AU sec. 322, 
The Auditor's Consideration of the Internal Audit Function in an Audit 
of Financial Statements, or others, as described in Auditing Standard 
No. 5. AU sec. 322 and Auditing Standard No. 5 establish requirements 
regarding using the work of internal audit and others, respectively.
    14. AU sec. 543, Part of Audit Performed by Other Independent 
Auditors, describes the auditor's responsibilities regarding using the 
work and reports of other independent auditors who audit the financial 
statements of one or more of the locations or business units that are 
included in the consolidated financial statements.\26\ In those 
situations, the auditor should perform the procedures in paragraphs 11-
13 of this standard to determine the locations or business units at 
which audit procedures should be performed.
---------------------------------------------------------------------------

    \26\ For integrated audits, see also paragraphs C8-C11 of 
Auditing Standard No. 5.
---------------------------------------------------------------------------

Changes During the Course of the Audit
    15. The auditor should modify the overall audit strategy and the 
audit plan as necessary if circumstances change significantly during 
the course of the audit, including changes due to a revised assessment 
of the risks of material misstatement or the discovery of a previously 
unidentified risk of material misstatement.
Persons With Specialized Skill or Knowledge
    16. The auditor should determine whether specialized skill or 
knowledge is needed to perform appropriate risk assessments, plan or 
perform audit procedures, or evaluate audit results.
    17. If a person with specialized skill or knowledge employed or 
engaged by the auditor participates in the audit, the auditor should 
have sufficient knowledge of the subject matter to be addressed by such 
a person to enable the auditor to:
    a. Communicate the objectives of that person's work;
    b. Determine whether that person's procedures meet the auditor's 
objectives; and
    c. Evaluate the results of that person's procedures as they relate 
to the nature, timing, and extent of other planned audit procedures and 
the effects on the auditor's report.

Additional Considerations in Initial Audits

    18. The auditor should undertake the following activities before 
starting an initial audit:

[[Page 59335]]

    a. Perform procedures regarding the acceptance of the client 
relationship and the specific audit engagement; and
    b. Communicate with the predecessor auditor in situations in which 
there has been a change of auditors in accordance with AU sec. 315, 
Communications Between Predecessor and Successor Auditors.
    19. The purpose and objective of planning the audit are the same 
for an initial audit or a recurring audit engagement. However, for an 
initial audit, the auditor should determine the additional planning 
activities necessary to establish an appropriate audit strategy and 
audit plan, including determining the audit procedures necessary to 
obtain sufficient appropriate audit evidence regarding the opening 
balances.\27\
---------------------------------------------------------------------------

    \27\ See also paragraph 3 of Auditing Standard No. 6, Evaluating 
Consistency of Financial Statements.
---------------------------------------------------------------------------

Appendix A--Definition

    A1. For purposes of this standard, the term listed below is defined 
as follows:
    A2. Engagement partner--The member of the engagement team with 
primary responsibility for the audit.

Auditing Standard No. 10

Supervision of the Audit Engagement

Introduction

    1. This standard establishes requirements regarding supervision of 
the audit engagement, including supervising the work of engagement team 
members.

Objective

    2. The objective of the auditor is to supervise the audit 
engagement, including supervising the work of engagement team members 
so that the work is performed as directed and supports the conclusions 
reached.

Responsibility of the Engagement Partner for Supervision

    3. The engagement partner \28\ is responsible for the engagement 
and its performance. Accordingly, the engagement partner is responsible 
for proper supervision of the work of engagement team members and for 
compliance with PCAOB standards, including standards regarding using 
the work of specialists,\29\ other auditors,\30\ internal auditors,\31\ 
and others who are involved in testing controls.\32\ Paragraphs 5-6 of 
this standard describe the nature and extent of supervisory activities 
necessary for proper supervision of engagement team members.\33\
---------------------------------------------------------------------------

    \28\ Terms defined in Appendix A, Definitions, are set in 
boldface type the first time they appear.
    \29\ AU sec. 336, Using the Work of a Specialist.
    \30\ AU sec. 543, Part of Audit Performed by Other Independent 
Auditors.
    \31\ AU sec. 322, The Auditor's Consideration of the Internal 
Audit Function in an Audit of Financial Statements.
    \32\ Paragraphs 16-19 of Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    \33\ See also paragraph .06 of AU sec. 230, Due Professional 
Care in the Performance of Work.
---------------------------------------------------------------------------

    4. The engagement partner may seek assistance from appropriate 
engagement team members in fulfilling his or her responsibilities 
pursuant to this standard. Engagement team members who assist the 
engagement partner with supervision of the work of other engagement 
team members also should comply with the requirements in this standard 
with respect to the supervisory responsibilities assigned to them.

Supervision of Engagement Team Members

    5. The engagement partner and, as applicable, other engagement team 
members performing supervisory activities, should:
    a. Inform engagement team members of their responsibilities,\34\ 
including:
---------------------------------------------------------------------------

    \34\ AU sec. 230.06 and paragraph 5 of Auditing Standard No. 13, 
The Auditor's Responses to the Risks of Material Misstatement, 
establish requirements regarding the appropriate assignment of 
engagement team members.
---------------------------------------------------------------------------

    (1) The objectives of the procedures that they are to perform;
    (2) The nature, timing, and extent of procedures they are to 
perform; and
    (3) Matters that could affect the procedures to be performed or the 
evaluation of the results of those procedures, including relevant 
aspects of the company, its environment, and its internal control over 
financial reporting,\35\ and possible accounting and auditing issues;
---------------------------------------------------------------------------

    \35\ Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement, describes the auditor's responsibilities 
for obtaining an understanding of the company, its environment, and 
its internal control over financial reporting.
---------------------------------------------------------------------------

    b. Direct engagement team members to bring significant accounting 
and auditing issues arising during the audit to the attention of the 
engagement partner or other engagement team members performing 
supervisory activities so they can evaluate those issues and determine 
that appropriate actions are taken in accordance with PCAOB standards; 
\36\
---------------------------------------------------------------------------

    \36\ See, e.g., paragraph 15 of Auditing Standard No. 9, Audit 
Planning, paragraph 74 of Auditing Standard No. 12, and paragraphs 
20-23 and 35-36 of Auditing Standard No. 14, Evaluating Audit 
Results.
---------------------------------------------------------------------------

    Note: In applying due professional care in accordance with AU sec. 
230, each engagement team member has a responsibility to bring to the 
attention of appropriate persons, disagreements or concerns the 
engagement team member might have with respect to accounting and 
auditing issues that he or she believes are of significance to the 
financial statements or the auditor's report regardless of how those 
disagreements or concerns may have arisen.
    c. Review the work of engagement team members to evaluate whether:
    (1) The work was performed and documented;
    (2) The objectives of the procedures were achieved; and
    (3) The results of the work support the conclusions reached.\37\
---------------------------------------------------------------------------

    \37\ Auditing Standard No. 14 describes the auditor's 
responsibilities for evaluating the results of the audit, and 
Auditing Standard No. 3, Audit Documentation, establishes 
requirements regarding audit documentation.
---------------------------------------------------------------------------

    6. To determine the extent of supervision necessary for engagement 
team members to perform their work as directed and form appropriate 
conclusions, the engagement partner and other engagement team members 
performing supervisory activities should take into account:
    a. The nature of the company, including its size and complexity; 
\38\
---------------------------------------------------------------------------

    \38\ Paragraph 10 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    b. The nature of the assigned work for each engagement team member, 
including:
    (1) The procedures to be performed, and
    (2) The controls or accounts and disclosures to be tested;
    c. The risks of material misstatement; and
    d. The knowledge, skill, and ability of each engagement team 
member.\39\
---------------------------------------------------------------------------

    \39\ See also paragraph 5.a. of Auditing Standard No. 13 and AU 
sec. 230.06.
---------------------------------------------------------------------------

    Note: In accordance with the requirements of paragraph 5 of 
Auditing Standard No. 13, The Auditor's Responses to the Risks of 
Material Misstatement, the extent of supervision of engagement team 
members should be commensurate with the risks of material 
misstatement.\40\
---------------------------------------------------------------------------

    \40\ Paragraph 5.b. of Auditing Standard No. 13 indicates that 
the extent of supervision of engagement team members is part of the 
auditor's overall responses to the risks of material misstatement.
---------------------------------------------------------------------------

Appendix A--Definition

    A1. For purposes of this standard, the term listed below is defined 
as follows:
    A2. Engagement partner--The member of the engagement team with 
primary responsibility for the audit.

[[Page 59336]]

Auditing Standard No. 11

Consideration of Materiality in Planning and Performing an Audit

Introduction

    1. This standard establishes requirements regarding the auditor's 
consideration of materiality in planning and performing an audit.\41\
---------------------------------------------------------------------------

    \41\ Auditing Standard No. 14 establishes requirements regarding 
the auditor's consideration of materiality in evaluating audit 
results.
---------------------------------------------------------------------------

Materiality in the Context of an Audit
    2. In interpreting the federal securities laws, the Supreme Court 
of the United States has held that a fact is material if there is ``a 
substantial likelihood that the * * * fact would have been viewed by 
the reasonable investor as having significantly altered the `total mix' 
of information made available.'' \42\ As the Supreme Court has noted, 
determinations of materiality require ``delicate assessments of the 
inferences a `reasonable shareholder' would draw from a given set of 
facts and the significance of those inferences to him * * *.'' \43\
---------------------------------------------------------------------------

    \42\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976). 
See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
    \43\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------

    3. To obtain reasonable assurance about whether the financial 
statements are free of material misstatement, the auditor should plan 
and perform audit procedures to detect misstatements that, individually 
or in combination with other misstatements, would result in material 
misstatement of the financial statements. This includes being alert 
while planning and performing audit procedures for misstatements that 
could be material due to quantitative or qualitative factors. Also, the 
evaluation of uncorrected misstatements in accordance with Auditing 
Standard No. 14, Evaluating Audit Results, requires consideration of 
both qualitative and quantitative factors.\44\ However, it ordinarily 
is not practical to design audit procedures to detect misstatements 
that are material based solely on qualitative factors.
---------------------------------------------------------------------------

    \44\ Appendix B of Auditing Standard No. 14.
---------------------------------------------------------------------------

    4. For integrated audits, Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements, states, ``In planning the audit of 
internal control over financial reporting, the auditor should use the 
same materiality considerations he or she would use in planning the 
audit of the company's annual financial statements.'' \45\
---------------------------------------------------------------------------

    \45\ Paragraph 20 of Auditing Standard No. 5.
---------------------------------------------------------------------------

Objective

    5. The objective of the auditor is to apply the concept of 
materiality appropriately in planning and performing audit procedures.

Considering Materiality in Planning and Performing an Audit

Establishing a Materiality Level for the Financial Statements as a 
Whole
    6. To plan the nature, timing, and extent of audit procedures, the 
auditor should establish a materiality level for the financial 
statements as a whole that is appropriate in light of the particular 
circumstances. This includes consideration of the company's earnings 
and other relevant factors. To determine the nature, timing, and extent 
of audit procedures, the materiality level for the financial statements 
as a whole needs to be expressed as a specified amount.
    Note: If financial statements for the audit period are not 
available, the auditor may establish an initial materiality level based 
on estimated or preliminary financial statement amounts. In those 
situations, the auditor should take into account the effects of known 
or expected changes in the company's financial statements, including 
significant transactions or adjustments that are expected to be 
reflected in the financial statements at the end of the period.
Establishing Materiality Levels for Particular Accounts or Disclosures
    7. The auditor should evaluate whether, in light of the particular 
circumstances, there are certain accounts or disclosures for which 
there is a substantial likelihood that misstatements of lesser amounts 
than the materiality level established for the financial statements as 
a whole would influence the judgment of a reasonable investor. If so, 
the auditor should establish separate materiality levels for those 
accounts or disclosures to plan the nature, timing, and extent of audit 
procedures for those accounts or disclosures.
    Note: Lesser amounts of misstatements could influence the judgment 
of a reasonable investor because of qualitative factors, e.g., because 
of the sensitivity of circumstances surrounding misstatements, such as 
conflicts of interest in related party transactions.
Determining Tolerable Misstatement
    8. The auditor should determine the amount or amounts of tolerable 
misstatement for purposes of assessing risks of material misstatement 
and planning and performing audit procedures at the account or 
disclosure level. The auditor should determine tolerable misstatement 
at an amount or amounts that reduce to an appropriately low level the 
probability that the total of uncorrected and undetected misstatements 
would result in material misstatement of the financial statements. 
Accordingly, tolerable misstatement should be less than the materiality 
level for the financial statements as a whole and, if applicable, the 
materiality level or levels for particular accounts or disclosures.
    9. In determining tolerable misstatement and planning and 
performing audit procedures, the auditor should take into account the 
nature, cause (if known), and amount of misstatements that were 
accumulated in audits of the financial statements of prior periods.
Considerations for Multi-Location Engagements
    10. For purposes of the audit of the consolidated financial 
statements of a company with multiple locations or business units, the 
auditor should determine tolerable misstatement for the individual 
locations or business units at an amount that reduces to an 
appropriately low level the probability that the total of uncorrected 
and undetected misstatements would result in material misstatement of 
the consolidated financial statements. Accordingly, tolerable 
misstatement at an individual location should be less than the 
materiality level for the financial statements as a whole.

Considerations as the Audit Progresses

    11. The auditor should reevaluate the established materiality level 
or levels and tolerable misstatement when, because of changes in the 
particular circumstances or additional information that comes to the 
auditor's attention, there is a substantial likelihood that 
misstatements of amounts that differ significantly from the materiality 
level or levels that were established initially would influence the 
judgment of a reasonable investor. Situations in which changes in 
circumstances or additional information that comes to the auditor's 
attention would require such reevaluation include:
    a. The materiality level or levels and tolerable misstatement were 
established initially based on estimated or preliminary financial 
statement amounts that differ significantly from actual amounts.
    b. Events or changes in conditions occurring after the materiality 
level or levels and tolerable misstatement were established initially 
are likely to affect

[[Page 59337]]

investors' perceptions about the company's financial position, results 
of operations, or cash flows.
    Note: Examples of such events or changes in conditions include (1) 
changes in laws, regulations, or the applicable financial reporting 
framework that affect investors' expectations about the measurement or 
disclosure of certain items and (2) significant new contractual 
arrangements that draw attention to a particular aspect of a company's 
business that is separately disclosed in the financial statements.
    12. If the auditor's reevaluation results in a lower amount for the 
materiality level or levels or tolerable misstatement than initially 
established by the auditor, the auditor should (1) evaluate the effect, 
if any, of the lower amount or amounts on his or her risk assessments 
and audit procedures and (2) modify the nature, timing, and extent of 
audit procedures as necessary to obtain sufficient appropriate audit 
evidence.
    Note: The reevaluation of the materiality level or levels and 
tolerable misstatement is also relevant to the auditor's evaluation of 
uncorrected misstatements in accordance with Auditing Standard No. 
14.\46\
---------------------------------------------------------------------------

    \46\ Paragraph 17 of Auditing Standard No. 14.
---------------------------------------------------------------------------

Auditing Standard No. 12

Identifying and Assessing Risks of Material Misstatement

Introduction

    1. This standard establishes requirements regarding the process of 
identifying and assessing risks of material misstatement \47\ of the 
financial statements.
---------------------------------------------------------------------------

    \47\ Paragraphs 5-8 of Auditing Standard No. 8, Audit Risk.
---------------------------------------------------------------------------

    2. Paragraphs 4-58 of this standard discuss the auditor's 
responsibilities for performing risk assessment procedures.\48\ 
Paragraphs 59-73 of this standard discuss identifying and assessing the 
risks of material misstatement using information obtained from 
performing risk assessment procedures.
---------------------------------------------------------------------------

    \48\ Terms defined in Appendix A, Definitions, are set in 
boldface type the first time they appear.
---------------------------------------------------------------------------

Objective

    3. The objective of the auditor is to identify and appropriately 
assess the risks of material misstatement, thereby providing a basis 
for designing and implementing responses to the risks of material 
misstatement.

Performing Risk Assessment Procedures

    4. The auditor should perform risk assessment procedures that are 
sufficient to provide a reasonable basis for identifying and assessing 
the risks of material misstatement, whether due to error or fraud,\49\ 
and designing further audit procedures.\50\
---------------------------------------------------------------------------

    \49\ AU sec. 316, Consideration of Fraud in a Financial 
Statement Audit, discusses fraud, its characteristics, and the types 
of misstatements due to fraud that are relevant to the audit, i.e., 
misstatements arising from fraudulent financial reporting and 
misstatements arising from asset misappropriation.
    \50\ Auditing Standard No. 15, Audit Evidence, describes further 
audit procedures as consisting of tests of controls and substantive 
procedures.
---------------------------------------------------------------------------

    5. Risks of material misstatement can arise from a variety of 
sources, including external factors, such as conditions in the 
company's industry and environment, and company-specific factors, such 
as the nature of the company, its activities, and internal control over 
financial reporting. For example, external or company-specific factors 
can affect the judgments involved in determining accounting estimates 
or create pressures to manipulate the financial statements to achieve 
certain financial targets. Also, risks of material misstatement may 
relate to, e.g., personnel who lack the necessary financial reporting 
competencies, information systems that fail to accurately capture 
business transactions, or financial reporting processes that are not 
adequately aligned with the requirements in the applicable financial 
reporting framework. Thus, the audit procedures that are necessary to 
identify and appropriately assess the risks of material misstatement 
include consideration of both external factors and company-specific 
factors. This standard discusses the following risk assessment 
procedures:
    a. Obtaining an understanding of the company and its environment 
(paragraphs 7-17);
    b. Obtaining an understanding of internal control over financial 
reporting (paragraphs 18-40);
    c. Considering information from the client acceptance and retention 
evaluation, audit planning activities, past audits, and other 
engagements performed for the company (paragraphs 41-45);
    d. Performing analytical procedures (paragraphs 46-48);
    e. Conducting a discussion among engagement team members regarding 
the risks of material misstatement (paragraphs 49-53); and
    f. Inquiring of the audit committee, management, and others within 
the company about the risks of material misstatement (paragraphs 54-
58).
    Note: This standard describes an approach to identifying and 
assessing risks of material misstatement that begins at the financial 
statement level and with the auditor's overall understanding of the 
company and its environment and works down to the significant accounts 
and disclosures and their relevant assertions.\51\
---------------------------------------------------------------------------

    \51\ Paragraph 11 of Auditing Standard No. 15 discusses 
financial statement assertions.
---------------------------------------------------------------------------

    6. In an integrated audit, the risks of material misstatement of 
the financial statements are the same for both the audit of internal 
control over financial reporting and the audit of financial statements. 
The auditor's risk assessment procedures should apply to both the audit 
of internal control over financial reporting and the audit of financial 
statements.

Obtaining an Understanding of the Company and Its Environment

    7. The auditor should obtain an understanding of the company and 
its environment (``understanding of the company'') to understand the 
events, conditions, and company activities that might reasonably be 
expected to have a significant effect on the risks of material 
misstatement. Obtaining an understanding of the company includes 
understanding:
    a. Relevant industry, regulatory, and other external factors;
    b. The nature of the company;
    c. The company's selection and application of accounting 
principles, including related disclosures;
    d. The company's objectives and strategies and those related 
business risks that might reasonably be expected to result in risks of 
material misstatement; and
    e. The company's measurement and analysis of its financial 
performance.
    8. In obtaining an understanding of the company, the auditor should 
evaluate whether significant changes in the company from prior periods, 
including changes in its internal control over financial reporting, 
affect the risks of material misstatement.
Industry, Regulatory, and Other External Factors
    9. Obtaining an understanding of relevant industry, regulatory, and 
other external factors encompasses industry factors, including the 
competitive environment and technological developments; the regulatory 
environment, including the applicable

[[Page 59338]]

financial reporting framework \52\ and the legal and political 
environment; \53\ and external factors, including general economic 
conditions.
---------------------------------------------------------------------------

    \52\ The auditor should look to the requirements of the 
Securities and Exchange Commission for the company under audit with 
respect to the accounting principles applicable to that company.
    \53\ AU sec. 317, Illegal Acts by Clients, discusses the 
auditor's consideration of laws and regulations relevant to the 
audit.
---------------------------------------------------------------------------

Nature of the Company
    10. Obtaining an understanding of the nature of the company 
includes understanding:
     The company's organizational structure and management 
personnel;
     The sources of funding of the company's operations and 
investment activities, including the company's capital structure, 
noncapital funding (e.g., subordinated debt or dependencies on supplier 
financing), and other debt instruments;
     The company's significant investments, including equity 
method investments, joint ventures, and variable interest entities;
     The company's operating characteristics, including its 
size and complexity;
    Note: The size and complexity of a company might affect the risks 
of misstatement and how the company addresses those risks.
     The sources of the company's earnings, including the 
relative profitability of key products and services; and
     Key supplier and customer relationships.
    Note: The auditor should take into account the information gathered 
while obtaining an understanding of the nature of the company when 
determining the existence of related parties in accordance with AU sec. 
334, Related Parties.
    11. As part of obtaining an understanding of the company as 
required by paragraph 7, the auditor should consider performing the 
following procedures and the extent to which the procedures should be 
performed:
     Reading public information about the company relevant to 
the evaluation of the likelihood of material financial statement 
misstatements and, in an integrated audit, the effectiveness of the 
company's internal control over financial reporting, e.g., company-
issued press releases, company-prepared presentation materials for 
analysts or investor groups, and analyst reports;
     Observing or reading transcripts of earnings calls and, to 
the extent publicly available, other meetings with investors or rating 
agencies;
     Obtaining an understanding of compensation arrangements 
with senior management, including incentive compensation arrangements, 
changes or adjustments to those arrangements, and special bonuses; and
     Obtaining information about trading activity in the 
company's securities and holdings in the company's securities by 
significant holders to identify potentially significant unusual 
developments (e.g., from Forms 3, 4, 5, 13D, and 13G).
Selection and Application of Accounting Principles, Including Related 
Disclosures
    12. As part of obtaining an understanding of the company's 
selection and application of accounting principles, including related 
disclosures, the auditor should evaluate whether the company's 
selection and application of accounting principles are appropriate for 
its business and consistent with the applicable financial reporting 
framework and accounting principles used in the relevant industry. 
Also, to identify and assess risks of material misstatement related to 
omitted, incomplete, or inaccurate disclosures, the auditor should 
develop expectations about the disclosures that are necessary for the 
company's financial statements to be presented fairly in conformity 
with the applicable financial reporting framework.
    13. The following matters, if present, are relevant to the 
necessary understanding of the company's selection and application of 
accounting principles, including related disclosures:
     Significant changes in the company's accounting 
principles, financial reporting policies, or disclosures and the 
reasons for such changes;
     The financial reporting competencies of personnel involved 
in selecting and applying significant new or complex accounting 
principles;
     The accounts or disclosures for which judgment is used in 
the application of significant accounting principles, especially in 
determining management's estimates and assumptions;
     The effect of significant accounting principles in 
controversial or emerging areas for which there is a lack of 
authoritative guidance or consensus;
     The methods the company uses to account for significant 
and unusual transactions; and
     Financial reporting standards and laws and regulations 
that are new to the company, including when and how the company will 
adopt such requirements.
Company Objectives, Strategies, and Related Business Risks
    14. The purpose of obtaining an understanding of the company's 
objectives, strategies, and related business risks is to identify 
business risks that could reasonably be expected to result in material 
misstatement of the financial statements.
    Note: Some relevant business risks might be identified through 
other risk assessment procedures, such as obtaining an understanding of 
the nature of the company and understanding industry, regulatory, and 
other external factors.
    15. The following are examples of situations in which business 
risks might result in material misstatement of the financial 
statements:
     Industry developments (a potential related business risk 
might be, e.g., that the company does not have the personnel or 
expertise to deal with the changes in the industry.)
     New products and services (a potential related business 
risk might be, e.g., that the new product or service will not be 
successful.)
     Use of information technology (``IT'') (a potential 
related business risk might be, e.g., that systems and processes are 
incompatible.)
     New accounting requirements (a potential related business 
risk might be, e.g., incomplete or improper implementation of a new 
accounting requirement.)
     Expansion of the business (a potential related business 
risk might be, e.g., that the demand for the company's products or 
services has not been accurately estimated.)
     The effects of implementing a strategy, particularly any 
effects that will lead to new accounting requirements (a potential 
related business risk might be, e.g., incomplete or improper 
implementation of the strategy.)
     Current and prospective financing requirements (a 
potential related business risk might be, e.g., the loss of financing 
due to the company's inability to meet financing requirements.)
     Regulatory requirements (a potential related business risk 
might be, e.g., that there is increased legal exposure.)
    Note: Business risks could affect risks of material misstatement at 
the financial statement level, which would affect many accounts and 
disclosures in the financial statements. For example, a company's loss 
of financing or declining conditions affecting the company's

[[Page 59339]]

industry could affect its ability to settle its obligations when due. 
This, in turn, could affect the risks of material misstatement related 
to, e.g., the classification of long-term liabilities or valuation of 
long-term assets, or it could result in substantial doubt about the 
company's ability to continue as a going concern. Other business risks 
could affect the risks of material misstatement for particular 
accounts, disclosures, or assertions. For example, an unsuccessful new 
product or service or failed business expansion might affect the risks 
of material misstatement related to the valuation of inventory and 
other related assets.
Company Performance Measures
    16. The purpose of obtaining an understanding of the company's 
performance measures is to identify performance measures, whether 
external or internal, that affect the risks of material misstatement.
    17. The following are examples of performance measures that might 
affect the risks of material misstatement:
     Measures that form the basis for contractual commitments 
or incentive compensation arrangements;
     Measures used by external parties, such as analysts and 
rating agencies, to review the company's performance; and
     Measures the company uses to monitor its operations that 
highlight unexpected results or trends that prompt management to 
investigate their cause and take corrective action, including 
correction of misstatements.
    Note: The first two examples represent performance measures that 
can affect the risks of material misstatement by creating incentives or 
pressures for management of the company to manipulate certain accounts 
or disclosures to achieve certain performance targets (or conceal a 
failure to achieve those targets). The third example represents 
performance measures that management might use to monitor risks 
affecting the financial statements.
    Note: Smaller companies might have less formal processes to measure 
and review financial performance. In such cases, the auditor might 
identify relevant performance measures by considering the information 
that the company uses to manage the business.

Obtaining an Understanding of Internal Control Over Financial Reporting

    18. The auditor should obtain a sufficient understanding of each 
component \54\ of internal control over financial reporting 
(``understanding of internal control'') to (a) identify the types of 
potential misstatements, (b) assess the factors that affect the risks 
of material misstatement, and (c) design further audit procedures.
---------------------------------------------------------------------------

    \54\ Paragraphs 21-22 of this standard discuss components of 
internal control over financial reporting.
---------------------------------------------------------------------------

    19. The nature, timing, and extent of procedures that are necessary 
to obtain an understanding of internal control depend on the size and 
complexity of the company; \55\ the auditor's existing knowledge of the 
company's internal control over financial reporting; the nature of the 
company's controls, including the company's use of IT; the nature and 
extent of changes in systems and operations; and the nature of the 
company's documentation of its internal control over financial 
reporting.
---------------------------------------------------------------------------

    \55\ Paragraph 13 of Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That is Integrated with An 
Audit of Financial Statements, states, ``The size and complexity of 
the company, its business processes, and business units, may affect 
the way in which the company achieves many of its control 
objectives. The size and complexity of the company also might affect 
the risks of misstatement and the controls necessary to address 
those risks.''
---------------------------------------------------------------------------

    Note: The auditor also might obtain an understanding of certain 
controls that are not part of internal control over financial 
reporting, e.g., controls over the completeness and accuracy of 
operating or other nonfinancial information used as audit evidence.\56\
---------------------------------------------------------------------------

    \56\ Paragraph 10 of Auditing Standard No. 15.
---------------------------------------------------------------------------

    20. Obtaining an understanding of internal control includes 
evaluating the design of controls that are relevant to the audit and 
determining whether the controls have been implemented.
    Note: Procedures the auditor performs to obtain evidence about 
design effectiveness include inquiry of appropriate personnel, 
observation of the company's operations, and inspection of relevant 
documentation. Walkthroughs, as described in paragraphs 37-38, that 
include these procedures ordinarily are sufficient to evaluate design 
effectiveness.
    Note: Determining whether a control has been implemented means 
determining whether the control exists and whether the company is using 
it. The procedures to determine whether a control has been implemented 
may be performed in connection with the evaluation of its design. 
Procedures performed to determine whether a control has been 
implemented include inquiry of appropriate personnel, in combination 
with observation of the application of controls or inspection of 
documentation. Walkthroughs, as described in paragraphs 37-38, that 
include these procedures ordinarily are sufficient to determine whether 
a control has been implemented.
    21. Internal control over financial reporting can be described as 
consisting of the following components: \57\
---------------------------------------------------------------------------

    \57\ Different internal control frameworks use different terms 
and approaches to describe the components of internal control over 
financial reporting.
---------------------------------------------------------------------------

     The control environment,
     The company's risk assessment process,
     Information and communication,
     Control activities, and
     Monitoring of controls.
    22. Management might use an internal control framework with 
components that differ from the components identified in the preceding 
paragraph when establishing and maintaining the company's internal 
control over financial reporting. In evaluating the design of controls 
and determining whether they have been implemented in an audit of 
financial statements only, the auditor may use the framework used by 
management or another suitable, recognized framework.\58\ For 
integrated audits, Auditing Standard No. 5, states, ``The auditor 
should use the same suitable, recognized control framework to perform 
his or her audit of internal control over financial reporting as 
management uses for its annual evaluation of the effectiveness of the 
company's internal control over financial reporting.'' \59\ If the 
auditor uses a suitable, recognized internal control framework with 
components that differ from those listed in the preceding paragraph, 
the auditor should adapt the requirements in paragraphs 23-36 of this 
standard to conform to the components in the framework used.
---------------------------------------------------------------------------

    \58\ See Securities Exchange Act Release No. 34-47986 (June 5, 
2003) for a description of the characteristics of a suitable, 
recognized framework.
    \59\ Paragraph 5 of Auditing Standard No. 5.
---------------------------------------------------------------------------

Control Environment
    23. The auditor should obtain an understanding of the company's 
control environment, including the policies and actions of management, 
the board, and the audit committee concerning the company's control 
environment.
    24. Obtaining an understanding of the control environment includes 
assessing:
     Whether management's philosophy and operating style 
promote effective internal control over financial reporting;
     Whether sound integrity and ethical values, particularly 
of top management, are developed and understood; and
     Whether the board or audit committee understands and 
exercises oversight responsibility over financial reporting and 
internal control.
    Note: In an audit of financial statements only, this assessment may 
be based on the evidence obtained in

[[Page 59340]]

understanding the control environment, in accordance with paragraph 23, 
and the other relevant knowledge possessed by the auditor. In an 
integrated audit of financial statements and internal control over 
financial reporting, Auditing Standard No. 5 \60\ describes the 
auditor's responsibility for evaluating the control environment.
---------------------------------------------------------------------------

    \60\ Paragraph 25 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    25. If the auditor identifies a control deficiency \61\ in the 
company's control environment, the auditor should evaluate the extent 
to which this control deficiency is indicative of a fraud risk factor, 
as discussed in paragraphs 65-66 of this standard.
---------------------------------------------------------------------------

    \61\ Paragraph A3 of Auditing Standard No. 5.
---------------------------------------------------------------------------

The Company's Risk Assessment Process
    26. The auditor should obtain an understanding of management's 
process for:
    a. Identifying risks relevant to financial reporting objectives, 
including risks of material misstatement due to fraud (``fraud 
risks'');
    b. Assessing the likelihood and significance of misstatements 
resulting from those risks; and
    c. Deciding about actions to address those risks.
    27. Obtaining an understanding of the company's risk assessment 
process includes obtaining an understanding of the risks of material 
misstatement identified and assessed by management and the actions 
taken to address those risks.
Information and Communication
    28. Information System Relevant to Financial Reporting. The auditor 
should obtain an understanding of the information system, including the 
related business processes, relevant to financial reporting, including:
    a. The classes of transactions in the company's operations that are 
significant to the financial statements;
    b. The procedures, within both automated and manual systems, by 
which those transactions are initiated, authorized, processed, 
recorded, and reported;
    c. The related accounting records, supporting information, and 
specific accounts in the financial statements that are used to 
initiate, authorize, process, and record transactions;
    d. How the information system captures events and conditions, other 
than transactions,\62\ that are significant to the financial 
statements; and
---------------------------------------------------------------------------

    \62\ Examples of such events and conditions include depreciation 
and amortization and conditions affecting the recoverability of 
assets.
---------------------------------------------------------------------------

    e. The period-end financial reporting process.
    Note: Appendix B discusses additional considerations regarding 
manual and automated systems and controls.
    29. The auditor also should obtain an understanding of how IT 
affects the company's flow of transactions. (See Appendix B.)
    Note: The identification of risks and controls within IT is not a 
separate evaluation. Instead, it is an integral part of the approach 
used to identify significant accounts and disclosures and their 
relevant assertions and, when applicable, to select the controls to 
test, as well as to assess risk and allocate audit effort.
    30. A company's business processes are the activities designed to:
    a. Develop, purchase, produce, sell and distribute a company's 
products or services;
    b. Record information, including accounting and financial reporting 
information; and
    c. Ensure compliance with laws and regulations relevant to the 
financial statements.
    31. Obtaining an understanding of the company's business processes 
assists the auditor in obtaining an understanding of how transactions 
are initiated, authorized, processed, and recorded.
    32. A company's period-end financial reporting process, as referred 
to in paragraph 28.e., includes the following:
     Procedures used to enter transaction totals into the 
general ledger;
     Procedures related to the selection and application of 
accounting principles; \63\
---------------------------------------------------------------------------

    \63\ Paragraphs 12-13 of this standard.
---------------------------------------------------------------------------

     Procedures used to initiate, authorize, record, and 
process journal entries in the general ledger;
     Procedures used to record recurring and nonrecurring 
adjustments to the annual financial statements (and quarterly financial 
statements, if applicable); and
     Procedures for preparing annual financial statements and 
related disclosures (and quarterly financial statements, if 
applicable).
    33. Communication. The auditor should obtain an understanding of 
how the company communicates financial reporting roles and 
responsibilities and significant matters relating to financial 
reporting to relevant company personnel and others, including:
     Communications between management, the audit committee, 
and the board of directors; and
     Communications to external parties, including regulatory 
authorities and shareholders.
Control Activities
    34. The auditor should obtain an understanding of control 
activities that is sufficient to assess the factors that affect the 
risks of material misstatement and to design further audit procedures, 
as described in paragraph 18 of this standard.\64\ As the auditor 
obtains an understanding of the other components of internal control 
over financial reporting, he or she is also likely to obtain knowledge 
about some control activities. The auditor should use his or her 
knowledge about the presence or absence of control activities obtained 
from the understanding of the other components of internal control over 
financial reporting in determining the extent to which it is necessary 
to devote additional attention to obtaining an understanding of control 
activities to assess the factors that affect the risks of material 
misstatement and to design further audit procedures.
---------------------------------------------------------------------------

    \64\ Also see paragraph B5 of Appendix B of this standard.
---------------------------------------------------------------------------

    Note: A broader understanding of control activities is needed for 
relevant assertions for which the auditor plans to rely on controls. 
Also, in the audit of internal control over financial reporting, the 
auditor's understanding of control activities encompasses a broader 
range of accounts and disclosures than what is normally obtained in a 
financial statement audit.
Monitoring of Controls
    35. The auditor should obtain an understanding of the major types 
of activities that the company uses to monitor the effectiveness of its 
internal control over financial reporting and how the company initiates 
corrective actions related to its controls.\65\
---------------------------------------------------------------------------

    \65\ In some companies, internal auditors or others performing 
an equivalent function contribute to the monitoring of controls. AU 
sec. 322, The Auditor's Consideration of the Internal Audit Function 
in an Audit of Financial Statements, establishes requirements 
regarding the auditor's consideration and use of the work of the 
internal audit function.
---------------------------------------------------------------------------

    36. An understanding of the company's monitoring activities 
includes understanding the source of the information used in the 
monitoring activities.
Performing Walkthroughs
    37. As discussed in paragraph 20, the auditor may perform 
walkthroughs as part of obtaining an understanding of internal control 
over financial reporting. For example, the auditor may perform 
walkthroughs in connection with understanding the flow of transactions

[[Page 59341]]

in the information system relevant to financial reporting, evaluating 
the design of controls relevant to the audit, and determining whether 
those controls have been implemented. In performing a walkthrough, the 
auditor follows a transaction from origination through the company's 
processes, including information systems, until it is reflected in the 
company's financial records, using the same documents and IT that 
company personnel use. Walkthrough procedures usually include a 
combination of inquiry, observation, inspection of relevant 
documentation, and re-performance of controls.
    Note: For integrated audits, Auditing Standard No. 5 establishes 
certain objectives that the auditor should achieve to further 
understand likely sources of potential misstatements and as part of 
selecting the controls to test. Auditing Standard No. 5 states that 
performing walkthroughs will frequently be the most effective way of 
achieving those objectives.\66\
---------------------------------------------------------------------------

    \66\ See paragraphs 34-38 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    38. In performing a walkthrough, at the points at which important 
processing procedures occur, the auditor questions the company's 
personnel about their understanding of what is required by the 
company's prescribed procedures and controls. These probing questions, 
combined with the other walkthrough procedures, allow the auditor to 
gain a sufficient understanding of the process and to be able to 
identify important points at which a necessary control is missing or 
not designed effectively. Additionally, probing questions that go 
beyond a narrow focus on the single transaction used as the basis for 
the walkthrough allow the auditor to gain an understanding of the 
different types of significant transactions handled by the process.
Relationship of Understanding of Internal Control to Tests of Controls
    39. The objective of obtaining an understanding of internal 
control, as discussed in paragraph 18 of this standard, is different 
from testing controls for the purpose of assessing control risk \67\ or 
for the purpose of expressing an opinion on internal control over 
financial reporting in the audit of internal control over financial 
reporting.\68\ The auditor may obtain an understanding of internal 
control concurrently with performing tests of controls if he or she 
obtains sufficient appropriate evidence to achieve the objectives of 
both procedures. Also, the auditor should take into account the 
evidence obtained from understanding internal control when assessing 
control risk and, in the audit of internal control over financial 
reporting, forming an opinion about the effectiveness of internal 
control over financial reporting.
---------------------------------------------------------------------------

    \67\ Paragraphs 16-35 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.
    \68\ Paragraph B1 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    40. Relationship of Understanding of Internal Control to Evaluating 
Entity-Level Controls in an Audit of Internal Control Over Financial 
Reporting. Auditing Standard No. 5 states, ``The auditor must test 
those entity-level controls that are important to the auditor's 
conclusion about whether the company has effective internal control 
over financial reporting.'' \69\ The procedures performed to obtain an 
understanding of certain components of internal control in accordance 
with this standard, e.g., the control environment, the company's risk 
assessment process, information and communication, and monitoring of 
controls, might provide evidence that is relevant to the auditor's 
evaluation of entity-level controls.\70\ The auditor should take into 
account the evidence obtained from understanding internal control when 
determining the nature, timing, and extent of procedures necessary to 
support the auditor's conclusions about the effectiveness of entity-
level controls in the audit of internal control over financial 
reporting.
---------------------------------------------------------------------------

    \69\ Paragraph 22 of Auditing Standard No. 5.
    \70\ The entity-level controls included in paragraph 24 of 
Auditing Standard No. 5 include controls related to the control 
environment; the company's risk assessment process; centralized 
processing and controls; controls over the period-end financial 
reporting process; and controls to monitor other controls.
---------------------------------------------------------------------------

Considering Information From the Client Acceptance and Retention 
Evaluation, Audit Planning Activities, Past Audits, and Other 
Engagements

    41. Client Acceptance and Retention and Audit Planning Activities. 
The auditor should evaluate whether information obtained from the 
client acceptance and retention evaluation process or audit planning 
activities is relevant to identifying risks of material misstatement. 
Risks of material misstatement identified during those activities 
should be assessed as discussed beginning in paragraph 59 of this 
standard.
    42. Past Audits. In subsequent years, the auditor should 
incorporate knowledge obtained during past audits into the auditor's 
process for identifying risks of material misstatement, including when 
identifying significant ongoing matters that affect the risks of 
material misstatement or determining how changes in the company or its 
environment affect the risks of material misstatement, as discussed in 
paragraph 8 of this standard.
    43. If the auditor plans to limit the nature, timing, or extent of 
his or her risk assessment procedures by relying on information from 
past audits, the auditor should evaluate whether the prior years' 
information remains relevant and reliable.
    44. Other Engagements. When the auditor has performed a review of 
interim financial information in accordance with AU sec. 722, Interim 
Financial Information, the auditor should evaluate whether information 
obtained during the review is relevant to identifying risks of material 
misstatement in the year-end audit.
    45. The auditor should obtain an understanding of the nature of the 
services that have been performed for the company by the auditor or 
affiliates of the firm \71\ and should take into account relevant 
information obtained from those engagements in identifying risks of 
material misstatement.\72\
---------------------------------------------------------------------------

    \71\ See PCAOB Rule 3501(a)(i), which defines ``affiliate of the 
accounting firm.''
    \72\ Paragraph 7 of Auditing Standard No. 9, Audit Planning.
---------------------------------------------------------------------------

Performing Analytical Procedures

    46. The auditor should perform analytical procedures that are 
designed to:
    a. Enhance the auditor's understanding of the client's business and 
the significant transactions and events that have occurred since the 
prior year end; and
    b. Identify areas that might represent specific risks relevant to 
the audit, including the existence of unusual transactions and events, 
and amounts, ratios, and trends that warrant investigation.
    47. In applying analytical procedures as risk assessment 
procedures, the auditor should perform analytical procedures relating 
to revenue with the objective of identifying unusual or unexpected 
relationships involving revenue accounts that might indicate a material 
misstatement, including material misstatement due to fraud. Also, when 
the auditor has performed a review of interim financial information in 
accordance with AU sec. 722, he or she should take into account the 
analytical procedures applied in that review when designing and 
applying analytical procedures as risk assessment procedures.
    48. When performing an analytical procedure, the auditor should use 
his or

[[Page 59342]]

her understanding of the company to develop expectations about 
plausible relationships among the data to be used in the procedure.\73\ 
When comparison of those expectations with relationships derived from 
recorded amounts yields unusual or unexpected results, the auditor 
should take into account those results in identifying the risks of 
material misstatement.
---------------------------------------------------------------------------

    \73\ Analytical procedures consist of evaluations of financial 
information made by a study of plausible relationships among both 
financial and nonfinancial data.
---------------------------------------------------------------------------

    Note: Analytical procedures performed as risk assessment procedures 
often use data that is preliminary or data that is aggregated at a high 
level, and, in those instances, such analytical procedures are not 
designed with the level of precision necessary for substantive 
analytical procedures.

Conducting a Discussion Among Engagement Team Members Regarding Risks 
of Material Misstatement

    49. The key engagement team members should discuss (1) the 
company's selection and application of accounting principles, including 
related disclosure requirements, and (2) the susceptibility of the 
company's financial statements to material misstatement due to error or 
fraud.
    Note: The key engagement team members should discuss the potential 
for material misstatement due to fraud either as part of the discussion 
regarding risks of material misstatement or in a separate 
discussion.\74\
---------------------------------------------------------------------------

    \74\ Paragraphs 52-53 of this standard.
---------------------------------------------------------------------------

    Note: As discussed in paragraph 67, the financial statements might 
be susceptible to misstatement through omission of required disclosures 
or presentation of inaccurate or incomplete disclosures.
    50. Key engagement team members include all engagement team members 
who have significant engagement responsibilities, including the 
engagement partner. The manner in which the discussion is conducted 
depends on the individuals involved and the circumstances of the 
engagement. For example, if the audit involves more than one location, 
there could be multiple discussions with team members in differing 
locations. The engagement partner or other key engagement team members 
should communicate the important matters from the discussion to 
engagement team members who are not involved in the discussion.
    Note: If the audit is performed entirely by the engagement partner, 
that engagement partner, having personally conducted the planning of 
the audit, is responsible for evaluating the susceptibility of the 
company's financial statements to material misstatement.
    51. Communication among the engagement team members about 
significant matters affecting the risks of material misstatement should 
continue throughout the audit, including when conditions change.\75\
---------------------------------------------------------------------------

    \75\ See also paragraph 29 of Auditing Standard No. 14, 
Evaluating Audit Results.
---------------------------------------------------------------------------

Discussion of the Potential for Material Misstatement Due to Fraud
    52. The discussion among the key engagement team members about the 
potential for material misstatement due to fraud should occur with an 
attitude that includes a questioning mind, and the key engagement team 
members should set aside any prior beliefs they might have that 
management is honest and has integrity. The discussion among the key 
engagement team members should include:
     An exchange of ideas, or ``brainstorming,'' among the key 
engagement team members, including the engagement partner, about how 
and where they believe the company's financial statements might be 
susceptible to material misstatement due to fraud, how management could 
perpetrate and conceal fraudulent financial reporting, and how assets 
of the company could be misappropriated, including (a) the 
susceptibility of the financial statements to material misstatement 
through related party transactions and (b) how fraud might be 
perpetrated or concealed by omitting or presenting incomplete or 
inaccurate disclosures;
     A consideration of the known external and internal factors 
affecting the company that might (a) create incentives or pressures for 
management and others to commit fraud, (b) provide the opportunity for 
fraud to be perpetrated, and (c) indicate a culture or environment that 
enables management to rationalize committing fraud;
     A consideration of the risk of management override; and
     A consideration of the potential audit responses to the 
susceptibility of the company's financial statements to material 
misstatement due to fraud.
    53. The auditor should emphasize the following matters to all 
engagement team members:
     The need to maintain a questioning mind throughout the 
audit and to exercise professional skepticism in gathering and 
evaluating evidence, as described in AU sec. 316; \76\
---------------------------------------------------------------------------

    \76\ AU sec. 316.13.
---------------------------------------------------------------------------

     The need to be alert for information or other conditions 
(such as those matters presented in Appendix C of Auditing Standard No. 
14) that might affect the assessment of fraud risks; and
     If information or other conditions indicate that a 
material misstatement due to fraud might have occurred, the need to 
probe the issues, acquire additional evidence as necessary, and consult 
with other team members and, if appropriate, others in the firm 
including specialists.\77\
---------------------------------------------------------------------------

    \77\ Paragraphs 20-23 of Auditing Standard No. 14 establish 
further requirements for evaluating whether misstatements might be 
indicative of fraud and determining the necessary procedures to be 
performed in those situations.
---------------------------------------------------------------------------

Inquiring of the Audit Committee, Management, and Others Within the 
Company About the Risks of Material Misstatement

    54. The auditor should inquire of the audit committee, or 
equivalent (or its chair), management, the internal audit function, and 
others within the company who might reasonably be expected to have 
information that is important to the identification and assessment of 
risks of material misstatement.
    Note: The auditor's inquiries about risks of material misstatement 
should include inquiries regarding fraud risks.
    55. The auditor should use his or her knowledge of the company and 
its environment, as well as information from other risk assessment 
procedures, to determine the nature of the inquiries about risks of 
material misstatement.
Inquiries Regarding Fraud Risks
    56. The auditor's inquiries regarding fraud risks should include 
the following:
    a. Inquiries of management regarding:
    (1) Whether management has knowledge of fraud, alleged fraud, or 
suspected fraud affecting the company;
    (2) Management's process for identifying and responding to fraud 
risks in the company, including any specific fraud risks the company 
has identified or account balances or disclosures for which a fraud 
risk is likely to exist, and the nature, extent, and frequency of 
management's fraud risk assessment process;
    (3) Controls that the company has established to address fraud 
risks the company has identified, or that otherwise help to prevent and 
detect fraud, including how management monitors those controls;
    (4) For a company with multiple locations (a) the nature and extent 
of monitoring of operating locations or business segments and (b) 
whether there

[[Page 59343]]

are particular operating locations or business segments for which a 
fraud risk might be more likely to exist;
    (5) Whether and how management communicates to employees its views 
on business practices and ethical behavior;
    (6) Whether management has received tips or complaints regarding 
the company's financial reporting (including those received through the 
audit committee's internal whistleblower program, if such program 
exists) and, if so, management's responses to such tips and complaints; 
and
    (7) Whether management has reported to the audit committee on how 
the company's internal control serves to prevent and detect material 
misstatements due to fraud.
    b. Inquiries of the audit committee, or equivalent, or its chair 
regarding:
    (1) The audit committee's views about fraud risks in the company;
    (2) Whether the audit committee has knowledge of fraud, alleged 
fraud, or suspected fraud affecting the company;
    (3) Whether the audit committee is aware of tips or complaints 
regarding the company's financial reporting (including those received 
through the audit committee's internal whistleblower program, if such 
program exists) and, if so, the audit committee's responses to such 
tips and complaints; and
    (4) How the audit committee exercises oversight of the company's 
assessment of fraud risks and the establishment of controls to address 
fraud risks.
    c. If the company has an internal audit function, inquiries of 
appropriate internal audit personnel regarding:
    (1) The internal auditors' views about fraud risks in the company;
    (2) Whether the internal auditors have knowledge of fraud, alleged 
fraud, or suspected fraud affecting the company;
    (3) Whether internal auditors have performed procedures to identify 
or detect fraud during the year, and whether management has 
satisfactorily responded to the findings resulting from those 
procedures; and
    (4) Whether internal auditors are aware of instances of management 
override of controls and the nature and circumstances of such 
overrides.
    57. In addition to the inquiries outlined in the preceding 
paragraph, the auditor should inquire of others within the company 
about their views regarding fraud risks, including, in particular, 
whether they have knowledge of fraud, alleged fraud, or suspected 
fraud. The auditor should identify other individuals within the company 
to whom inquiries should be directed and determine the extent of such 
inquiries by considering whether others in the company might have 
additional knowledge about fraud, alleged fraud, or suspected fraud or 
might be able to corroborate fraud risks identified in discussions with 
management or the audit committee. Examples of other individuals within 
the company to whom inquiries might be directed include:
     Employees with varying levels of authority within the 
company, including, e.g., company personnel with whom the auditor comes 
into contact during the course of the audit (a) in obtaining an 
understanding of internal control, (b) in observing inventory or 
performing cutoff procedures, or (c) in obtaining explanations for 
significant differences identified when performing analytical 
procedures;
     Operating personnel not directly involved in the financial 
reporting process;
     Employees involved in initiating, recording, or processing 
complex or unusual transactions, e.g., a sales transaction with 
multiple elements or a significant related party transaction; and
     In-house legal counsel.
    58. When evaluating management's responses to inquiries about fraud 
risks and determining when it is necessary to corroborate management's 
responses, the auditor should take into account the fact that 
management is often in the best position to commit fraud. Also, the 
auditor should obtain evidence to address inconsistencies in responses 
to the inquiries.

Identifying and Assessing the Risks of Material Misstatement

    59. The auditor should identify and assess the risks of material 
misstatement at the financial statement level and the assertion level. 
In identifying and assessing risks of material misstatement, the 
auditor should:
    a. Identify risks of misstatement using information obtained from 
performing risk assessment procedures (as discussed in paragraphs 4-58) 
and considering the characteristics of the accounts and disclosures in 
the financial statements.
    Note: Factors relevant to identifying fraud risks are discussed in 
paragraphs 65-69 of this standard.
    b. Evaluate whether the identified risks relate pervasively to the 
financial statements as a whole and potentially affect many assertions.
    c. Evaluate the types of potential misstatements that could result 
from the identified risks and the accounts, disclosures, and assertions 
that could be affected.
    Note: In identifying and assessing risks at the assertion level, 
the auditor should evaluate how risks at the financial statement level 
could affect risks of misstatement at the assertion level.
    d. Assess the likelihood of misstatement, including the possibility 
of multiple misstatements, and the magnitude of potential misstatement 
to assess the possibility that the risk could result in material 
misstatement of the financial statements.
    Note: In assessing the likelihood and magnitude of potential 
misstatement, the auditor may take into account the planned degree of 
reliance on controls selected to test.\78\
---------------------------------------------------------------------------

    \78\ Paragraphs 16-35 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    e. Identify significant accounts and disclosures \79\ and their 
relevant assertions \80\ (paragraphs 60-64 of this standard).
---------------------------------------------------------------------------

    \79\ Paragraph A10 of Auditing Standard No. 5 states:
    An account or disclosure is a significant account or disclosure 
if there is a reasonable possibility that the account or disclosure 
could contain a misstatement that, individually or when aggregated 
with others, has a material effect on the financial statements, 
considering the risks of both overstatement and understatement. The 
determination of whether an account or disclosure is significant is 
based on inherent risk, without regard to the effect of controls.
    \80\ Paragraph A9 of Auditing Standard No. 5 states:
    A relevant assertion is a financial statement assertion that has 
a reasonable possibility of containing a misstatement or 
misstatements that would cause the financial statements to be 
materially misstated. The determination of whether an assertion is a 
relevant assertion is based on inherent risk, without regard to the 
effect of controls.
---------------------------------------------------------------------------

    Note: The determination of whether an account or disclosure is 
significant or whether an assertion is a relevant assertion is based on 
inherent risk, without regard to the effect of controls.
    f. Determine whether any of the identified and assessed risks of 
material misstatement are significant risks (paragraphs 70-71 of this 
standard).

Identifying Significant Accounts and Disclosures and Their Relevant 
Assertions

    60. To identify significant accounts and disclosures and their 
relevant assertions in accordance with paragraph 59.e., the auditor 
should evaluate the qualitative and quantitative risk factors related 
to the financial statement line items and disclosures. Risk factors 
relevant to the identification of significant accounts and disclosures 
and their relevant assertions include:
     Size and composition of the account;
     Susceptibility to misstatement due to error or fraud;

[[Page 59344]]

     Volume of activity, complexity, and homogeneity of the 
individual transactions processed through the account or reflected in 
the disclosure;
     Nature of the account or disclosure;
     Accounting and reporting complexities associated with the 
account or disclosure;
     Exposure to losses in the account;
     Possibility of significant contingent liabilities arising 
from the activities reflected in the account or disclosure;
     Existence of related party transactions in the account; 
and
     Changes from the prior period in account and disclosure 
characteristics.
    61. As part of identifying significant accounts and disclosures and 
their relevant assertions, the auditor also should determine the likely 
sources of potential misstatements that would cause the financial 
statements to be materially misstated. The auditor might determine the 
likely sources of potential misstatements by asking himself or herself 
``what could go wrong?'' within a given significant account or 
disclosure.
    62. The risk factors that the auditor should evaluate in the 
identification of significant accounts and disclosures and their 
relevant assertions are the same in the audit of internal control over 
financial reporting as in the audit of the financial statements; 
accordingly, significant accounts and disclosures and their relevant 
assertions are the same for both audits.
    Note: In the financial statement audit, the auditor might perform 
substantive auditing procedures on financial statement accounts, 
disclosures, and assertions that are not determined to be significant 
accounts and disclosures and relevant assertions.\81\\\
---------------------------------------------------------------------------

    \81\ \\ The auditor might perform substantive auditing 
procedures because his or her assessment of the risk that undetected 
misstatement would cause the financial statements to be materially 
misstated is unacceptably high or as a means of introducing 
unpredictability in the procedures performed. See paragraphs 11, 14, 
and 25 of Auditing Standard No. 14, for further discussion about 
undetected misstatement. See paragraph 61 of Auditing Standard No. 5 
and paragraph 5.c. of Auditing Standard No. 13, for further 
discussion about the unpredictability of auditing procedures.
---------------------------------------------------------------------------

    63. The components of a potential significant account or disclosure 
might be subject to significantly differing risks.
    64. When a company has multiple locations or business units, the 
auditor should identify significant accounts and disclosures and their 
relevant assertions based on the consolidated financial statements.
Factors Relevant to Identifying Fraud Risks
    65. The auditor should evaluate whether the information gathered 
from the risk assessment procedures indicates that one or more fraud 
risk factors are present and should be taken into account in 
identifying and assessing fraud risks. Fraud risk factors are events or 
conditions that indicate (1) an incentive or pressure to perpetrate 
fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or 
rationalization that justifies the fraudulent action. Fraud risk 
factors do not necessarily indicate the existence of fraud; however, 
they often are present in circumstances in which fraud exists. Examples 
of fraud risk factors related to fraudulent financial reporting and 
misappropriation of assets are listed in AU sec. 316.85. These 
illustrative risk factors are classified based on the three conditions 
discussed in this paragraph, which generally are present when fraud 
exists.
    Note: The factors listed in AU sec. 316.85 cover a broad range of 
situations and are only examples. Accordingly, the auditor might 
identify additional or different fraud risk factors.
    66. All three conditions discussed in the preceding paragraph are 
not required to be observed or evident to conclude that a fraud risk 
exists. The auditor might conclude that a fraud risk exists even when 
only one of these three conditions is present.
    67. Consideration of the Risk of Omitted, Incomplete, or Inaccurate 
Disclosures. The auditor's evaluation of fraud risk factors in 
accordance with paragraph 65 should include evaluation of how fraud 
could be perpetrated or concealed by presenting incomplete or 
inaccurate disclosures or by omitting disclosures that are necessary 
for the financial statements to be presented fairly in conformity with 
the applicable financial reporting framework.
    68. Presumption of Fraud Risk Involving Improper Revenue 
Recognition. The auditor should presume that there is a fraud risk 
involving improper revenue recognition and evaluate which types of 
revenue, revenue transactions, or assertions may give rise to such 
risks.
    69. Consideration of the Risk of Management Override of Controls. 
The auditor's identification of fraud risks should include the risk of 
management override of controls.
    Note: Controls over management override are important to effective 
internal control over financial reporting for all companies, and may be 
particularly important at smaller companies because of the increased 
involvement of senior management in performing controls and in the 
period-end financial reporting process. For smaller companies, the 
controls that address the risk of management override might be 
different from those at a larger company. For example, a smaller 
company might rely on more detailed oversight by the audit committee 
that focuses on the risk of management override.
Factors Relevant To Identifying Significant Risks
    70. To determine whether an identified and assessed risk is a 
significant risk, the auditor should evaluate whether the risk requires 
special audit consideration because of the nature of the risk or the 
likelihood and potential magnitude of misstatement related to the risk.
    Note: The determination of whether a risk of material misstatement 
is a significant risk is based on inherent risk, without regard to the 
effect of controls.
    71. Factors that should be evaluated in determining which risks are 
significant risks include:
    a. The effect of the quantitative and qualitative risk factors 
discussed in paragraph 60 on the likelihood and potential magnitude of 
misstatements;
    b. Whether the risk is a fraud risk;
    Note: A fraud risk is a significant risk.
    c. Whether the risk is related to recent significant economic, 
accounting, or other developments;
    d. The complexity of transactions;
    e. Whether the risk involves significant transactions with related 
parties;
    f. The degree of complexity or judgment in the recognition or 
measurement of financial information related to the risk, especially 
those measurements involving a wide range of measurement uncertainty; 
and
    g. Whether the risk involves significant transactions that are 
outside the normal course of business for the company or that otherwise 
appear to be unusual due to their timing, size, or nature.
Further Consideration of Controls
    72. When the auditor has determined that a significant risk, 
including a fraud risk, exists, the auditor should evaluate the design 
of the company's controls that are intended to address fraud risks and 
other significant risks and determine whether those controls have been 
implemented, if the auditor has not already done so when obtaining an 
understanding of internal control, as described in paragraphs 18-40 of 
this standard.\82\
---------------------------------------------------------------------------

    \82\ Auditing Standard No. 13 discusses the auditor's response 
to fraud risks and other significant risks.
---------------------------------------------------------------------------

    73. Controls that address fraud risks include (a) specific controls 
designed to

[[Page 59345]]

mitigate specific risks of fraud, e.g., controls to address risks of 
intentional misstatement of specific accounts and (b) controls designed 
to prevent, deter, and detect fraud, e.g., controls to promote a 
culture of honesty and ethical behavior.\83\\\ Such controls also 
include those that address the risk of management override of other 
controls.
---------------------------------------------------------------------------

    \83\ \\ AU sec. 316.88 and paragraph 14 of Auditing Standard No. 
5 present examples of controls that address fraud risks.
---------------------------------------------------------------------------

Revision of Risk Assessment

    74. The auditor's assessment of the risks of material misstatement, 
including fraud risks, should continue throughout the audit. When the 
auditor obtains audit evidence during the course of the audit that 
contradicts the audit evidence on which the auditor originally based 
his or her risk assessment, the auditor should revise the risk 
assessment and modify planned audit procedures or perform additional 
procedures in response to the revised risk assessments.\84\
---------------------------------------------------------------------------

    \84\ See also paragraph 46 of Auditing Standard No. 13.
---------------------------------------------------------------------------

APPENDIX A--Definitions

A1. For purposes of this standard, the terms listed below are defined 
as follows:
A2. Business risks--Risks that result from significant conditions, 
events, circumstances, actions, or inactions that could adversely 
affect a company's ability to achieve its objectives and execute its 
strategies. Business risks also might result from setting inappropriate 
objectives and strategies or from changes or complexity in the 
company's operations or management.
A3. Company's objectives and strategies--The overall plans for the 
company as established by management or the board of directors. 
Strategies are the approaches by which management intends to achieve 
its objectives.
A4. Risk assessment procedures--The procedures performed by the auditor 
to obtain information for identifying and assessing the risks of 
material misstatement in the financial statements whether due to error 
or fraud.

    Note: Risk assessment procedures by themselves do not provide 
sufficient appropriate evidence on which to base an audit opinion.

A5. Significant risk--A risk of material misstatement that requires 
special audit consideration.

APPENDIX B--Consideration of Manual and Automated Systems and Controls

B1. While obtaining an understanding of the company's information 
system related to financial reporting, the auditor should obtain an 
understanding of how the company uses information technology (``IT'') 
and how IT affects the financial statements.\85\ The auditor also 
should obtain an understanding of the extent of manual controls and 
automated controls used by the company, including the IT general 
controls that are important to the effective operation of the automated 
controls. That information should be taken into account in assessing 
the risks of material misstatement.\86\
---------------------------------------------------------------------------

    \85\ See also AU sec. 324, Service Organizations, if the company 
uses a service organization for services that are part of the 
company's internal control over financial reporting.
    \86\ See also paragraphs 16-17 of Auditing Standard No. 9, Audit 
Planning.
---------------------------------------------------------------------------

B2. Controls in a manual system might include procedures such as 
approvals and reviews of transactions, and reconciliations and follow-
up of reconciling items.
B3. Alternatively, a company might use automated procedures to 
initiate, record, process, and report transactions, in which case 
records in electronic format would replace paper documents. When IT is 
used to initiate, record, process, and report transactions, the IT 
systems and programs may include controls related to the relevant 
assertions of significant accounts and disclosures or may be critical 
to the effective functioning of manual controls that depend on IT.
B4. The auditor should obtain an understanding of specific risks to a 
company's internal control over financial reporting resulting from IT. 
Examples of such risks include:

     Reliance on systems or programs that are inaccurately 
processing data, processing inaccurate data, or both;
     Unauthorized access to data that might result in 
destruction of data or improper changes to data, including the 
recording of unauthorized or non-existent transactions or inaccurate 
recording of transactions (particular risks might arise when multiple 
users access a common database);
     The possibility of IT personnel gaining access privileges 
beyond those necessary to perform their assigned duties, thereby 
breaking down segregation of duties;
     Unauthorized changes to data in master files;
     Unauthorized changes to systems or programs;
     Failure to make necessary changes to systems or programs;
     Inappropriate manual intervention; and
     Potential loss of data or inability to access data as 
required.
B5. In obtaining an understanding of the company's control activities, 
the auditor should obtain an understanding of how the company has 
responded to risks arising from IT.
B6. When a company uses manual elements in internal control systems and 
the auditor plans to rely on, and therefore test, those manual 
controls, the auditor should design procedures to test the consistency 
in the application of those manual controls.

Auditing Standard No. 13

The Auditor's Responses to the Risks of Material Misstatement

Introduction

    1. This standard establishes requirements regarding designing and 
implementing appropriate responses to the risks of material 
misstatement.

Objective

    2. The objective of the auditor is to address the risks of material 
misstatement through appropriate overall audit responses and audit 
procedures.

Responding to the Risks of Material Misstatement

    3. To meet the objective in the preceding paragraph, the auditor 
must design and implement audit responses that address the risks of 
material misstatement that are identified and assessed in accordance 
with Auditing Standard No. 12, Identifying and Assessing Risks of 
Material Misstatement.
    4. This standard discusses the following types of audit responses:
    a. Responses that have an overall effect on how the audit is 
conducted (``overall responses''), as described in paragraphs 5-7; and
    b. Responses involving the nature, timing, and extent of the audit 
procedures to be performed, as described in paragraphs 8-46.

Overall Responses

    5. The auditor should design and implement overall responses to 
address the assessed risks of material misstatement as follows:

[[Page 59346]]

    a. Making appropriate assignments of significant engagement 
responsibilities. The knowledge, skill, and ability of engagement team 
members with significant engagement responsibilities should be 
commensurate with the assessed risks of material misstatement.\87\
---------------------------------------------------------------------------

    \87\ See also paragraph .06 of AU sec. 230, Due Professional 
Care in the Performance of Work.
---------------------------------------------------------------------------

    b. Providing the extent of supervision that is appropriate for the 
circumstances, including, in particular, the assessed risks of material 
misstatement. (See paragraphs 5-6 of Auditing Standard No. 10, 
Supervision of the Audit Engagement.)
    c. Incorporating elements of unpredictability in the selection of 
audit procedures to be performed. As part of the auditor's response to 
the assessed risks of material misstatement, including the assessed 
risks of material misstatement due to fraud (``fraud risks''), the 
auditor should incorporate an element of unpredictability in the 
selection of auditing procedures to be performed from year to year. 
Examples of ways to incorporate an element of unpredictability include:
    (1) Performing audit procedures related to accounts, disclosures, 
and assertions that would not otherwise be tested based on their amount 
or the auditor's assessment of risk;
    (2) Varying the timing of the audit procedures;
    (3) Selecting items for testing that have lower amounts or are 
otherwise outside customary selection parameters;
    (4) Performing audit procedures on an unannounced basis; and
    (5) In multi-location audits, varying the location or the nature, 
timing, and extent of audit procedures at related locations or business 
units from year to year.\88\
---------------------------------------------------------------------------

    \88\ For integrated audits, paragraphs 61 and B13 of Auditing 
Standard No. 5, An audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements, 
establish requirements for introducing unpredictability in testing 
of controls from year to year and in multi-location audits.
---------------------------------------------------------------------------

    d. Evaluating the company's selection and application of 
significant accounting principles. The auditor should evaluate whether 
the company's selection and application of significant accounting 
principles, particularly those related to subjective measurements and 
complex transactions,\89\ are indicative of bias that could lead to 
material misstatement of the financial statements.
---------------------------------------------------------------------------

    \89\ Paragraphs 12-13 of Auditing Standard No. 12 discuss the 
auditor's responsibilities regarding obtaining an understanding of 
the company's selection and application of accounting principles. 
See also paragraphs .66-.67 of AU sec. 316, Consideration of Fraud 
in a Financial Statement Audit, and paragraphs .04 and .06 of AU 
sec. 411, The Meaning of Present Fairly in Conformity With Generally 
Accepted Accounting Principles.
---------------------------------------------------------------------------

    Note: Paragraph .11 of AU sec. 380, Communication With Audit 
Committees, discusses the auditor's judgments about the quality of a 
company's accounting principles.
    6. The auditor also should determine whether it is necessary to 
make pervasive changes to the nature, timing, or extent of audit 
procedures to adequately address the assessed risks of material 
misstatement. Examples of such pervasive changes include modifying the 
audit strategy to:
    a. Increase the substantive testing of the valuation of numerous 
significant accounts at year end because of significantly deteriorating 
market conditions, and
    b. Obtain more persuasive audit evidence from substantive 
procedures due to the identification of pervasive weaknesses in the 
company's control environment.
    7. Due professional care requires the auditor to exercise 
professional skepticism.\90\ Professional skepticism is an attitude 
that includes a questioning mind and a critical assessment of the 
appropriateness and sufficiency of audit evidence. The auditor's 
responses to the assessed risks of material misstatement, particularly 
fraud risks, should involve the application of professional skepticism 
in gathering and evaluating audit evidence.\91\ Examples of the 
application of professional skepticism in response to the assessed 
fraud risks are (a) modifying the planned audit procedures to obtain 
more reliable evidence regarding relevant assertions and (b) obtaining 
sufficient appropriate evidence to corroborate management's 
explanations or representations concerning important matters, such as 
through third-party confirmation, use of a specialist engaged or 
employed by the auditor, or examination of documentation from 
independent sources.
---------------------------------------------------------------------------

    \90\ AU secs. 230.07-.09.
    \91\ AU sec. 316.13.
---------------------------------------------------------------------------

Responses Involving the Nature, Timing, and Extent of Audit Procedures

    8. The auditor should design and perform audit procedures in a 
manner that addresses the assessed risks of material misstatement for 
each relevant assertion of each significant account and disclosure.
    9. In designing the audit procedures to be performed, the auditor 
should:
    a. Obtain more persuasive audit evidence the higher the auditor's 
assessment of risk;
    b. Take into account the types of potential misstatements that 
could result from the identified risks and the likelihood and magnitude 
of potential misstatement; \92\
---------------------------------------------------------------------------

    \92\ For example, potential misstatements regarding disclosures 
include omission of required disclosures or presentation of 
inaccurate or incomplete disclosures.
---------------------------------------------------------------------------

    c. In an integrated audit, design the testing of controls to 
accomplish the objectives of both audits simultaneously:
    (1) To obtain sufficient evidence to support the auditor's control 
risk \93\ assessments for purposes of the audit of financial 
statements; \94\ and
---------------------------------------------------------------------------

    \93\ See paragraph 7.b. of Auditing Standard No. 8, Audit Risk, 
for a definition of control risk.
    \94\ For purposes of this standard, the term ``audit of 
financial statements'' refers to the financial statement portion of 
the integrated audit and to the audit of financial statements only.
---------------------------------------------------------------------------

    (2) To obtain sufficient evidence to support the auditor's opinion 
on internal control over financial reporting as of year-end.
    Note: Auditing Standard No. 5 establishes requirements for tests of 
controls in the audit of internal control over financial reporting.
    10. The audit procedures performed in response to the assessed 
risks of material misstatement can be classified into two categories: 
(1) tests of controls and (2) substantive procedures.\95\ Paragraphs 
16-35 of this standard discuss tests of controls, and paragraphs 36-46 
discuss substantive procedures.
---------------------------------------------------------------------------

    \95\ Substantive procedures consist of (a) tests of details of 
accounts and disclosures and (b) substantive analytical procedures.
---------------------------------------------------------------------------

    Note: Paragraphs 16-17 of this standard discuss when tests of 
controls are necessary in a financial statement audit. Ordinarily, 
tests of controls are performed for relevant assertions for which the 
auditor chooses to rely on controls to modify his or her substantive 
procedures.
Responses to Significant Risks
    11. For significant risks, the auditor should perform substantive 
procedures, including tests of details, that are specifically 
responsive to the assessed risks.
    Note: Auditing Standard No. 12 discusses identification of 
significant risks \96\ and states that fraud risks are significant 
risks.
---------------------------------------------------------------------------

    \96\ See paragraph 71 of Auditing Standard No. 12 for factors 
that the auditor should evaluate in determining which risks are 
significant risks.
---------------------------------------------------------------------------

Responses to Fraud Risks
    12. The audit procedures that are necessary to address the assessed 
fraud risks depend upon the types of risks and the relevant assertions 
that might be affected.

[[Page 59347]]

    Note: If the auditor identifies deficiencies in controls that are 
intended to address assessed fraud risks, the auditor should take into 
account those deficiencies when designing his or her response to those 
fraud risks.
    Note: Auditing Standard No. 5 establishes requirements for 
addressing assessed fraud risks in the audit of internal control over 
financial reporting.\97\
---------------------------------------------------------------------------

    \97\ Paragraphs 14-15 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    13. Addressing Fraud Risks in the Audit of Financial Statements. In 
the audit of financial statements, the auditor should perform 
substantive procedures, including tests of details, that are 
specifically responsive to the assessed fraud risks. If the auditor 
selects certain controls intended to address the assessed fraud risks 
for testing in accordance with paragraphs 16-17 of this standard, the 
auditor should perform tests of those controls.
    14. The following are examples of ways in which planned audit 
procedures may be modified to address assessed fraud risks:
    a. Changing the nature of audit procedures to obtain evidence that 
is more reliable or to obtain additional corroborative information;
    b. Changing the timing of audit procedures to be closer to the end 
of the period or to the points during the period in which fraudulent 
transactions are more likely to occur; and
    c. Changing the extent of the procedures applied to obtain more 
evidence, e.g., by increasing sample sizes or applying computer-
assisted audit techniques to all of the items in an account.
    Note: AU secs. 316.54-.67 provide additional examples of responses 
to assessed fraud risks relating to fraudulent financial reporting 
(e.g., revenue recognition, inventory quantities, and management 
estimates) and misappropriation of assets in the audit of financial 
statements.
    15. Also, AU sec. 316 indicates that the auditor should perform 
audit procedures to specifically address the risk of management 
override of controls including:
    a. Examining journal entries and other adjustments for evidence of 
possible material misstatement due to fraud (AU secs. 316.58-.62);
    b. Reviewing accounting estimates for biases that could result in 
material misstatement due to fraud (AU secs. 316.63-.65); and
    c. Evaluating the business rationale for significant unusual 
transactions (AU secs. 316.66-.67).

Testing Controls

Testing Controls in an Audit of Financial Statements
    16. Controls to be Tested. If the auditor plans to assess control 
risk at less than the maximum by relying on controls,\98\ and the 
nature, timing, and extent of planned substantive procedures are based 
on that lower assessment, the auditor must obtain evidence that the 
controls selected for testing are designed effectively and operated 
effectively during the entire period of reliance.\99\ However, the 
auditor is not required to assess control risk at less than the maximum 
for all relevant assertions and, for a variety of reasons, the auditor 
may choose not to do so.
---------------------------------------------------------------------------

    \98\ Reliance on controls that is supported by sufficient and 
appropriate audit evidence allows the auditor to assess control risk 
at less than the maximum, which results in a lower assessed risk of 
material misstatement. In turn, this allows the auditor to modify 
the nature, timing, and extent of planned substantive procedures.
    \99\ Terms defined in Appendix A, Definitions, are set in 
boldface type the first time they appear.
---------------------------------------------------------------------------

    17. Also, tests of controls must be performed in the audit of 
financial statements for each relevant assertion for which substantive 
procedures alone cannot provide sufficient appropriate audit evidence 
and when necessary to support the auditor's reliance on the accuracy 
and completeness of financial information used in performing other 
audit procedures.\100\
---------------------------------------------------------------------------

    \100\ Paragraph 10 of Auditing Standard No. 15, Audit Evidence, 
and paragraph .16 of AU sec. 329, Substantive Analytical Procedures.
---------------------------------------------------------------------------

    Note: When a significant amount of information supporting one or 
more relevant assertions is electronically initiated, recorded, 
processed, or reported, it might be impossible to design effective 
substantive tests that, by themselves, would provide sufficient 
appropriate evidence regarding the assertions. For such assertions, 
significant audit evidence may be available only in electronic form. In 
such cases, the sufficiency and appropriateness of the audit evidence 
usually depend on the effectiveness of controls over their accuracy and 
completeness. Furthermore, the potential for improper initiation or 
alteration of information to occur and not be detected may be greater 
if information is initiated, recorded, processed, or reported only in 
electronic form and appropriate controls are not operating effectively.
    18. Evidence about the Effectiveness of Controls in the Audit of 
Financial Statements. In designing and performing tests of controls for 
the audit of financial statements, the evidence necessary to support 
the auditor's control risk assessment depends on the degree of reliance 
the auditor plans to place on the effectiveness of a control. The 
auditor should obtain more persuasive audit evidence from tests of 
controls the greater the reliance the auditor places on the 
effectiveness of a control. The auditor also should obtain more 
persuasive evidence about the effectiveness of controls for each 
relevant assertion for which the audit approach consists primarily of 
tests of controls, including situations in which substantive procedures 
alone cannot provide sufficient appropriate audit evidence.
Testing Design Effectiveness
    19. The auditor should test the design effectiveness of the 
controls selected for testing by determining whether the company's 
controls, if they are operated as prescribed by persons possessing the 
necessary authority and competence to perform the control effectively, 
satisfy the company's control objectives and can effectively prevent or 
detect error or fraud that could result in material misstatements in 
the financial statements.
    Note: A smaller, less complex company might achieve its control 
objectives in a different manner from a larger, more complex 
organization. For example, a smaller, less complex company might have 
fewer employees in the accounting function, limiting opportunities to 
segregate duties and leading the company to implement alternative 
controls to achieve its control objectives. In such circumstances, the 
auditor should evaluate whether those alternative controls are 
effective.
    20. Procedures the auditor performs to test design effectiveness 
include a mix of inquiry of appropriate personnel, observation of the 
company's operations, and inspection of relevant documentation. 
Walkthroughs that include these procedures ordinarily are sufficient to 
evaluate design effectiveness.\101\
---------------------------------------------------------------------------

    \101\ Paragraphs 37-38 of Auditing Standard No. 12 discuss 
performing a walkthrough.
---------------------------------------------------------------------------

Testing Operating Effectiveness
    21. The auditor should test the operating effectiveness of a 
control selected for testing by determining whether the control is 
operating as designed and whether the person performing the control 
possesses the necessary authority and competence to perform the control 
effectively.
    22. Procedures the auditor performs to test operating effectiveness 
include a

[[Page 59348]]

mix of inquiry of appropriate personnel, observation of the company's 
operations, inspection of relevant documentation, and re-performance of 
the control.
Obtaining Evidence From Tests of Controls
    23. The evidence provided by the auditor's tests of the 
effectiveness of controls depends upon the mix of the nature, timing, 
and extent of the auditor's procedures. Further, for an individual 
control, different combinations of the nature, timing, and extent of 
testing might provide sufficient evidence in relation to the degree of 
reliance in an audit of financial statements.
    Note: To obtain evidence about whether a control is effective, the 
control must be tested directly; the effectiveness of a control cannot 
be inferred from the absence of misstatements detected by substantive 
procedures.
Nature of Tests of Controls
    24. Some types of tests, by their nature, produce greater evidence 
of the effectiveness of controls than other tests. The following tests 
that the auditor might perform are presented in the order of the 
evidence that they ordinarily would produce, from least to most: 
inquiry, observation, inspection of relevant documentation, and re-
performance of a control.
    Note: Inquiry alone does not provide sufficient evidence to support 
a conclusion about the effectiveness of a control.
    25. The nature of the tests of controls that will provide 
appropriate evidence depends, to a large degree, on the nature of the 
control to be tested, including whether the operation of the control 
results in documentary evidence of its operation. Documentary evidence 
of the operation of some controls, such as management's philosophy and 
operating style, might not exist.
    Note: A smaller, less complex company or unit might have less 
formal documentation regarding the operation of its controls. In those 
situations, testing controls through inquiry combined with other 
procedures, such as observation of activities, inspection of less 
formal documentation, or re-performance of certain controls, might 
provide sufficient evidence about whether the control is effective.
Extent of Tests of Controls
    26. The more extensively a control is tested, the greater the 
evidence obtained from that test.
    27. Matters that could affect the necessary extent of testing of a 
control in relation to the degree of reliance on a control include the 
following:
     The frequency of the performance of the control by the 
company during the audit period;
     The length of time during the audit period that the 
auditor is relying on the operating effectiveness of the control;
     The expected rate of deviation from a control;
     The relevance and reliability of the audit evidence to be 
obtained regarding the operating effectiveness of the control;
     The extent to which audit evidence is obtained from tests 
of other controls related to the assertion;
     The nature of the control, including, in particular, 
whether it is a manual control or an automated control; and
     For an automated control, the effectiveness of relevant 
information technology general controls.
    Note: AU sec. 350, Audit Sampling, establishes requirements 
regarding the use of sampling in tests of controls.
Timing of Tests of Controls
    28. The timing of tests of controls relates to when the evidence 
about the operating effectiveness of the controls is obtained and the 
period of time to which it applies. Paragraph 16 of this standard 
indicates that the auditor must obtain evidence that the controls 
selected for testing are designed effectively and operated effectively 
during the entire period of reliance.
    29. Using Audit Evidence Obtained during an Interim Period. When 
the auditor obtains evidence about the operating effectiveness of 
controls as of or through an interim date, he or she should determine 
what additional evidence is necessary concerning the operation of the 
controls for the remaining period of reliance.
    30. The additional evidence that is necessary to update the results 
of testing from an interim date through the remaining period of 
reliance depends on the following factors:
     The possibility that there have been any significant 
changes in internal control over financial reporting subsequent to the 
interim date;
    Note: If there have been significant changes to the control since 
the interim date, the auditor should obtain evidence about the 
effectiveness of the new or modified control;
     The inherent risk associated with the related account(s) 
or assertion(s);
     The specific control tested prior to year end, including 
the nature of the control and the risk that the control is no longer 
effective during the remaining period, and the results of the tests of 
the control;
     The planned degree of reliance on the control;
     The sufficiency of the evidence of effectiveness obtained 
at an interim date; and
     The length of the remaining period.
    31. Using Audit Evidence Obtained in Past Audits. For audits of 
financial statements, the auditor should obtain evidence during the 
current year audit about the design and operating effectiveness of 
controls upon which the auditor relies. When controls on which the 
auditor plans to rely have been tested in past audits and the auditor 
plans to use evidence about the effectiveness of those controls that 
was obtained in prior years, the auditor should take into account the 
following factors to determine the evidence needed during the current 
year audit to support the auditor's control risk assessments:
     The nature and materiality of misstatements that the 
control is intended to prevent or detect;
     The inherent risk associated with the related account(s) 
or assertion(s);
     Whether there have been changes in the volume or nature of 
transactions that might adversely affect control design or operating 
effectiveness;
     Whether the account has a history of errors;
     The effectiveness of entity-level controls that the 
auditor has tested, especially controls that monitor other controls;
     The nature of the controls and the frequency with which 
they operate;
     The degree to which the control relies on the 
effectiveness of other controls (e.g., the control environment or 
information technology general controls);
     The competence of the personnel who perform the control or 
monitor its performance and whether there have been changes in key 
personnel who perform the control or monitor its performance;
     Whether the control relies on performance by an individual 
or is automated (i.e., an automated control would generally be expected 
to be lower risk if relevant information technology general controls 
are effective); \102\
---------------------------------------------------------------------------

    \102\ The auditor also may use a benchmarking strategy, when 
appropriate, for automated application controls in subsequent years' 
audits. Benchmarking is described further beginning at paragraph B28 
of Auditing Standard No. 5.
---------------------------------------------------------------------------

     The complexity of the control and the significance of the 
judgments that must be made in connection with its operation;

[[Page 59349]]

     The planned degree of reliance on the control;
     The nature, timing, and extent of procedures performed in 
past audits;
     The results of the previous years' testing of the control;
     Whether there have been changes in the control or the 
process in which it operates since the previous audit; and
     For integrated audits, the evidence regarding the 
effectiveness of the controls obtained during the audit of internal 
control.
Assessing Control Risk
    32. The auditor should assess control risk for relevant assertions 
by evaluating the evidence obtained from all sources, including the 
auditor's testing of controls for the audit of internal control and the 
audit of financial statements, misstatements detected during the 
financial statement audit, and any identified control deficiencies.
    33. Control risk should be assessed at the maximum level for 
relevant assertions (1) for which controls necessary to sufficiently 
address the assessed risk of material misstatement in those assertions 
are missing or ineffective or (2) when the auditor has not obtained 
sufficient appropriate evidence to support a control risk assessment 
below the maximum level.
    34. When deficiencies affecting the controls on which the auditor 
intends to rely are detected, the auditor should evaluate the severity 
of the deficiencies and the effect on the auditor's control risk 
assessments. If the auditor plans to rely on controls relating to an 
assertion but the controls that the auditor tests are ineffective 
because of control deficiencies, the auditor should:
    a. Perform tests of other controls related to the same assertion as 
the ineffective controls, or
    b. Revise the control risk assessment and modify the planned 
substantive procedures as necessary in light of the increased 
assessment of risk.
    Note: Auditing Standard No. 5 establishes requirements for 
evaluating the severity of a control deficiency and communicating 
identified control deficiencies to management and the audit committee 
in an integrated audit. AU sec. 325, Communications About Control 
Deficiencies in an Audit of Financial Statements, establishes 
requirements for communicating significant deficiencies and material 
weaknesses in an audit of financial statements only.
Testing Controls in an Audit of Internal Control
    35. Auditing Standard No. 5 states that the objective of the tests 
of controls in an audit of internal control is to obtain evidence about 
the effectiveness of controls to support the auditor's opinion on the 
company's internal control over financial reporting. The auditor's 
opinion relates to the effectiveness of the company's internal control 
over financial reporting as of a point in time and taken as a 
whole.\103\ Auditing Standard No. 5 establishes requirements regarding 
the selection of controls to be tested and the necessary nature, 
timing, and extent of tests of controls in an audit of internal control 
over financial reporting.
---------------------------------------------------------------------------

    \103\ Paragraph B1 of Auditing Standard No. 5.
---------------------------------------------------------------------------

Substantive Procedures

    36. The auditor should perform substantive procedures for each 
relevant assertion of each significant account and disclosure, 
regardless of the assessed level of control risk.
    37. As the assessed risk of material misstatement increases, the 
evidence from substantive procedures that the auditor should obtain 
also increases. The evidence provided by the auditor's substantive 
procedures depends upon the mix of the nature, timing, and extent of 
those procedures. Further, for an individual assertion, different 
combinations of the nature, timing, and extent of testing might provide 
sufficient appropriate evidence to respond to the assessed risk of 
material misstatement.
    38. Internal control over financial reporting has inherent 
limitations,\104\ which, in turn, can affect the evidence that is 
needed from substantive procedures. For example, more evidence from 
substantive procedures ordinarily is needed for relevant assertions 
that have a higher susceptibility to management override or to lapses 
in judgment or breakdowns resulting from human failures.\105\
---------------------------------------------------------------------------

    \104\ Paragraph A5 of Auditing Standard No. 5.
    \105\ See, e.g., paragraph .14 of AU sec. 328, Auditing Fair 
Value Measurements and Disclosures.
---------------------------------------------------------------------------

Nature of Substantive Procedures
    39. Substantive procedures generally provide persuasive evidence 
when they are designed and performed to obtain evidence that is 
relevant and reliable. Also, some types of substantive procedures, by 
their nature, produce more persuasive evidence than others. Inquiry 
alone does not provide sufficient appropriate evidence to support a 
conclusion about a relevant assertion.
    Note: Auditing Standard No. 15 discusses certain types of 
substantive procedures and the relevance and reliability of audit 
evidence.
    40. Taking into account the types of potential misstatements in the 
relevant assertions that could result from identified risks, as 
required by paragraph 9.b., can help the auditor determine the types 
and combination of substantive audit procedures that are necessary to 
detect material misstatements in the respective assertions.
    41. Substantive Procedures Related to the Period-end Financial 
Reporting Process. The auditor's substantive procedures must include 
the following audit procedures related to the period-end financial 
reporting process:
    a. Reconciling the financial statements with the underlying 
accounting records; and
    b. Examining material adjustments made during the course of 
preparing the financial statements.
    Note: AU secs. 316.58-.62 establish requirements for examining 
journal entries and other adjustments for evidence of possible material 
misstatement due to fraud.
Extent of Substantive Procedures
    42. The more extensively a substantive procedure is performed, the 
greater the evidence obtained from the procedure. The necessary extent 
of a substantive audit procedure depends on the materiality of the 
account or disclosure, the assessed risk of material misstatement, and 
the necessary degree of assurance from the procedure. However, 
increasing the extent of an audit procedure cannot adequately address 
an assessed risk of material misstatement unless the evidence to be 
obtained from the procedure is reliable and relevant.
Timing of Substantive Procedures
    43. Performing certain substantive procedures at interim dates may 
permit early consideration of matters affecting the year-end financial 
statements, e.g., testing material transactions involving higher risks 
of misstatement. However, performing substantive procedures at an 
interim date without performing procedures at a later date increases 
the risk that a material misstatement could exist in the year-end 
financial statements that would not be detected by the auditor. This 
risk increases as the period between the interim date and year end 
increases.
    44. In determining whether it is appropriate to perform substantive 
procedures at an interim date, the auditor should take into account the 
following:
    a. The assessed risk of material misstatement, including:

[[Page 59350]]

    (1) The auditor's assessment of control risk, as discussed in 
paragraphs 32-34;
    (2) The existence of conditions or circumstances, if any, that 
create incentives or pressures on management to misstate the financial 
statements between the interim test date and the end of the period 
covered by the financial statements;
    (3) The effects of known or expected changes in the company, its 
environment, or its internal control over financial reporting during 
the remaining period;
    b. The nature of the substantive procedures;
    c. The nature of the account or disclosure and relevant assertion; 
and
    d. The ability of the auditor to perform the necessary audit 
procedures to cover the remaining period.
    45. When substantive procedures are performed at an interim date, 
the auditor should cover the remaining period by performing substantive 
procedures, or substantive procedures combined with tests of controls, 
that provide a reasonable basis for extending the audit conclusions 
from the interim date to the period end. Such procedures should include 
(a) comparing relevant information about the account balance at the 
interim date with comparable information at the end of the period to 
identify amounts that appear unusual and investigating such amounts and 
(b) performing audit procedures to test the remaining period.
    46. If the auditor obtains evidence that contradicts the evidence 
on which the original risk assessments were based, including evidence 
of misstatements that he or she did not expect, the auditor should 
revise the related risk assessments and modify the planned nature, 
timing, or extent of substantive procedures covering the remaining 
period as necessary. Examples of such modifications include extending 
or repeating at the period end the procedures performed at the interim 
date.
Dual-Purpose Tests
    47. In some situations, the auditor might perform a substantive 
test of a transaction concurrently with a test of a control relevant to 
that transaction (a ``dual-purpose test''). In those situations, the 
auditor should design the dual-purpose test to achieve the objectives 
of both the test of the control and the substantive test. Also, when 
performing a dual-purpose test, the auditor should evaluate the results 
of the test in forming conclusions about both the assertion and the 
effectiveness of the control being tested.\106\
---------------------------------------------------------------------------

    \106\ Paragraph .44 of AU sec. 350 discusses applying audit 
sampling in dual-purpose tests.
---------------------------------------------------------------------------

APPENDIX A--Definitions

A1. For purposes of this standard, the terms listed below are defined 
as follows:
A2. Dual-purpose test--Substantive test of a transaction and a test of 
a control relevant to that transaction that are performed concurrently, 
e.g., a substantive test of sales transactions performed concurrently 
with a test of controls over those transactions.
A3. Period of reliance--The period being covered by the company's 
financial statements, or the portion of that period, for which the 
auditor plans to rely on controls in order to modify the nature, 
timing, and extent of planned substantive procedures.

Auditing Standard No. 14

Evaluating Audit Results

Introduction

    1. This standard establishes requirements regarding the auditor's 
evaluation of audit results and determination of whether he or she has 
obtained sufficient appropriate audit evidence.

Objective

    2. The objective of the auditor is to evaluate the results of the 
audit to determine whether the audit evidence obtained is sufficient 
and appropriate to support the opinion to be expressed in the auditor's 
report.

Evaluating the Results of the Audit of Financial Statements

    3. In forming an opinion on whether the financial statements are 
presented fairly, in all material respects, in conformity with the 
applicable financial reporting framework, the auditor should take into 
account all relevant audit evidence, regardless of whether it appears 
to corroborate or to contradict the assertions in the financial 
statements.
    4. In the audit of financial statements,\107\ the auditor's 
evaluation of audit results should include evaluation of the following:
---------------------------------------------------------------------------

    \107\ For purposes of this standard, the term ``audit of 
financial statements'' refers to the financial statement portion of 
the integrated audit and to the audit of financial statements only.
---------------------------------------------------------------------------

    a. The results of analytical procedures performed in the overall 
review of the financial statements (``overall review'');
    b. Misstatements accumulated during the audit, including, in 
particular, uncorrected misstatements; \108\
---------------------------------------------------------------------------

    \108\ Terms defined in Appendix A, Definitions, are set in 
boldface type the first time they appear.
---------------------------------------------------------------------------

    c. The qualitative aspects of the company's accounting practices;
    d. Conditions identified during the audit that relate to the 
assessment of the risk of material misstatement due to fraud (``fraud 
risk'');
    e. The presentation of the financial statements, including the 
disclosures; and
    f. The sufficiency and appropriateness of the audit evidence 
obtained.
Performing Analytical Procedures in the Overall Review
    5. In the overall review, the auditor should read the financial 
statements and disclosures and perform analytical procedures to (a) 
evaluate the auditor's conclusions formed regarding significant 
accounts and disclosures and (b) assist in forming an opinion on 
whether the financial statements as a whole are free of material 
misstatement.
    6. As part of the overall review, the auditor should evaluate 
whether:
    a. The evidence gathered in response to unusual or unexpected 
transactions, events, amounts, or relationships previously identified 
during the audit is sufficient; and
    b. Unusual or unexpected transactions, events, amounts, or 
relationships \109\ indicate risks of material misstatement that were 
not identified previously, including, in particular, fraud risks.
---------------------------------------------------------------------------

    \109\ Paragraphs 46-48 of Auditing Standard No. 12, Identifying 
and Assessing Risks of Material Misstatement and paragraph .03 of AU 
sec. 329, Substantive Analytical Procedures.
---------------------------------------------------------------------------

    Note: If the auditor discovers a previously unidentified risk of 
material misstatement or concludes that the evidence gathered is not 
adequate, he or she should modify his or her audit procedures or 
perform additional procedures as necessary in accordance with paragraph 
36 of this standard.
    7. The nature and extent of the analytical procedures performed 
during the overall review may be similar to the analytical procedures 
performed as risk assessment procedures. The auditor should perform 
analytical procedures relating to revenue through the end of the 
reporting period.\110\
---------------------------------------------------------------------------

    \110\ Paragraph 47 of Auditing Standard No. 12 contains a 
requirement to perform analytical procedures relating to revenue as 
part of the risk assessment procedures.
---------------------------------------------------------------------------

    8. The auditor should obtain corroboration for management's 
explanations regarding significant unusual or unexpected transactions,

[[Page 59351]]

events, amounts, or relationships. If management's responses to the 
auditor's inquiries appear to be implausible, inconsistent with other 
audit evidence, imprecise, or not at a sufficient level of detail to be 
useful, the auditor should perform procedures to address the matter.
    9. Evaluating Whether Analytical Procedures Indicate a Previously 
Unrecognized Fraud Risk. Whether an unusual or unexpected transaction, 
event, amount, or relationship indicates a fraud risk, as discussed in 
paragraph 6.b., depends on the relevant facts and circumstances, 
including the nature of the account or relationship among the data used 
in the analytical procedures. For example, certain unusual or 
unexpected transactions, events, amounts, or relationships could 
indicate a fraud risk if a component of the relationship involves 
accounts and disclosures that management has incentives or pressures to 
manipulate, e.g., significant unusual or unexpected relationships 
involving revenue and income.
Accumulating and Evaluating Identified Misstatements
    10. Accumulating Identified Misstatements. The auditor should 
accumulate misstatements identified during the audit, other than those 
that are clearly trivial.
    Note: ``Clearly trivial'' is not another expression for ``not 
material.'' Matters that are clearly trivial will be of a smaller order 
of magnitude than the materiality level established in accordance with 
Auditing Standard No. 11, Consideration of Materiality in Planning and 
Performing an Audit, and will be inconsequential, whether taken 
individually or in aggregate and whether judged by any criteria of 
size, nature, or circumstances. When there is any uncertainty about 
whether one or more items is clearly trivial, the matter is not 
considered trivial.
    11. The auditor may designate an amount below which misstatements 
are clearly trivial and do not need to be accumulated. In such cases, 
the amount should be set so that any misstatements below that amount 
would not be material to the financial statements, individually or in 
combination with other misstatements, considering the possibility of 
undetected misstatement.
    12. The auditor's accumulation of misstatements should include the 
auditor's best estimate of the total misstatement in the accounts and 
disclosures that he or she has tested, not just the amount of 
misstatements specifically identified. This includes misstatements 
related to accounting estimates, as determined in accordance with 
paragraph 13 of this standard, and projected misstatements from 
substantive procedures that involve audit sampling, as determined in 
accordance with AU sec. 350, Audit Sampling.\111\
---------------------------------------------------------------------------

    \111\ AU sec. 350.26.
---------------------------------------------------------------------------

    13. Misstatements Relating to Accounting Estimates. If the auditor 
concludes that the amount of an accounting estimate included in the 
financial statements is unreasonable or was not determined in 
conformity with the relevant requirements of the applicable financial 
reporting framework, he or she should treat the difference between that 
estimate and a reasonable estimate determined in conformity with the 
applicable accounting principles as a misstatement. If a range of 
reasonable estimates is supported by sufficient appropriate audit 
evidence and the recorded estimate is outside of the range of 
reasonable estimates, the auditor should treat the difference between 
the recorded accounting estimate and the closest reasonable estimate as 
a misstatement.
    Note: If an accounting estimate is determined in conformity with 
the relevant requirements of the applicable financial reporting 
framework and the amount of the estimate is reasonable, a difference 
between an estimated amount best supported by the audit evidence and 
the recorded amount of the accounting estimate ordinarily would not be 
considered to be a misstatement. Paragraph 27 discusses evaluating 
accounting estimates for bias.
    14. Considerations as the Audit Progresses. The auditor should 
determine whether the overall audit strategy and audit plan need to be 
modified if:
    a. The nature of accumulated misstatements and the circumstances of 
their occurrence indicate that other misstatements might exist that, in 
combination with accumulated misstatements, could be material; or
    b. The aggregate of misstatements accumulated during the audit 
approaches the materiality level or levels used in planning and 
performing the audit.\112\
---------------------------------------------------------------------------

    \112\ Auditing Standard No. 11.
---------------------------------------------------------------------------

    Note: When the aggregate of accumulated misstatements approaches 
the materiality level or levels used in planning and performing the 
audit, there likely will be greater than an appropriately low level of 
risk that possible undetected misstatements, when combined with the 
aggregate of misstatements accumulated during the audit that remain 
uncorrected, could be material to the financial statements. If the 
auditor's assessment of this risk is unacceptably high, he or she 
should perform additional audit procedures or determine that management 
has adjusted the financial statements so that the risk that the 
financial statements are materially misstated has been reduced to an 
appropriately low level.
    15. The auditor should communicate accumulated misstatements to 
management on a timely basis to provide management with an opportunity 
to correct them.
    16. If management has examined an account or a disclosure in 
response to misstatements detected by the auditor and has made 
corrections to the account or disclosure, the auditor should evaluate 
management's work to determine whether the corrections have been 
recorded properly and whether uncorrected misstatements remain.
    17. Evaluation of the Effect of Uncorrected Misstatements. The 
auditor should evaluate whether uncorrected misstatements are material, 
individually or in combination with other misstatements. In making this 
evaluation, the auditor should evaluate the misstatements in relation 
to the specific accounts and disclosures involved and to the financial 
statements as a whole, taking into account relevant quantitative and 
qualitative factors.\113\ (See Appendix B.)
---------------------------------------------------------------------------

    \113\ If the financial statements contain material 
misstatements, AU sec. 508, Reports on Audited Financial Statements, 
indicates that the auditor should issue a qualified or an adverse 
opinion on the financial statements. AU sec. 508.35 discusses 
situations in which the financial statements are materially affected 
by a departure from the applicable financial reporting framework.
---------------------------------------------------------------------------

    Note: In interpreting the federal securities laws, the Supreme 
Court of the United States has held that a fact is material if there is 
``a substantial likelihood that the * * * fact would have been viewed 
by the reasonable investor as having significantly altered the `total 
mix' of information made available.'' \114\ As the Supreme Court has 
noted, determinations of materiality require ``delicate assessments of 
the inferences a `reasonable shareholder' would draw from a given set 
of facts and the significance of those inferences to him * * *.'' \115\
---------------------------------------------------------------------------

    \114\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449 
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
    \115\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------

    Note: As a result of the interaction of quantitative and 
qualitative considerations in materiality judgments, uncorrected 
misstatements of relatively small amounts could have a material effect 
on the financial statements. For

[[Page 59352]]

example, an illegal payment of an otherwise immaterial amount could be 
material if there is a reasonable possibility \116\ that it could lead 
to a material contingent liability or a material loss of revenue.\117\ 
Also, a misstatement made intentionally could be material for 
qualitative reasons, even if relatively small in amount.
---------------------------------------------------------------------------

    \116\ There is a reasonable possibility of an event, as used in 
this standard, when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in 
the FASB Accounting Standards Codification, Contingencies Topic, 
paragraph 450-20-25-1.
    \117\ AU sec. 317, Illegal Acts by Clients.
---------------------------------------------------------------------------

    Note: If the reevaluation of the established materiality level or 
levels, as set forth in Auditing Standard No. 11,\118\ results in a 
lower amount for the materiality level or levels, the auditor should 
take into account that lower materiality level or levels in the 
evaluation of uncorrected misstatements.
---------------------------------------------------------------------------

    \118\ Paragraphs 11-12 of Auditing Standard No. 11.
---------------------------------------------------------------------------

    18. The auditor's evaluation of uncorrected misstatements, as 
described in paragraph 17 of this standard, should include evaluation 
of the effects of uncorrected misstatements detected in prior years and 
misstatements detected in the current year that relate to prior years.
    19. The auditor cannot assume that an instance of error or fraud is 
an isolated occurrence. Therefore, the auditor should evaluate the 
nature and effects of the individual misstatements accumulated during 
the audit on the assessed risks of material misstatement. This 
evaluation is important in determining whether the risk assessments 
remain appropriate, as discussed in paragraph 36 of this standard.
    20. Evaluating Whether Misstatements Might Be Indicative of Fraud. 
The auditor should evaluate whether identified misstatements \119\ 
might be indicative of fraud and, in turn, how they affect the 
auditor's evaluation of materiality and the related audit responses. As 
indicated in AU sec. 316, Consideration of Fraud in a Financial 
Statement Audit, fraud is an intentional act that results in material 
misstatement of the financial statements.\120\
---------------------------------------------------------------------------

    \119\ Misstatements include omission and presentation of 
inaccurate or incomplete disclosures.
    \120\ AU sec. 316.05.
---------------------------------------------------------------------------

    21. If the auditor believes that a misstatement is or might be 
intentional, and if the effect on the financial statements could be 
material or cannot be readily determined, the auditor should perform 
procedures to obtain additional audit evidence to determine whether 
fraud has occurred or is likely to have occurred and, if so, its effect 
on the financial statements and the auditor's report thereon.
    22. For misstatements that the auditor believes are or might be 
intentional, the auditor should evaluate the implications on the 
integrity of management or employees and the possible effect on other 
aspects of the audit. If the misstatement involves higher-level 
management, it might be indicative of a more pervasive problem, such as 
an issue with the integrity of management, even if the amount of the 
misstatement is small. In such circumstances, the auditor should 
reevaluate the assessment of fraud risk and the effect of that 
assessment on (a) the nature, timing, and extent of the necessary tests 
of accounts or disclosures and (b) the assessment of the effectiveness 
of controls. The auditor also should evaluate whether the circumstances 
or conditions indicate possible collusion involving employees, 
management, or external parties and, if so, the effect of the collusion 
on the reliability of evidence obtained.
    23. If the auditor becomes aware of information indicating that 
fraud or another illegal act has occurred or might have occurred, he or 
she also must determine his or her responsibilities under AU secs. 
316.79-.82A, AU sec. 317, and Section 10A of the Securities Exchange 
Act of 1934, 15 U.S.C. Sec.  78j-1.
Evaluating the Qualitative Aspects of the Company's Accounting 
Practices
    24. When evaluating whether the financial statements as a whole are 
free of material misstatement, the auditor should evaluate the 
qualitative aspects of the company's accounting practices, including 
potential bias in management's judgments about the amounts and 
disclosures in the financial statements.
    25. The following are examples of forms of management bias:
    a. The selective correction of misstatements brought to 
management's attention during the audit (e.g., correcting misstatements 
that have the effect of increasing reported earnings but not correcting 
misstatements that have the effect of decreasing reported earnings).
    Note: To evaluate the potential effect of selective correction of 
misstatements, the auditor should obtain an understanding of the 
reasons that management decided not to correct misstatements 
communicated by the auditor in accordance with paragraph 15.
    b. The identification by management of additional adjusting entries 
that offset misstatements accumulated by the auditor. If such adjusting 
entries are identified, the auditor should perform procedures to 
determine why the underlying misstatements were not identified 
previously and evaluate the implications on the integrity of management 
and the auditor's risk assessments, including fraud risk assessments. 
The auditor also should perform additional procedures as necessary to 
address the risk of further undetected misstatement.
    c. Bias in the selection and application of accounting 
principles.\121\
---------------------------------------------------------------------------

    \121\ Paragraph 5.d. of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.
---------------------------------------------------------------------------

    d. Bias in accounting estimates.\122\
---------------------------------------------------------------------------

    \122\ Paragraph 27 of this standard.
---------------------------------------------------------------------------

    26. If the auditor identifies bias in management's judgments about 
the amounts and disclosures in the financial statements, the auditor 
should evaluate whether the effect of that bias, together with the 
effect of uncorrected misstatements, results in material misstatement 
of the financial statements. Also, the auditor should evaluate whether 
the auditor's risk assessments, including, in particular, the 
assessment of fraud risks, and the related audit responses remain 
appropriate.
    27. Evaluating Bias in Accounting Estimates. The auditor should 
evaluate whether the difference between estimates best supported by the 
audit evidence and estimates included in the financial statements, 
which are individually reasonable, indicate a possible bias on the part 
of the company's management. If each accounting estimate included in 
the financial statements was individually reasonable but the effect of 
the difference between each estimate and the estimate best supported by 
the audit evidence was to increase earnings or loss, the auditor should 
evaluate whether these circumstances indicate potential management bias 
in the estimates. Bias also can result from the cumulative effect of 
changes in multiple accounting estimates. If the estimates in the 
financial statements are grouped at one end of the range of reasonable 
estimates in the prior year and are grouped at the other end of the 
range of reasonable estimates in the current year, the auditor should 
evaluate whether management is using swings in estimates to achieve an 
expected or desired outcome, e.g., to offset higher or lower than 
expected earnings.

[[Page 59353]]

    Note: AU secs. 316.64-.65 establish requirements regarding 
performing a retrospective review of accounting estimates and 
evaluating the potential for fraud risks.
Evaluating Conditions Relating to the Assessment of Fraud Risks
    28. When evaluating the results of the audit, the auditor should 
evaluate whether the accumulated results of auditing procedures \123\ 
and other observations affect the assessment of the fraud risks made 
throughout the audit and whether the audit procedures need to be 
modified to respond to those risks. (See Appendix C.)
---------------------------------------------------------------------------

    \123\ Such auditing procedures include, but are not limited to, 
procedures in the overall review (paragraph 9 of this standard), the 
evaluation of identified misstatements (paragraphs 20-23 of this 
standard), and the evaluation of the qualitative aspects of the 
company's accounting practices (paragraphs 24-27 of this standard).
---------------------------------------------------------------------------

    29. As part of this evaluation, the engagement partner should 
determine whether there has been appropriate communication with the 
other engagement team members throughout the audit regarding 
information or conditions that are indicative of fraud risks.
    Note: To accomplish this communication, the engagement partner 
might arrange another discussion among the engagement team members 
about fraud risks. (See paragraphs 49-51 of Auditing Standard No. 12.)
Evaluating the Presentation of the Financial Statements, Including the 
Disclosures
    30. The auditor must evaluate whether the financial statements are 
presented fairly, in all material respects, in conformity with the 
applicable financial reporting framework.
    Note: AU sec. 411, The Meaning of Present Fairly in Conformity With 
Generally Accepted Accounting Principles, establishes requirements for 
evaluating the presentation of the financial statements. Auditing 
Standard No. 6, Evaluating Consistency of Financial Statements, 
establishes requirements regarding evaluating the consistency of the 
accounting principles used in financial statements.
    Note: The auditor should look to the requirements of the Securities 
and Exchange Commission for the company under audit with respect to the 
accounting principles applicable to that company.
    31. As part of the evaluation of the presentation of the financial 
statements, the auditor should evaluate whether the financial 
statements contain the information essential for a fair presentation of 
the financial statements in conformity with the applicable financial 
reporting framework. Evaluation of the information disclosed in the 
financial statements includes consideration of the form, arrangement, 
and content of the financial statements (including the accompanying 
notes), encompassing matters such as the terminology used, the amount 
of detail given, the classification of items in the statements, and the 
bases of amounts set forth.
    Note: According to AU sec. 508, if the financial statements, 
including the accompanying notes, fail to disclose information that is 
required by the applicable financial reporting framework, the auditor 
should express a qualified or adverse opinion and should provide the 
information in the report, if practicable, unless its omission from the 
report is recognized as appropriate by a specific auditing 
standard.\124\
---------------------------------------------------------------------------

    \124\ AU secs. 508.41-.44.
---------------------------------------------------------------------------

Evaluating the Sufficiency and Appropriateness of Audit Evidence
    32. Auditing Standard No. 8, Audit Risk, states:
    To form an appropriate basis for expressing an opinion on the 
financial statements, the auditor must plan and perform the audit to 
obtain reasonable assurance about whether the financial statements are 
free of material misstatement due to error or fraud. Reasonable 
assurance is obtained by reducing audit risk to an appropriately low 
level through applying due professional care, including obtaining 
sufficient appropriate audit evidence.\125\
---------------------------------------------------------------------------

    \125\ Paragraph 3 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    33. As part of evaluating audit results, the auditor must conclude 
on whether sufficient appropriate audit evidence has been obtained to 
support his or her opinion on the financial statements.
    34. Factors that are relevant to the conclusion on whether 
sufficient appropriate audit evidence has been obtained include the 
following:
    a. The significance of uncorrected misstatements and the likelihood 
of their having a material effect, individually or in combination, on 
the financial statements, considering the possibility of further 
undetected misstatement (paragraphs 14 and 17-19 of this standard).
    b. The results of audit procedures performed in the audit of 
financial statements, including whether the evidence obtained supports 
or contradicts management's assertions and whether such audit 
procedures identified specific instances of fraud (paragraphs 20-23 and 
28-29 of this standard).
    c. The auditor's risk assessments (paragraph 36 of this standard).
    d. The results of audit procedures performed in the audit of 
internal control over financial reporting, if the audit is an 
integrated audit.
    e. The appropriateness (i.e., the relevance and reliability) of the 
audit evidence obtained.\126\
---------------------------------------------------------------------------

    \126\ Paragraphs 7-9 of Auditing Standard No. 15, Audit 
Evidence, discuss the relevance and reliability of audit evidence.
---------------------------------------------------------------------------

    35. If the auditor has not obtained sufficient appropriate audit 
evidence about a relevant assertion or has substantial doubt about a 
relevant assertion, the auditor should perform procedures to obtain 
further audit evidence to address the matter. If the auditor is unable 
to obtain sufficient appropriate audit evidence to have a reasonable 
basis to conclude about whether the financial statements as a whole are 
free of material misstatement, AU sec. 508 indicates that the auditor 
should express a qualified opinion or a disclaimer of opinion.\127\
---------------------------------------------------------------------------

    \127\ AU sec. 508.22-.34 contains requirements regarding audit 
scope limitations.
---------------------------------------------------------------------------

    36. Evaluating the Appropriateness of Risk Assessments. As part of 
the evaluation of whether sufficient appropriate audit evidence has 
been obtained, the auditor should evaluate whether the assessments of 
the risks of material misstatement at the assertion level remain 
appropriate and whether the audit procedures need to be modified or 
additional procedures need to be performed as a result of any changes 
in the risk assessments. For example, the re-evaluation of the 
auditor's risk assessments could result in the identification of 
relevant assertions or significant risks that were not identified 
previously and for which the auditor should perform additional audit 
procedures.
    Note: Auditing Standard No. 12 establishes requirements on revising 
the auditor's risk assessment.\128\ Auditing Standard No. 13 discusses 
the auditor's responsibilities regarding the assessment of control risk 
and evaluation of control deficiencies in an audit of financial 
statements.\129\
---------------------------------------------------------------------------

    \128\ Paragraph 74 of Auditing Standard No. 12.
    \129\ Paragraphs 32-34 of Auditing Standard No. 13.
---------------------------------------------------------------------------

Evaluating the Results of the Audit of Internal Control Over Financial 
Reporting

    37. Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements, indicates

[[Page 59354]]

that the auditor should form an opinion on the effectiveness of 
internal control over financial reporting by evaluating evidence 
obtained from all sources, including the auditor's testing of controls, 
misstatements detected during the financial statement audit, and any 
identified control deficiencies. Auditing Standard No. 5 describes the 
auditor's responsibilities regarding evaluating the results of the 
audit, including evaluating the identified control deficiencies.\130\
---------------------------------------------------------------------------

    \130\ Paragraphs 62-70 of Auditing Standard No. 5 discuss 
evaluating identified control deficiencies, and paragraphs 71-73 of 
Auditing Standard No. 5 discuss forming an opinion on the 
effectiveness of internal control over financial reporting.
---------------------------------------------------------------------------

APPENDIX A--Definitions

A1. For purposes of this standard, the terms listed below are defined 
as follows:
A2. Misstatement--A misstatement, if material individually or in 
combination with other misstatements, causes the financial statements 
not to be presented fairly in conformity with the applicable financial 
reporting framework.\131\ A misstatement may relate to a difference 
between the amount, classification, presentation, or disclosure of a 
reported financial statement item and the amount, classification, 
presentation, or disclosure that should be reported in conformity with 
the applicable financial reporting framework. Misstatements can arise 
from error (i.e., unintentional misstatement) or fraud.\132\
---------------------------------------------------------------------------

    \131\ The auditor should look to the requirements of the 
Securities and Exchange Commission for the company under audit with 
respect to the accounting principles applicable to that company.
    \132\ Paragraph .02 of AU sec. 316, Consideration of Fraud in a 
Financial Statement Audit.
---------------------------------------------------------------------------

A3. Uncorrected misstatements--Misstatements, other than those that are 
clearly trivial,\133\ that management has not corrected.
---------------------------------------------------------------------------

    \133\ Paragraph 10 of this standard states that, ``[t]he auditor 
should accumulate misstatements identified during the audit, other 
than those that are clearly trivial.''
---------------------------------------------------------------------------

APPENDIX B--Qualitative Factors Related to the Evaluation of the 
Materiality of Uncorrected Misstatements

B1. Paragraph 17 of this standard states: The auditor should evaluate 
whether uncorrected misstatements are material, individually or in 
combination with other misstatements. In making this evaluation, the 
auditor should evaluate the misstatements in relation to the specific 
accounts and disclosures involved and to the financial statements as a 
whole, taking into account relevant quantitative and qualitative 
factors.\134\
---------------------------------------------------------------------------

    \134\ If the financial statements contain material 
misstatements, AU sec. 508, Reports on Audited Financial Statements, 
indicates that the auditor should issue a qualified or an adverse 
opinion on the financial statements. AU sec. 508.35 discusses 
situations in which the financial statements are materially affected 
by a departure from the applicable financial reporting framework.
---------------------------------------------------------------------------

    Note: In interpreting the federal securities laws, the Supreme 
Court of the United States has held that a fact is material if there is 
``a substantial likelihood that the * * * fact would have been viewed 
by the reasonable investor as having significantly altered the `total 
mix' of information made available.'' \135\ As the Supreme Court has 
noted, determinations of materiality require ``delicate assessments of 
the inferences a `reasonable shareholder' would draw from a given set 
of facts and the significance of those inferences to him * * * '' \136\
---------------------------------------------------------------------------

    \135\ TSC Industries v. Northway, Inc., 426 U.S. 438, 449 
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
    \136\ TSC Industries, 426 U.S. at 450.
---------------------------------------------------------------------------

    Note: As a result of the interaction of quantitative and 
qualitative considerations in materiality judgments, uncorrected 
misstatements of relatively small amounts could have a material effect 
on the financial statements. For example, an illegal payment of an 
otherwise immaterial amount could be material if there is a reasonable 
possibility \137\ that it could lead to a material contingent liability 
or a material loss of revenue.\138\ Also, a misstatement made 
intentionally could be material for qualitative reasons, even if 
relatively small in amount.

    \137\ There is a reasonable possibility of an event, as used in 
this standard, when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in 
the FASB Accounting Standards Codification, Contingencies Topic, 
paragraph 450-20-25-1.
    \138\ AU sec. 317, Illegal Acts by Clients.

B2. Qualitative factors to consider in the auditor's evaluation of the 
materiality of uncorrected misstatements, if relevant, include the 
following:
    a. The potential effect of the misstatement on trends, especially 
trends in profitability.
    b. A misstatement that changes a loss into income or vice versa.
    c. The effect of the misstatement on segment information, for 
example, the significance of the matter to a particular segment 
important to the future profitability of the company, the pervasiveness 
of the matter on the segment information, and the impact of the matter 
on trends in segment information, all in relation to the financial 
statements taken as a whole.
    d. The potential effect of the misstatement on the company's 
compliance with loan covenants, other contractual agreements, and 
regulatory provisions.
    e. The existence of statutory or regulatory reporting requirements 
that affect materiality thresholds.
    f. A misstatement that has the effect of increasing management's 
compensation, for example, by satisfying the requirements for the award 
of bonuses or other forms of incentive compensation.
    g. The sensitivity of the circumstances surrounding the 
misstatement, for example, the implications of misstatements involving 
fraud and possible illegal acts, violations of contractual provisions, 
and conflicts of interest.
    h. The significance of the financial statement element affected by 
the misstatement, for example, a misstatement affecting recurring 
earnings as contrasted to one involving a non-recurring charge or 
credit, such as an extraordinary item.
    i. The effects of misclassifications, for example, 
misclassification between operating and non-operating income or 
recurring and non-recurring income items.
    j. The significance of the misstatement or disclosures relative to 
known user needs, for example:
     The significance of earnings and earnings per share to 
public company investors.
     The magnifying effects of a misstatement on the 
calculation of purchase price in a transfer of interests (buy/sell 
agreement).
     The effect of misstatements of earnings when contrasted 
with expectations.
    k. The definitive character of the misstatement, for example, the 
precision of an error that is objectively determinable as contrasted 
with a misstatement that unavoidably involves a degree of subjectivity 
through estimation, allocation, or uncertainty.
    l. The motivation of management with respect to the misstatement, 
for example, (i) an indication of a possible pattern of bias by 
management when developing and accumulating accounting estimates or 
(ii) a misstatement precipitated by management's continued 
unwillingness to correct weaknesses in the financial reporting process.

[[Page 59355]]

    m. The existence of offsetting effects of individually significant 
but different misstatements.
    n. The likelihood that a misstatement that is currently immaterial 
may have a material effect in future periods because of a cumulative 
effect, for example, that builds over several periods.
    o. The cost of making the correction--it may not be cost-beneficial 
for the client to develop a system to calculate a basis to record the 
effect of an immaterial misstatement. On the other hand, if management 
appears to have developed a system to calculate an amount that 
represents an immaterial misstatement, it may reflect a motivation of 
management as noted in paragraph B2.l above.
    p. The risk that possible additional undetected misstatements would 
affect the auditor's evaluation.

APPENDIX C--Matters That Might Affect the Assessment of Fraud Risks

C1. If the following matters are identified during the audit, the 
auditor should take into account these matters in the evaluation of the 
assessment of fraud risks, as discussed in paragraph 28 of this 
standard:
    a. Discrepancies in the accounting records, including:
    (1) Transactions that are not recorded in a complete or timely 
manner or are improperly recorded as to amount, accounting period, 
classification, or company policy.
    (2) Unsupported or unauthorized balances or transactions.
    (3) Last-minute adjustments that significantly affect financial 
results.
    (4) Evidence of employees' access to systems and records that is 
inconsistent with the access that is necessary to perform their 
authorized duties.
    (5) Tips or complaints to the auditor about alleged fraud.
    b. Conflicting or missing evidence, including:
    (1) Missing documents.
    (2) Documents that appear to have been altered.\139\
---------------------------------------------------------------------------

    \139\ Paragraph 9 of Auditing Standard No. 15, Audit Evidence.
---------------------------------------------------------------------------

    (3) Unavailability of other than photocopied or electronically 
transmitted documents when documents in original form are expected to 
exist.
    (4) Significant unexplained items in reconciliations.
    (5) Inconsistent, vague, or implausible responses from management 
or employees arising from inquiries or analytical procedures.
    (6) Unusual discrepancies between the company's records and 
confirmation responses.
    (7) Missing inventory or physical assets of significant magnitude.
    (8) Unavailable or missing electronic evidence that is inconsistent 
with the company's record retention practices or policies.
    (9) Inability to produce evidence of key systems development and 
program change testing and implementation activities for current year 
system changes and deployments.
    (10) Unusual balance sheet changes or changes in trends or 
important financial statement ratios or relationships, e.g., 
receivables growing faster than revenues.
    (11) Large numbers of credit entries and other adjustments made to 
accounts receivable records.
    (12) Unexplained or inadequately explained differences between the 
accounts receivable subsidiary ledger and the general ledger control 
account, or between the customer statement and the accounts receivable 
subsidiary ledger.
    (13) Missing or nonexistent cancelled checks in circumstances in 
which cancelled checks are ordinarily returned to the company with the 
bank statement.
    (14) Fewer responses to confirmation requests than anticipated or a 
greater number of responses than anticipated.
    c. Problematic or unusual relationships between the auditor and 
management, including:
    (1) Denial of access to records, facilities, certain employees, 
customers, vendors, or others from whom audit evidence might be sought, 
including:\140\
---------------------------------------------------------------------------

    \140\ Denial of access to information might constitute a 
limitation on the scope of the audit that requires the auditor to 
qualify or disclaim an opinion. (See Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements, and AU sec. 508, 
Reports on Audited Financial Statements.)
---------------------------------------------------------------------------

    a. Unwillingness to facilitate auditor access to key electronic 
files for testing through the use of computer-assisted audit 
techniques.
    b. Denial of access to key information technology operations staff 
and facilities, including security, operations, and systems 
development.
    (2) Undue time pressures imposed by management to resolve complex 
or contentious issues.
    (3) Management pressure on engagement team members, particularly in 
connection with the auditor's critical assessment of audit evidence or 
in the resolution of potential disagreements with management.
    (4) Unusual delays by management in providing requested 
information.
    (5) Management's unwillingness to add or revise disclosures in the 
financial statements to make them more complete and transparent.
    (6) Management's unwillingness to appropriately address significant 
deficiencies in internal control on a timely basis.
    d. Other matters, including:
    (1) Objections by management to the auditor meeting privately with 
the audit committee.
    (2) Accounting policies that appear inconsistent with industry 
practices that are widely recognized and prevalent.
    (3) Frequent changes in accounting estimates that do not appear to 
result from changing circumstances.
    (4) Tolerance of violations of the company's code of conduct.

Auditing Standard No. 15

Audit Evidence

Introduction

    1. This standard explains what constitutes audit evidence and 
establishes requirements regarding designing and performing audit 
procedures to obtain sufficient appropriate audit evidence.
    2. Audit evidence is all the information, whether obtained from 
audit procedures or other sources, that is used by the auditor in 
arriving at the conclusions on which the auditor's opinion is based. 
Audit evidence consists of both information that supports and 
corroborates management's assertions regarding the financial statements 
or internal control over financial reporting and information that 
contradicts such assertions.

Objective

    3. The objective of the auditor is to plan and perform the audit to 
obtain appropriate audit evidence that is sufficient to support the 
opinion expressed in the auditor's report.\141\
---------------------------------------------------------------------------

    \141\ Auditing Standard No. 14, Evaluating Audit Results, 
establishes requirements regarding evaluating whether sufficient 
appropriate evidence has been obtained. Auditing Standard No. 3, 
Audit Documentation, establishes requirements regarding documenting 
the procedures performed, evidence obtained, and conclusions reached 
in an audit.

---------------------------------------------------------------------------

[[Page 59356]]

Sufficient Appropriate Audit Evidence

    4. The auditor must plan and perform audit procedures to obtain 
sufficient appropriate audit evidence to provide a reasonable basis for 
his or her opinion.
    5. Sufficiency is the measure of the quantity of audit evidence. 
The quantity of audit evidence needed is affected by the following:
     Risk of material misstatement (in the audit of financial 
statements) or the risk associated with the control (in the audit of 
internal control over financial reporting). As the risk increases, the 
amount of evidence that the auditor should obtain also increases. For 
example, ordinarily more evidence is needed to respond to significant 
risks.\142\
---------------------------------------------------------------------------

    \142\ Paragraph A5 of Auditing Standard No. 12, Identifying and 
Assessing Risks of Material Misstatement.
---------------------------------------------------------------------------

     Quality of the audit evidence obtained. As the quality of 
the evidence increases, the need for additional corroborating evidence 
decreases. Obtaining more of the same type of audit evidence, however, 
cannot compensate for the poor quality of that evidence.
    6. Appropriateness is the measure of the quality of audit evidence, 
i.e., its relevance and reliability. To be appropriate, audit evidence 
must be both relevant and reliable in providing support for the 
conclusions on which the auditor's opinion is based.
Relevance and Reliability
    7. Relevance. The relevance of audit evidence refers to its 
relationship to the assertion or to the objective of the control being 
tested. The relevance of audit evidence depends on:
    a. The design of the audit procedure used to test the assertion or 
control, in particular whether it is designed to (1) test the assertion 
or control directly and (2) test for understatement or overstatement; 
and
    b. The timing of the audit procedure used to test the assertion or 
control.
    8. Reliability. The reliability of evidence depends on the nature 
and source of the evidence and the circumstances under which it is 
obtained. For example, in general:
     Evidence obtained from a knowledgeable source that is 
independent of the company is more reliable than evidence obtained only 
from internal company sources.
     The reliability of information generated internally by the 
company is increased when the company's controls over that information 
are effective.
     Evidence obtained directly by the auditor is more reliable 
than evidence obtained indirectly.
     Evidence provided by original documents is more reliable 
than evidence provided by photocopies or facsimiles, or documents that 
have been filmed, digitized, or otherwise converted into electronic 
form, the reliability of which depends on the controls over the 
conversion and maintenance of those documents.
    9. The auditor is not expected to be an expert in document 
authentication. However, if conditions indicate that a document may not 
be authentic or that the terms in a document have been modified but 
that the modifications have not been disclosed to the auditor, the 
auditor should modify the planned audit procedures or perform 
additional audit procedures to respond to those conditions and should 
evaluate the effect, if any, on the other aspects of the audit.
Using Information Produced by the Company
    10. When using information produced by the company as audit 
evidence, the auditor should evaluate whether the information is 
sufficient and appropriate for purposes of the audit by performing 
procedures to: \143\
---------------------------------------------------------------------------

    \143\ When using the work of a specialist engaged or employed by 
management, see AU sec. 336, Using the Work of a Specialist. When 
using information produced by a service organization or a service 
auditor's report as audit evidence, see AU sec. 324, Service 
Organizations, and for integrated audits, see Auditing Standard No. 
5, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------

     Test the accuracy and completeness of the information, or 
test the controls over the accuracy and completeness of that 
information; and
     Evaluate whether the information is sufficiently precise 
and detailed for purposes of the audit.

Financial Statement Assertions

    11. In representing that the financial statements are presented 
fairly in conformity with the applicable financial reporting framework, 
management implicitly or explicitly makes assertions regarding the 
recognition, measurement, presentation, and disclosure of the various 
elements of financial statements and related disclosures. Those 
assertions can be classified into the following categories:
     Existence or occurrence--Assets or liabilities of the 
company exist at a given date, and recorded transactions have occurred 
during a given period.
     Completeness--All transactions and accounts that should be 
presented in the financial statements are so included.
     Valuation or allocation--Asset, liability, equity, 
revenue, and expense components have been included in the financial 
statements at appropriate amounts.
     Rights and obligations--The company holds or controls 
rights to the assets, and liabilities are obligations of the company at 
a given date.
     Presentation and disclosure--The components of the 
financial statements are properly classified, described, and disclosed.
    12. The auditor may base his or her work on financial statement 
assertions that differ from those in this standard if the assertions 
are sufficient for the auditor to identify the types of potential 
misstatements and to respond appropriately to the risks of material 
misstatement in each significant account and disclosure that has a 
reasonable possibility \144\ of containing misstatements that would 
cause the financial statements to be materially misstated, individually 
or in combination with other misstatements.\145\
---------------------------------------------------------------------------

    \144\ There is a reasonable possibility of an event, as used in 
this standard, when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in 
the FASB Accounting Standards Codification, Contingencies Topic, 
paragraph 450-20-25-1.
    \145\ For an integrated audit, also see paragraph 28 of Auditing 
Standard No. 5.
---------------------------------------------------------------------------

Audit Procedures for Obtaining Audit Evidence

    13. Audit procedures can be classified into the following 
categories:
    a. Risk assessment procedures,\146\ and
---------------------------------------------------------------------------

    \146\ Auditing Standard No. 12.
---------------------------------------------------------------------------

    b. Further audit procedures,\147\ which consist of:
---------------------------------------------------------------------------

    \147\ Auditing Standard No. 13, The Auditor's Responses to the 
Risks of Material Misstatement.
---------------------------------------------------------------------------

    (1) Tests of controls, and
    (2) Substantive procedures, including tests of details and 
substantive analytical procedures.
    14. Paragraphs 15-21 of this standard describe specific audit 
procedures. The purpose of an audit procedure determines whether it is 
a risk assessment procedure, test of controls, or substantive 
procedure.
Inspection
    15. Inspection involves examining records or documents, whether 
internal or external, in paper form, electronic form, or other media, 
or physically examining an asset. Inspection of records and documents 
provides audit evidence of varying degrees of reliability, depending on 
their nature and source and, in the case of internal records and 
documents, on the effectiveness of the controls over their

[[Page 59357]]

production. An example of inspection used as a test of controls is 
inspection of records for evidence of authorization.
Observation
    16. Observation consists of looking at a process or procedure being 
performed by others, e.g., the auditor's observation of inventory 
counting by the company's personnel or the performance of control 
activities. Observation can provide audit evidence about the 
performance of a process or procedure, but the evidence is limited to 
the point in time at which the observation takes place and also is 
limited by the fact that the act of being observed may affect how the 
process or procedure is performed.\148\
---------------------------------------------------------------------------

    \148\ AU sec. 331, Inventories, establishes requirements 
regarding observation of the counting of inventory.
---------------------------------------------------------------------------

Inquiry
    17. Inquiry consists of seeking information from knowledgeable 
persons in financial or nonfinancial roles within the company or 
outside the company. Inquiry may be performed throughout the audit in 
addition to other audit procedures. Inquiries may range from formal 
written inquiries to informal oral inquiries. Evaluating responses to 
inquiries is an integral part of the inquiry process.\149\
---------------------------------------------------------------------------

    \149\ AU sec. 333, Management Representations, establishes 
requirements regarding written management representations, including 
confirmation of management responses to oral inquiries.
---------------------------------------------------------------------------

    Note: Inquiry of company personnel, by itself, does not provide 
sufficient audit evidence to reduce audit risk to an appropriately low 
level for a relevant assertion or to support a conclusion about the 
effectiveness of a control.
Confirmation
    18. A confirmation response represents a particular form of audit 
evidence obtained by the auditor from a third party in accordance with 
PCAOB standards.\150\
---------------------------------------------------------------------------

    \150\ AU sec. 330, The Confirmation Process.
---------------------------------------------------------------------------

Recalculation
    19. Recalculation consists of checking the mathematical accuracy of 
documents or records. Recalculation may be performed manually or 
electronically.
Reperformance
    20. Reperformance involves the independent execution of procedures 
or controls that were originally performed by company personnel.
Analytical Procedures
    21. Analytical procedures consist of evaluations of financial 
information made by a study of plausible relationships among both 
financial and nonfinancial data. Analytical procedures also encompass 
the investigation of significant differences from expected 
amounts.\151\
---------------------------------------------------------------------------

    \151\ AU sec. 329, Substantive Analytical Procedures, 
establishes requirements on performing analytical procedures as 
substantive procedures.
---------------------------------------------------------------------------

Selecting Items for Testing to Obtain Audit Evidence

    22. Designing substantive tests of details and tests of controls 
includes determining the means of selecting items for testing from 
among the items included in an account or the occurrences of a control. 
The auditor should determine the means of selecting items for testing 
to obtain evidence that, in combination with other relevant evidence, 
is sufficient to meet the objective of the audit procedure. The 
alternative means of selecting items for testing are:
     Selecting all items;
     Selecting specific items; and
     Audit sampling.
    23. The particular means or combination of means of selecting items 
for testing that is appropriate depends on the nature of the audit 
procedure, the characteristics of the control or the items in the 
account being tested, and the evidence necessary to meet the objective 
of the audit procedure.
Selecting All Items
    24. Selecting all items (100 percent examination) refers to testing 
the entire population of items in an account or the entire population 
of occurrences of a control (or an entire stratum within one of those 
populations). The following are examples of situations in which 100 
percent examination might be applied:
     The population constitutes a small number of large value 
items;
     The audit procedure is designed to respond to a 
significant risk, and other means of selecting items for testing do not 
provide sufficient appropriate audit evidence; and
     The audit procedure can be automated effectively and 
applied to the entire population.
Selecting Specific Items
    25. Selecting specific items refers to testing all of the items in 
a population that have a specified characteristic, such as:
     Key items. The auditor may decide to select specific items 
within a population because they are important to accomplishing the 
objective of the audit procedure or exhibit some other characteristic, 
e.g., items that are suspicious, unusual, or particularly risk-prone or 
items that have a history of error.
     All items over a certain amount. The auditor may decide to 
examine items whose recorded values exceed a certain amount to verify a 
large proportion of the total amount of the items included in an 
account.
    26. The auditor also might select specific items to obtain an 
understanding about matters such as the nature of the company or the 
nature of transactions.
    27. The application of audit procedures to items that are selected 
as described in paragraphs 25-26 of this standard does not constitute 
audit sampling, and the results of those audit procedures cannot be 
projected to the entire population.\152\
---------------------------------------------------------------------------

    \152\ If misstatements are identified in the selected items, see 
paragraphs 12-13 and paragraphs 17-19 of Auditing Standard No. 14.
---------------------------------------------------------------------------

Audit Sampling
    28. Audit sampling is the application of an audit procedure to less 
than 100 percent of the items within an account balance or class of 
transactions for the purpose of evaluating some characteristic of the 
balance or class.\153\
---------------------------------------------------------------------------

    \153\ AU sec. 350, Audit Sampling, establishes requirements 
regarding audit sampling.
---------------------------------------------------------------------------

Inconsistency in, or Doubts about the Reliability of, Audit Evidence

    29. If audit evidence obtained from one source is inconsistent with 
that obtained from another, or if the auditor has doubts about the 
reliability of information to be used as audit evidence, the auditor 
should perform the audit procedures necessary to resolve the matter and 
should determine the effect, if any, on other aspects of the audit.
Conforming Amendment to PCAOB Interim Quality Control Standards

Auditing Standards

    AU sec. 110, ``Responsibilities and Functions of the Independent 
Auditor''
    Statement on Auditing Standards (``SAS'') No. 1, ``Codification of 
Auditing Standards and Procedures'' section 110, ``Responsibilities and 
Functions of the Independent Auditor'' (AU sec. 110, ``Responsibilities 
and Functions of the Independent Auditor''), as amended, is amended as 
follows: Within footnote 1 to paragraph .02, the reference to section 
312, Audit Risk and Materiality in Conducting an Audit, is replaced 
with a reference to Auditing Standard No. 11, Consideration of 
Materiality in Planning and Performing an Audit.
    AU sec. 150, ``Generally Accepted Auditing Standards''

[[Page 59358]]

    SAS No. 95, ``Generally Accepted Auditing Standards'' (AU sec. 150, 
``Generally Accepted Auditing Standards''), as amended, is amended as 
follows:
    a. Within paragraph .02, in the third standard of field work, the 
word ``competent'' is replaced with the word ``appropriate.''
    b. Footnote 2 to paragraph .04 is deleted.
    AU sec. 210, ``Training and Proficiency of the Independent 
Auditor''
    SAS No. 1, ``Codification of Auditing Standards and Procedures'' 
section 210, ``Training and Proficiency of the Independent Auditor'' 
(AU sec. 210, ``Training and Proficiency of the Independent Auditor''), 
as amended, is amended as follows:
    The last sentence of paragraph .03 is replaced with: The engagement 
partner must exercise seasoned judgment in the varying degrees of his 
supervision and review of the work done and judgments exercised by his 
subordinates, who in turn must meet the responsibilities attaching to 
the varying gradations and functions of their work.
    AU sec. 230, ``Due Professional Care in the Performance of Work''
    SAS No. 1, ``Codification of Auditing Standards and Procedures'' 
section 230, ``Due Professional Care in the Performance of Work'' (AU 
sec. 230, ``Due Professional Care in the Performance of Work''), as 
amended, is amended as follows:
    a. The second and third sentences of paragraph .06 are replaced 
with: The engagement partner should know, at a minimum, the relevant 
professional accounting and auditing standards and should be 
knowledgeable about the client. The engagement partner is responsible 
for the assignment of tasks to, and supervision of, the members of the 
engagement team.\fn4\
    b. Footnote 3 to paragraph .06 is deleted.
    c. Within footnote 4 to paragraph .06, the phrase ``See section 
311.11'' is replaced with, ``See Auditing Standard No. 10, Supervision 
of the Audit Engagement.''
    d. Footnote 6 to paragraph .11 is deleted.
    e. In the first sentence of paragraph .11, the word ``competent'' 
is replaced with the word ``appropriate.''
    f. At the end of the fifth sentence of paragraph .12, the following 
parenthetical is added: ``(See paragraph 9 of Auditing Standard No. 15, 
Audit Evidence.)''
    AU sec. 310, ``Appointment of the Independent Auditor''
    SAS No. 1, ``Codification of Auditing Standards and Procedures'' 
section 310, ``Appointment of the Independent Auditor'' (AU sec. 310, 
``Appointment of the Independent Auditor''), as amended, is amended as 
follows:
    a. Within footnote ** to the title of the standard, the sentence 
``(See section 313.)'' is deleted.
    b. Paragraph .02 is replaced with: Audit planning is discussed in 
Auditing Standard No. 9, Audit Planning, and supervision of engagement 
team members is discussed in Auditing Standard No. 10, Supervision of 
the Audit Engagement.
    c. In paragraph .03, the sentence ``(See section 313)'' is deleted.
    d. Within footnote 3 to paragraph .06, the reference to Section 
312, Audit Risk and Materiality in Conducting an Audit, paragraph .04, 
is replaced with a reference to Paragraph A2 of Auditing Standard No. 
14, Evaluating Audit Results.
    AU sec. 311, ``Planning and Supervision''
    SAS No. 22, ``Planning and Supervision'' (AU sec. 311, ``Planning 
and Supervision''), as amended, is superseded.
    AU sec. 9311, ``Planning and Supervision: Auditing Interpretations 
of Section 311''
    AU sec. 9311, ``Planning and Supervision: Auditing Interpretations 
of Section 311'', as amended, is superseded.
    AU sec. 312, ``Audit Risk and Materiality in Conducting an Audit''
    SAS No. 47, ``Audit Risk and Materiality in Conducting an Audit'' 
(AU sec. 312, ``Audit Risk and Materiality in Conducting an Audit''), 
as amended, is superseded.
    AU sec. 9312, ``Audit Risk and Materiality in Conducting an Audit: 
Auditing Interpretations of Section 312''
    AU sec. 9312, ``Audit Risk and Materiality in Conducting an Audit: 
Auditing Interpretations of Section 312'' is superseded.
    AU sec. 313, ``Substantive Tests Prior to the Balance Sheet Date''
    SAS No. 45, ``Omnibus Statement on Auditing Standards--1983'' (AU 
sec. 313, ``Substantive Tests Prior to the Balance Sheet Date''), as 
amended, is superseded.
    AU sec. 315, ``Communications Between Predecessor and Successor 
Auditors''
    SAS No. 84, ``Communications Between Predecessor and Successor 
Auditors'' (AU sec. 315, ``Communications Between Predecessor and 
Successor Auditors''), as amended, is amended as follows:
    a. In the first sentence of paragraph .12, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. In the first sentence of paragraph .18, the word ``competent'' 
is replaced with the word ``appropriate.''
    AU sec. 316, ``Consideration of Fraud in a Financial Statement 
Audit''
    SAS No. 99, ``Consideration of Fraud in a Financial Statement 
Audit'' (AU sec. 316, ``Consideration of Fraud in a Financial Statement 
Audit''), as amended, is amended as follows:
    a. The second sentence of paragraph .01 is replaced with: This 
section establishes requirements and provides direction relevant to 
fulfilling that responsibility, as it relates to fraud, in an audit of 
financial statements.\fn2\
    b. In footnote 1 to paragraph .01, delete the following 
information: (see section 312, Audit Risk and Materiality in Conducting 
an Audit,'' and the closing parenthesis at the end of that sentence.
    c. Footnote 2 to paragraph .01 is replaced with: For purposes of 
this standard, the term ``audit of financial statements'' refers to the 
financial statement portion of the integrated audit and to the audit of 
financial statements only.
    d. The following paragraph .01A is added: Auditing Standard No. 12, 
Identifying and Assessing Risks of Material Misstatement, establishes 
requirements regarding the process of identifying and assessing risks 
of material misstatement of the financial statements. Auditing Standard 
No. 13, The Auditor's Responses to the Risks of Material Misstatement, 
establishes requirements regarding designing and implementing 
appropriate responses to the risks of material misstatement. Auditing 
Standard No. 14, Evaluating Audit Results, establishes requirements 
regarding the auditor's evaluation of audit results and determination 
of whether he or she has obtained sufficient appropriate audit 
evidence.
    e. In paragraph .02:
     The third through the sixth bullet points are deleted.
     The seventh bullet point is replaced with: Responding to 
fraud risks
    This section discusses certain responses to fraud risks involving 
the nature, timing, and extent of audit procedures, including:
    [cir] Responses to assessed fraud risks relating to fraudulent 
financial reporting and misappropriation of assets (see paragraphs .52 
through .56).
    [cir] Responses to specifically address the fraud risks arising 
from management override of internal controls (see paragraphs .57 
through .67).
     The eighth bullet point is deleted.
    f. Paragraph .03 is deleted.
    g. Footnote 5 to paragraph .06 is replaced with: The auditor should 
look

[[Page 59359]]

to the requirements of the Securities and Exchange Commission for the 
company under audit with respect to accounting principles applicable to 
that company.
    h. In the third sentence of paragraph .13, the term ``the risk of 
material misstatement due to fraud'' is replaced with the term ``fraud 
risks.''
    i. Paragraphs .14 through .45 are deleted, along with the preceding 
heading, ``Discussion Among Engagement Personnel Regarding the Risks of 
Material Misstatement Due to Fraud.''
    j. Footnotes 8 through 19 related to paragraphs .14 through .45 are 
deleted.
    k. Paragraphs .46 through .50 are deleted. The heading preceding 
paragraph .46, ``Responding to the Results of the Assessment,'' is 
replaced with the heading ``Responding to Assessed Fraud Risks.''
    l. Paragraph .51 is deleted. The heading preceding paragraph .51, 
``Responses Involving the Nature, Timing, and Extent of Procedures to 
Be Performed to Address the Identified Risks,'' is replaced with the 
heading ``Responses Involving the Nature, Timing, and Extent of 
Procedures to Be Performed.''
    m. Paragraph .52 is replaced with: Paragraph 8 of Auditing Standard 
No. 13, The Auditor's Responses to the Risks of Material Misstatement, 
states that ``[t]he auditor should design and perform audit procedures 
in a manner that addresses the assessed risks of material misstatement 
due to error or fraud for each relevant assertion of each significant 
account and disclosure.'' Paragraph 12 of Auditing Standard No. 13 
states that ``the audit procedures that are necessary to address the 
assessed fraud risks depend upon the types of risks and the relevant 
assertions that might be affected.''
    Note: Paragraph 71.b. of Auditing Standard No. 12, Identifying and 
Assessing Risks of Material Misstatement, states that a fraud risk is a 
significant risk. Accordingly, the requirement for responding to 
significant risks also applies to fraud risks.
    n. In paragraph .53:
     The first sentence is replaced with: The following are 
examples of responses to assessed fraud risks involving the nature, 
timing, and extent of audit procedures:
     The fifth bullet point is replaced with: Interviewing 
personnel involved in activities in areas in which a fraud risk has 
been identified to obtain their insights about the risk and how 
controls address the risk. (See paragraph 54 of Auditing Standard No. 
12, Identifying and Assessing Risks of Material Misstatement)
     In the sixth bullet point, the term ``risk of material 
misstatement due to fraud'' is replaced with the term ``fraud risk.''
    o. Footnote 20 to paragraph .53 is replaced with: AU sec. 329, 
Substantive Analytical Procedures, establishes requirements regarding 
performing analytical procedures as substantive tests.
    p. The heading preceding paragraph .54, ``Additional Examples of 
Responses to Identified Risks of Misstatements Arising From Fraudulent 
Financial Reporting,'' is replaced with the heading ``Additional 
Examples of Audit Procedures Performed to Respond to Assessed Fraud 
Risks Relating to Fraudulent Financial Reporting.''
    q. The first sentence in paragraph .54 is replaced with: The 
following are additional examples of audit procedures that might be 
performed in response to assessed fraud risks relating to fraudulent 
financial reporting:
    r. In paragraph .54:
     In the last sentence of the first bullet point, the term 
``risk of material misstatement due to fraud'' is replaced with the 
term ``fraud risk.''
     In the first sentence of the second bullet point, the term 
``risk of material misstatement due to fraud'' is replaced with the 
term ``fraud risk.''
     In the first sentence of the third bullet point and the 
accompanying paragraph to the third bullet point, the term ``risk of 
material misstatement due to fraud'' is replaced with the term ``fraud 
risk.''
    s. Footnotes 21 and 22 to paragraph .54 are amended as follows:
     The text of footnote 21 is replaced with ``AU sec. 330, 
The Confirmation Process, establishes requirements regarding the 
confirmation process in audits of financial statements.''
     The text of footnote 22 is replaced with ``AU sec. 336, 
Using the Work of a Specialist, establishes requirements for an auditor 
who uses the work of a specialist in performing an audit of financial 
statements.''
    t. The heading preceding paragraph .55, ``Examples of Responses to 
Identified Risks of Misstatements Arising From Misappropriations of 
Assets,'' is replaced with the heading ``Examples of Audit Procedures 
Performed to Respond to Fraud Risks Relating to Misappropriations of 
Assets.''
    u. In the first sentence of paragraph .55, the term ``risk of 
material misstatement due to fraud'' is replaced with the term ``fraud 
risk.''
    v. In paragraph .56:
     The first and second sentences are replaced with: The 
audit procedures performed in response to a fraud risk relating to 
misappropriation of assets usually will be directed toward certain 
account balances. Although some of the audit procedures noted in 
paragraphs .53 and .54 and in paragraphs 8 through 15 of Auditing 
Standard No. 13, The Auditor's Responses to the Risks of Material 
Misstatement, may apply in such circumstances, such as the procedures 
directed at inventory quantities, the scope of the work should be 
linked to the specific information about the misappropriation risk that 
has been identified.
     In the third sentence, the words ``design and'' are added 
before the words ``operating effectiveness.''
    w. The heading preceding paragraph .57, ``Responses to Further 
Address the Risk of Management Override of Controls,'' is replaced with 
the heading ``Audit Procedures Performed to Specifically Address the 
Risk of Management Override of Controls.''
    x. The third sentence of paragraph .57 is replaced with: 
Accordingly, as part of the auditor's responses that address fraud 
risks, the procedures described in paragraphs .58 through .67 should be 
performed to specifically address the risk of management override of 
controls.
    y. Footnote 23 to paragraph .58 is replaced with: See paragraphs 28 
through 32 of Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
    z. In paragraph .61:
     In the first sentence of the first bullet point, the term 
``the risk of material misstatement due to fraud'' is replaced with the 
term ``fraud risk.''
     In the second bullet point, the last two sentences are 
replaced with the following: Effective controls over the preparation 
and posting of journal entries and adjustments may affect the extent of 
substantive testing necessary, provided that the auditor has tested the 
controls. However, even though controls might be implemented and 
operating effectively, the auditor's substantive procedures for testing 
journal entries and other adjustments should include the identification 
and substantive testing of specific items.
     In item (f) of the fifth bullet point, the term ``risk of 
material misstatement due to fraud'' is replaced with the term ``fraud 
risk.''
     The last sentence of the fifth bullet point is replaced 
with: In audits of entities that have multiple locations or business 
units, the auditor should determine whether to select journal entries 
from locations based on factors set forth in paragraphs 11 through 14 
of

[[Page 59360]]

Auditing Standard No. 9, Audit Planning.
    aa. The last sentence of paragraph .63 is replaced with: Paragraphs 
24 through 27 of Auditing Standard No. 14, Evaluating Audit Results, 
discuss the auditor's responsibilities for assessing bias in accounting 
estimates and the effect of bias on the financial statements.
    bb. Paragraphs .68 through .78 are deleted, along with the 
preceding heading ``Evaluating Audit Evidence.''
    cc. Footnotes 26 through 36 related to paragraphs .68 through .78 
are deleted.
    dd. In the first sentence of paragraph .80, the term ``risks of 
material misstatement due to fraud'' is replaced with the term ``fraud 
risks.''
    ee. The last sentence of paragraph .80 is replaced with: The 
auditor also should evaluate whether the absence of or deficiencies in 
controls that address fraud risks or otherwise help prevent, deter, and 
detect fraud (see paragraphs 72-73 of Auditing Standard No. 12, 
Identifying and Assessing Risks of Material Misstatement) represent 
significant deficiencies or material weaknesses that should be 
communicated to senior management and the audit committee.
    ff. The first sentence of paragraph .81 is replaced with: The 
auditor also should consider communicating other fraud risks, if any, 
identified by the auditor.
    gg. In paragraph .83:
     The reference in the first bullet point to paragraphs .14 
through .17 is replaced with a reference to paragraphs 52 and 53 of 
Auditing Standard No. 12, Identifying and Assessing Risks of Material 
Misstatement.
     The term ``risks of material misstatement due to fraud'' 
in the first sentence of the second bullet point is replaced with the 
term ``fraud risks.'' The reference in the second bullet point to 
paragraphs .19 through .34 is replaced with references to paragraph 47, 
paragraphs 56 through 58, and paragraphs 65 through 69 of Auditing 
Standard No. 12, Identifying and Assessing Risks of Material 
Misstatement.
     The third bullet point is replaced with: The fraud risks 
that were identified at the financial statement and assertion levels 
(see paragraphs 59 through 69 of Auditing Standard No. 12, Identifying 
and Assessing Risks of Material Misstatement), and the linkage of those 
risks to the auditor's response (see paragraphs 5 through 15 of 
Auditing Standard No. 13, The Auditor's Responses to the Risks of 
Material Misstatement).
     Within the fourth bullet point, the term ``risk of 
material misstatement due to fraud'' in the first sentence is replaced 
with the term ``fraud risk,'' and the reference to paragraph .41 is 
replaced with a reference to paragraph 68 of Auditing Standard No. 12, 
Identifying and Assessing Risks of Material Misstatement.
     The fifth bullet point is replaced with: The results of 
the procedures performed to address the assessed fraud risks, including 
those procedures performed to further address the risk of management 
override of controls (See paragraph 15 of Auditing Standard No. 13, The 
Auditor's Responses to the Risks of Material Misstatements.)
     The reference in the sixth bullet point to paragraphs .68 
through .73 is replaced with a reference to paragraphs 5 through 9 of 
Auditing Standard No. 14, Evaluating Audit Results.
    hh. Paragraph .84 and the heading preceding this paragraph, 
``Effective Date,'' are deleted.
    ii. The first sentence of paragraph .85 is replaced with: This 
appendix contains examples of risk factors discussed in paragraphs 65 
through 69 of Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
    AU sec. 317, ``Illegal Acts by Clients''
    SAS No. 54, ``Illegal Acts by Clients'' (AU sec. 317, ``Illegal 
Acts by Clients'') is amended as follows:
    a. The last sentence of paragraph .13 is replaced with: For 
example, an illegal payment of an otherwise immaterial amount could be 
material if there is a reasonable possibility that it could lead to a 
material contingent liability or a material loss of revenue.
    b. In paragraph .19, the word ``competent'' is replaced with the 
word ``appropriate.''
    AU sec. 319, ``Consideration of Internal Control in a Financial 
Statement Audit''
    SAS No. 55, ``Consideration of Internal Control in a Financial 
Statement Audit'' (AU sec. 319, ``Consideration of Internal Control in 
a Financial Statement Audit''), as amended, is superseded.
    AU sec. 322, ``The Auditor's Consideration of the Internal Audit 
Function in an Audit of Financial Statements''
    SAS No. 65, ``The Auditor's Consideration of the Internal Audit 
Function in an Audit of Financial Statements'' (AU sec. 322, ``The 
Auditor's Consideration of the Internal Audit Function in an Audit of 
Financial Statements''), as amended, is amended as follows:
    a. In the first sentence of paragraph .02, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. Footnote 3 to paragraph .04, is replaced with: Auditing Standard 
No. 12, Identifying and Assessing Risks of Material Misstatement, 
describes the procedures the auditor performs to obtain an 
understanding of internal control over financial reporting.
    c. In the first sentence of paragraph .18, the word ``competent'' 
is replaced with the word ``appropriate.''
    d. Within footnote 5 to paragraph .18, the reference to section 
326, Evidential Matter, paragraph .19c. is replaced with a reference to 
paragraph 8 of Auditing Standard No. 15, Audit Evidence.
    e. Within footnote 8 to paragraph .27, the reference to section 
311, Planning and Supervision, paragraphs .11 through .14 is replaced 
with a reference to Auditing Standard No. 10, Supervision of the Audit 
Engagement.
    AU sec. 324, ``Service Organizations''
    SAS No. 70, ``Service Organizations'' (AU sec. 324, ``Service 
Organizations''), as amended, is amended as follows:
    a. In the first sentence of paragraph .07, the reference to Section 
319, Consideration of Internal Control in a Financial Statement Audit, 
is replaced with a reference to Auditing Standard No. 12, Identifying 
and Assessing Risks of Material Misstatement.
    b. In the first sentence of paragraph .16, the reference to section 
319.90 through .99 is replaced with a reference to paragraph 18 and 
paragraphs 29 through 31 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.
    c. In the second sentence of paragraph .23, the reference to 
section 312, Audit Risk and Materiality in Conducting an Audit, is 
replaced with a reference to Auditing Standard No. 14, Evaluating Audit 
Results.
    AU sec. 326, ``Evidential Matter''
    SAS No. 31, ``Evidential Matter'' (AU sec. 326, ``Evidential 
Matter''), as amended, is superseded.
    AU sec. 9326, ``Evidential Matter: Auditing Interpretations of 
Section 326''
    AU sec. 9326, ``Evidential Matter: Auditing Interpretations of 
Section 326,'' as amended, is amended as follows:
    a. Paragraphs .01-.05 are deleted, along with the preceding heading 
``1. Evidential Matter for an Audit of Interim Financial Statements.''
    b. The reference in paragraph .10 to Section 326, Evidential 
Matter, paragraph .25, is replaced with a reference to Paragraph 35 of 
Auditing Standard No. 14, Evaluating Audit Results.
    c. In the first and second sentences of paragraph .10, the word 
``competent'' is replaced with the word ``appropriate.''

[[Page 59361]]

    d. In the second sentence of paragraph .12, the word ``competent'' 
is replaced with the word ``appropriate.''
    e. The last two sentences of paragraph .12 are deleted.
    f. In the first sentence of paragraph .13, the word ``competent'' 
is replaced with the word ``appropriate.''
    g. In paragraph .17, the word ``competent'' is replaced with the 
word ``appropriate.''
    h. In the second sentence of paragraph .21, the word ``competent'' 
is replaced with the word ``appropriate.''
    i. In the fourth sentence of paragraph .22, the word ``competent'' 
is replaced with the word ``appropriate.''
    j. In paragraph .23, the word ``competent'' is replaced with the 
word ``appropriate.''
    k. Paragraphs .24-.41 are deleted, along with the headings ``3. The 
Auditor's Consideration of the Completeness Assertion'' and ``4. 
Applying Auditing Procedures to Segment Disclosures in Financial 
Statements.''
    AU sec. 328, ``Auditing Fair Value Measurements and Disclosures''
    SAS No. 101, ``Auditing Fair Value Measurements and Disclosures'' 
(AU sec. 328, ``Auditing Fair Value Measurements and Disclosures''), as 
amended, is amended as follows:
    a. In the first sentence of paragraph .03, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. The phrase in paragraph .11 ``Section 319, Consideration of 
Internal Control in a Financial Statement Audit, as amended,'' is 
replaced with ``Auditing Standard No. 12, Identifying and Assessing 
Risks of Material Misstatement,''
    c. The reference in paragraph .14 to Section 319 is replaced with a 
reference to Paragraph A5, second note of Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is Integrated 
with An Audit of Financial Statements.
    d. In the second sentence of paragraph .14, the reference ``(see 
section 316, Consideration of Fraud in a Financial Statement Audit'' is 
deleted.
    e. Within paragraph .25, in the second sentence of the second 
bullet point and in the first sentence in the third bullet point, the 
word ``competent'' is replaced with the word ``appropriate.''
    f. In the second sentence of paragraph .32, the word ``competent'' 
is replaced with the word ``appropriate.''
    g. In the first sentence of paragraph .42, the word ``competent'' 
is replaced with the word ``appropriate.''
    h. In footnote 8 to paragraph .43, the reference to section 431, 
Adequacy of Disclosure in Financial Statements, is replaced with a 
reference to ``paragraph 31 of Auditing Standard No. 14, Evaluating 
Audit Results.''
    i. In the second sentence of paragraph .44, the word ``competent'' 
is replaced with the word ``appropriate.''
    j. The reference in paragraph .47 to section 312, Audit Risk and 
Materiality in Conducting an Audit, paragraphs .36 through .41, is 
replaced with a reference to paragraphs 12 through 18 and 24 through 27 
of Auditing Standard No. 14, Evaluating Audit Results.
    AU sec. 329, ``Analytical Procedures''
    SAS No. 56, ``Analytical Procedures'' (AU sec. 329, ``Analytical 
Procedures''), as amended, is amended as follows:
    a. The title of the standard, ``Analytical Procedures,'' is 
replaced with the title, ``Substantive Analytical Procedures.''
    b. The text of paragraph .01 is replaced with: This section 
establishes requirements regarding the use of substantive analytical 
procedures in an audit.
    Note: Auditing Standard No. 12, Identifying and Assessing Risks of 
Material Misstatement, establishes requirements regarding performing 
analytical procedures as a risk assessment procedure in identifying and 
assessing risks of material misstatement.
    Note: Auditing Standard No. 14, Evaluating Audit Results, 
establishes requirements regarding performing analytical procedures as 
part of the overall review stage of the audit.
    c. The last sentence of paragraph .03 is deleted.
    d. The text of paragraph .04 is replaced with: Analytical 
procedures are used as a substantive test to obtain evidential matter 
about particular assertions related to account balances or classes of 
transactions. In some cases, analytical procedures can be more 
effective or efficient than tests of details for achieving particular 
substantive testing objectives.
    e. Paragraphs .06-.08 and the preceding heading, ``Analytical 
Procedures in Planning the Audit,'' are deleted.
    f. At the end of paragraph .09, the following new sentence is 
added: (See paragraph 11 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.)
    g. Within footnote 1 to paragraph .09, the reference to section 
326, Evidential Matter, is replaced with a reference to Auditing 
Standard No. 15, Audit Evidence.
    h. Footnote 2 to paragraph .20 is deleted.
    i. In paragraph .21:
     In the fourth sentence, the word ``likely'' is deleted.
     The reference to section 316, Consideration of Fraud in a 
Financial Statement Audit, is replaced with a reference to Auditing 
Standard No. 14, Evaluating Audit Results.
    j. Footnote 3 to paragraph .21 is deleted.
    k. Paragraph .23 and the preceding heading, ``Analytical Procedures 
Used in the Overall Review,'' and paragraph .24 and the preceding 
heading, ``Effective Date,'' are deleted.
    AU sec. 330, ``The Confirmation Process''
    SAS No. 67, ``The Confirmation Process'' (AU sec. 330, ``The 
Confirmation Process''), is amended as follows:
    a. The references in paragraph .02 to section 312, Audit Risk and 
Materiality in Conducting an Audit, and section 313, Substantive Tests 
Prior to the Balance-Sheet Date, are replaced with a reference to 
Auditing Standard No. 13, The Auditor's Responses to the Risks of 
Material Misstatement.
    b. The reference in paragraph .05 to Section 312 is replaced with a 
reference to Auditing Standard No. 8, Audit Risk.
    c. The second sentence of paragraph .06 is replaced with: See 
paragraph 8 of Auditing Standard No. 15, Audit Evidence, which 
discusses the reliability of audit evidence.
    d. In the first sentence of paragraph .11, the word ``competent'' 
is replaced with the word ``appropriate.''
    e. In the third sentence of paragraph .11, the reference to Section 
326 is replaced with a reference to Auditing Standard No. 15, Audit 
Evidence.
    f. In the first sentence of paragraph .24, the word ``competence'' 
is replaced with the word ``appropriateness.''
    g. In the last sentence of paragraph .27, the word ``competent'' is 
replaced with the word ``appropriate.''
    AU sec. 332, ``Auditing Derivative Instruments, Hedging Activities, 
and Investments in Securities''
    SAS No. 92, ``Auditing Derivative Instruments, Hedging Activities, 
and Investment in Securities'' (AU sec. 332, ``Auditing Derivative 
Instruments, Hedging Activities, and Investments in Securities''), as 
amended, is amended as follows:
    a. The reference in paragraph .01 to section 326, Evidential 
Matter, paragraphs .03-.08, is replaced with a reference to paragraphs 
11 and 12 of Auditing Standard No. 15, Audit Evidence.
    b. Paragraph .06 is replaced with: Auditing Standard No. 9, Audit 
Planning, discusses the auditor's responsibilities for consideration of 
the use of persons with specialized skill or knowledge. Auditing 
Standard No. 10,

[[Page 59362]]

Supervision of the Audit Engagement, discusses the auditor's 
responsibilities for supervision of specialists who are employed by the 
auditor. AU sec. 336, Using the Work of a Specialist, discusses the 
auditor's responsibilities for using the work of a specialist engaged 
by the auditor.
    c. The first and second sentences of paragraph .07 are deleted. The 
third sentence is replaced with:
    The auditor should design and perform audit procedures regarding 
relevant assertions of derivatives and investments in securities that 
are based on and that address the risks of material misstatement in 
those assertions.
    d. The reference in paragraph .09 to Section 319, Consideration of 
Internal Control in a Financial Statement Audit, is replaced with a 
reference to Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
    e. The fourth sentence of paragraph .11 is replaced with 
``Paragraphs 28 through 32 and B1 through B6 of Auditing Standard No. 
12, Identifying and Assessing Risks of Material Misstatement, discuss 
the information system, including related business processes, relevant 
to financial reporting.''
    f. In paragraph .15, the reference to section 319 is replaced with 
a reference to Auditing Standard No. 12, Identifying and Assessing 
Risks of Material Misstatement.
    g. The last sentence of paragraph .35 is replaced with: In 
addition, paragraphs 24 through 27 of Auditing Standard No. 14, 
Evaluating Audit Results, describe the auditor's responsibilities for 
assessing bias in accounting estimates.
    h. In paragraph .43, subparagraph a., the word ``competent'' is 
replaced with the word ``appropriate.''
    i. In paragraph .51, the last sentence is replaced with: (See 
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.)
    j. In paragraph .57, subparagraph c., the word ``competent'' is 
replaced with the word ``appropriate.''
    AU sec. 333, ``Management Representations''
    SAS No. 85, ``Management Representations'' (AU sec. 333, 
``Management Representations''), as amended, is amended as follows:
    a. Footnote 4 to paragraph .06 is replaced with: Auditing Standard 
No. 14, Evaluating Audit Results, indicates that a misstatement can 
arise from error or fraud and also discusses the auditor's 
responsibilities for evaluating accumulated misstatements.
    b. Within footnote 6 to paragraph .06, the reference to Section 312 
is replaced with a reference to Paragraph 11 of Auditing Standard No. 
14, Evaluating Audit Results.
    c. Within footnote 7 to paragraph .06, the reference to section 
316, Consideration of Fraud in a Financial Statement Audit, paragraphs 
.38 through .40, is replaced with a reference to section 316, 
Consideration of Fraud in a Financial Statement Audit, paragraphs .79 
through .82.
    AU sec. 334, ``Related Parties''
    SAS No. 45, ``Related Parties'' (AU sec. 334 ``Related Parties''), 
is amended as follows:
    a. In the second sentence of paragraph .09, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. In the first sentence of paragraph .11, the word ``competent'' 
is replaced with the word ``appropriate.''
    c. In footnote 8 to paragraph .11, the reference to section 431, 
Adequacy of Disclosure in Financial Statements, is replaced with a 
reference to paragraph 31 of Auditing Standard No. 14, Evaluating Audit 
Results.
    AU sec. 9334, ``Related Parties: Auditing Interpretations of 
Section 334''
    AU sec. 9334, ``Related Parties: Auditing Interpretations of 
Section 334,'' is amended as follows: Within footnote 4 to paragraph 
.17, the reference to section 312, Audit Risk and Materiality in 
Conducting an Audit, is replaced with a reference to Auditing Standard 
No. 8, Audit Risk.
    AU sec. 336, ``Using the Work of a Specialist''
    SAS No. 73, ``Using the Work of a Specialist'' (AU sec. 336, 
``Using the Work of a Specialist''), is amended as follows:
    a. Footnote 1 to paragraph .01 is replaced with the following: 
Because income taxes and information technology are specialized areas 
of accounting and auditing, this section does not apply to situations 
in which an income tax specialist or information technology specialist 
participates in the audit. Auditing Standard No. 10, Supervision of the 
Audit Engagement, applies in those situations.
    b. Paragraph .05 is replaced with the following: This section does 
not apply to situations in which a specialist employed by the auditor's 
firm participates in the audit. Auditing Standard No. 10, Supervision 
of the Audit Engagement, applies in those situations.
    c. In the last sentence of paragraph .06, the word ``competent'' is 
replaced with the word ``appropriate.''
    d. In the first and last sentences of paragraph .13, the word 
``competent'' is replaced with the word ``appropriate.''
    AU sec. 9336, ``Using the Work of a Specialist: Auditing 
Interpretations of Section 336''
    AU sec. 9336, ``Using the Work of a Specialist: Auditing 
Interpretations of Section 336,'' is amended as follows:
    a. In the second sentence of paragraph .04, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. In paragraph .05, the word ``competent'' is replaced with the 
word ``appropriate.''
    c. In the second sentence of paragraph .11, the word ``competent'' 
is replaced with the word ``appropriate.''
    d. The penultimate sentence of paragraph .15, is replaced with: 
Paragraph 6 of Auditing Standard No. 15, Audit Evidence, states, ``[t]o 
be appropriate, audit evidence must be both relevant and reliable in 
providing support for the conclusions on which the auditor's opinion is 
based.''
    AU sec. 341, ``The Auditor's Consideration of an Entity's Ability 
to Continue as a Going Concern''
    SAS No. 59, ``The Auditor's Consideration of an Entity's Ability to 
Continue as Going Concern'' (AU sec. 341, ``The Auditor's Consideration 
of an Entity's Ability to Continue as a Going Concern''), as amended, 
is amended as follows: The reference in paragraph .02 to section 326, 
Evidential Matter, is replaced with a reference to Auditing Standard 
No. 15, Audit Evidence.
    AU sec. 342, ``Auditing Accounting Estimates''
    SAS No. 57, ``Auditing Accounting Estimates'' (AU sec. 342, 
``Auditing Accounting Estimates''), as amended, is amended as follows:
    a. In the first sentence of paragraph .01, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. In the first sentence of paragraph .07, the word ``competent'' 
is replaced with the word ``appropriate.''
    c. The text of footnote 3 to paragraph .07 is replaced with: See 
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.
    d. The reference in paragraph .08 subparagraph b.1. to section 311, 
Planning and Supervision, is replaced with a reference to Auditing 
Standard No. 12, Identifying and Assessing Risks of Material 
Misstatement.
    e. Paragraph .14, is replaced with: Paragraphs 24 through 27 of 
Auditing Standard No. 14, Evaluating Audit Results, discuss the 
auditor's responsibilities for assessing bias and evaluating accounting 
estimates in relationship to the financial statements taken as a whole.
    AU sec. 9342, ``Auditing Accounting Estimates: Auditing 
Interpretations of Section 342''

[[Page 59363]]

    AU sec. 9342, ``Auditing Accounting Estimates: Auditing 
Interpretations of Section 342,'' is amended as follows: In the second 
sentence of paragraph .02, the word ``competent'' is replaced with the 
word ``appropriate.''
    AU sec. 350, ``Audit Sampling''
    SAS No. 39, ``Audit Sampling'' (AU sec. 350, ``Audit Sampling''), 
as amended, is amended as follows:
    a. Within footnote 2 to paragraph .02, the reference to section 
312, Audit Risk and Materiality in Conducting an Audit, is replaced 
with a reference to Auditing Standard No. 14, Evaluating Audit Results.
    b. The last sentence of paragraph .03 is replaced with: Either 
approach to audit sampling can provide sufficient evidential matter 
when applied properly. This section applies to both nonstatistical and 
statistical sampling.
    c. Paragraph .04 is deleted.
    d. In paragraph .06:
     The first sentence is deleted.
     In the last sentence, the word ``competence'' is replaced 
with the word ``appropriateness.''
     The following note is added to the paragraph:
    Note: Auditing Standard No. 15, Audit Evidence, discusses the 
appropriateness of audit evidence, and Auditing Standard No. 14, 
Evaluating Audit Results, discusses the auditor's responsibilities for 
evaluating the sufficiency and appropriateness of audit evidence.
    e. Paragraph .08 is deleted.
    f. In paragraph .09:
     The sentence in paragraph .09 referring to section 313, 
which is in parentheses, is deleted.
     The following note is added to the paragraph:
    Note: Auditing Standard No. 8, Audit Risk, describes audit risk and 
its components in a financial statement audit--the risk of material 
misstatement (consisting of inherent risk and control risk) and 
detection risk.
    g. In paragraph .11:
     The phrase ``(see section 311, Planning and Supervision)'' 
is deleted.
     The sentence ``(See section 313.)'' is deleted.
    h. The second sentence of paragraph .15 is replaced with: See 
Auditing Standard No. 9, Audit Planning.
    i. In the first bullet in paragraph .16, the phrase ``(see section 
326, Evidential Matter)'' is deleted.
    j. In the second bullet of paragraph .16, the phrase ``Preliminary 
judgments about materiality levels'' is replaced with the phrase 
``Tolerable misstatement. (See paragraphs .18-18A.)''
    k. Paragraph .18 is replaced with: Evaluation in monetary terms of 
the results of a sample for a substantive test of details contributes 
directly to the auditor's purpose, since such an evaluation can be 
related to his or her judgment of the monetary amount of misstatements 
that would be material. When planning a sample for a substantive test 
of details, the auditor should consider how much monetary misstatement 
in the related account balance or class of transactions may exist, in 
combination with other misstatements, without causing the financial 
statements to be materially misstated. This maximum monetary 
misstatement for the account balance or class of transactions is called 
tolerable misstatement.
    l. Paragraph .18A is added: Paragraphs 8-9 of Auditing Standard No. 
11, Consideration of Materiality in Planning and Performing an Audit, 
describe the auditor's responsibilities for determining tolerable 
misstatement at the account or disclosure level. When the population to 
be sampled constitutes a portion of an account balance or transaction 
class, the auditor should determine tolerable misstatement for the 
population to be sampled for purposes of designing the sampling plan. 
Tolerable misstatement for the population to be sampled ordinarily 
should be less than tolerable misstatement for the account balance or 
transaction class to allow for the possibility that misstatement in the 
portion of the account or transaction class not subject to audit 
sampling, individually or in combination with other misstatements, 
would cause the financial statements to be materially misstated.
    m. Paragraph .20 is deleted.
    n. The first sentence of paragraph .21 is replaced with the 
following sentence: The sufficiency of tests of details for a 
particular account balance or class of transactions is related to the 
individual importance of the items examined as well as to the potential 
for material misstatement.
    o. Paragraph .23 is replaced with: To determine the number of items 
to be selected in a sample for a particular substantive test of 
details, the auditor should take into account tolerable misstatement 
for the population; the allowable risk of incorrect acceptance (based 
on the assessments of inherent risk, control risk, and the detection 
risk related to the substantive analytical procedures or other relevant 
substantive tests); and the characteristics of the population, 
including the expected size and frequency of misstatements.
    p. Paragraph .23A is added: Table 1 of the Appendix describes the 
effects of the factors discussed in the preceding paragraph on sample 
sizes in a statistical or nonstatistical sampling approach. When 
circumstances are similar, the effect on sample size of those factors 
should be similar regardless of whether a statistical or nonstatistical 
approach is used. Thus, when a nonstatistical sampling approach is 
applied properly, the resulting sample size ordinarily will be 
comparable to, or larger than, the sample size resulting from an 
efficient and effectively designed statistical sample.
    q. The last sentence of paragraph .25 is replaced with: The auditor 
also should evaluate whether the reasons for his or her inability to 
examine the items have (a) implications in relation to his or her risk 
assessments (including the assessment of fraud risk), (b) implications 
regarding the integrity of management or employees, and (c) possible 
effects on other aspects of the audit.
    r. Footnote 6 to paragraph .26 is replaced with: Paragraphs 10 
through 23 of Auditing Standard No. 14, Evaluating Audit Results, 
discuss the auditor's consideration of differences between the 
accounting records and the underlying facts and circumstances.
    s. Within footnote 7 to paragraph .32, the phrase ``(see section 
319.85)'' is deleted. In the first sentence of the footnote, the phrase 
``often plans'' is replaced with the phrase ``may plan.'' The last 
sentence of the footnote, which is in brackets, is deleted.
    t. The last sentence of paragraph .38 is replaced with: When 
circumstances are similar, the effect on sample size of those factors 
should be similar regardless of whether a statistical or nonstatistical 
approach is used. Thus, when a nonstatistical sampling approach is 
applied properly, the resulting sample size ordinarily will be 
comparable to, or larger than, the sample size resulting from an 
efficient and effectively designed statistical sample.
    u. The fifth sentence of paragraph .39 is replaced with: Paragraphs 
44 through 46 of Auditing Standard No. 13, The Auditor's Responses to 
the Risks of Material Misstatement, describe the auditor's 
responsibilities for performing procedures between the interim date of 
testing and period end.
    v. In paragraph .39, the last sentence, which is in brackets, is 
deleted.
    w. In paragraph .44:
     The first sentence is replaced with: In some 
circumstances, the auditor may design a sample that will be used for 
dual purposes: as a test of control and as a substantive test.

[[Page 59364]]

     The third sentence is replaced with: For example, an 
auditor designing a test of a control over entries in the voucher 
register may design a related substantive test at a risk level that is 
based on an expectation of reliance on the control.
     The fifth sentence is replaced with: In evaluating such 
tests, deviations from the control that was tested and monetary 
misstatements should be evaluated separately using the risk levels 
applicable for the respective purposes.
     The following Note is added to the paragraph:
    Note: Paragraph 47 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement, provides additional 
discussion of the auditor's responsibilities for performing dual-
purpose tests.
    x. The reference in paragraph .45 to paragraph .04 is changed to a 
reference to paragraph .03.
    y. In item 2 of paragraph .48, the last sentence is deleted.
    z. Within footnote 1 to item 4 in paragraph .48, the sentence 
``(See section 313.)'' is deleted.
    aa. The sentence in item 6 of paragraph .48 ``(See section 313.)'' 
is deleted.
    AU sec. 9350, ``Audit Sampling: Auditing Interpretations of Section 
350''
    AU sec. 9350, ``Audit Sampling: Auditing Interpretations of Section 
350,'' is superseded.
    AU sec. 380, ``Communication With Audit Committees''
    SAS No. 61, ``Communication With Audit Committees'' (AU sec. 380, 
``Communication With Audit Committees''), as amended, is amended as 
follows:
    In footnote 5 to paragraph .10, the reference to section 
316A.38-.40 is replaced with a reference to AU secs. 316.79-.82; the 
reference to section 316A is replaced with a reference to section 316.
    AU sec. 411, ``The Meaning of Present Fairly in Conformity With 
Generally Accepted Accounting Principles''
    SAS No. 69, ``The Meaning of Present Fairly in Conformity With 
Generally Accepted Accounting Principles'' (AU sec. 411, ``The Meaning 
of Present Fairly in Conformity with Generally Accepted Accounting 
Principles''), as amended, is amended as follows:
    a. In paragraph .04, the reference in (c) to section 431 is 
replaced with a reference to paragraph 31 of Auditing Standard No. 14, 
Evaluating Audit Results; in (d), the reference to section 431 is 
replaced with a reference to paragraph 31 of Auditing Standard No. 14.
    b. The reference in footnote 1 to paragraph .04 to 312.10 is 
replaced with a reference to Auditing Standard No. 11, Consideration of 
Materiality in Planning and Performing an Audit.
    AU sec. 431, ``Adequacy of Disclosure in Financial Statements''
    SAS No. 32, ``Adequacy of Disclosure in Financial Statements'' (AU 
sec. 431, ``Adequacy of Disclosure in Financial Statements''), as 
amended, is superseded.
    AU sec. 508, ``Reports on Audited Financial Statements''
    SAS No. 58, ``Reports on Audited Financial Statements'' (AU sec. 
508, ``Reports on Audited Financial Statements''), as amended, is 
amended as follows:
    a. In paragraph 18C, the phrase ``and in AU sec. 431'' is deleted.
    b. In subparagraph .20.a., the word ``competent'' is replaced with 
the word ``appropriate.''
    c. In the second sentence of paragraph .22, the word ``competent'' 
is replaced with the word ``appropriate.''
    d. In the third sentence of paragraph .24, the word ``competent'' 
is replaced with the word ``appropriate.''
    e. In footnote 15 to paragraph .38, the first sentence is replaced 
with:
    In this context, practicable means that the information is 
reasonably obtainable from management's accounts and records and that 
providing the information in the report does not require the auditor to 
assume the position of a preparer of financial information.
    f. The references in paragraph .49 to section 312, Audit Risk and 
Materiality, and to section 342, Auditing Accounting Estimates, are 
replaced with a reference to paragraph 13 of Auditing Standard No. 14, 
Evaluating Audit Results.
    g. In the first sentence of paragraph .63, the word ``competent'' 
is replaced with the word ``appropriate.''
    h. In paragraph .66, the second sentence is replaced with:
    (See paragraph 31 of Auditing Standard No. 14, Evaluating Audit 
Results.)
    AU sec. 9508, ``Reports on Audited Financial Statements: Auditing 
Interpretations of Section 508''
    AU sec. 9508, ``Reports on Audited Financial Statements: Auditing 
Interpretations of Section 508,'' is amended as follows:
    In paragraph .02, the word ``competent'' is replaced with the word 
``appropriate.''
    AU sec. 530, ``Dating of the Independent Auditor's Report''
    SAS No. 1, ``Codification of Auditing Standards and Procedures,'' 
section 530, ``Dating of the Independent Auditor's Report'' (AU sec. 
530, ``Dating of the Independent Auditor's Report''), as amended, is 
amended as follows:
    a. In the first sentence of paragraph .01, the word ``competent'' 
is replaced with the word ``appropriate.''
    b. In the second note to paragraph .01, the word ``competent'' is 
replaced with the word ``appropriate.''
    c. In the first sentence of paragraph .05, the word ``competent'' 
is replaced with the word ``appropriate.''
    AU sec. 543, ``Part of Audit Performed by Other Independent 
Auditors''
    SAS No. 1, ``Codification of Auditing Standards and Procedures,'' 
section 543 ``Part of Audit Performed by Other Independent Auditors'' 
(AU sec. 543, ``Part of Audit Performed by Other Independent 
Auditors''), as amended, is amended as follows:
    a. The following note is added as the second note to paragraph .01:
    Note: For situations in which the auditor engages an accounting 
firm or individual accountants to participate in the audit engagement 
and AU sec. 543 does not apply, the auditor should supervise them in 
accordance with the requirements of Auditing Standard No. 10, 
Supervision of the Audit Engagement.
    b. Within paragraph .12:
     Subparagraph b. is replaced with: A list of significant 
risks, the auditor's responses, and the results of the auditor's 
related procedures.
     Subparagraph f. is replaced with: A schedule of 
accumulated misstatements, including a description of the nature and 
cause of each accumulated misstatement, and an evaluation of 
uncorrected misstatements, including the quantitative and qualitative 
factors the auditor considered to be relevant to the evaluation.
    AU sec. 9543, ``Part of Audit Performed by Other Independent 
Auditors: Auditing Interpretations of Section 543''
    AU sec. 9543, ``Part of Audit Performed by Other Independent 
Auditors: Auditing Interpretations of Section 543,'' as amended, is 
amended as follows:
    a. Paragraph .16 is replaced with: Interpretation--The principal 
auditor's response should ordinarily be made by the engagement partner. 
The engagement partner should take those steps that he or she considers 
reasonable under the circumstances to be informed of known matters 
pertinent to the other auditor's inquiry. For example, the engagement 
partner may inquire of engagement team members responsible for various 
aspects of the engagement or he or she may direct engagement team 
members to bring to his or her attention

[[Page 59365]]

any significant matters of which they become aware during the audit. 
The principal auditor is not required to perform any procedures 
directed toward identifying matters that would not affect his or her 
audit or his or her report.
    b. Footnote 4 to paragraph .16 is deleted.
    AU sec. 722, ``Interim Financial Information''
    SAS No. 100, ``Interim Financial Information'' (AU sec. 722, 
``Interim Financial Information''), as amended, is amended as follows:
    a. Within footnote 7 to paragraph .11, the first sentence is 
replaced with: Paragraphs 10 through 23 of Auditing Standard No. 14, 
Evaluating Audit Results, require the auditor to accumulate and 
evaluate the misstatements identified during the audit.
    b. The reference in paragraph .13 to section 319, Consideration of 
Internal Control in a Financial Statement Audit, is replaced with a 
reference to Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
    c. Within the last sentence of paragraph .16, the title of section 
329, ``Analytical Procedures,'' is replaced with the title 
``Substantive Analytical Procedures.''
    d. Footnote 20 to paragraph .26 is deleted.
    e. The reference in paragraph .56, subparagraph C5, to section 319 
is replaced with a reference to section 316.
    Auditing Standard No. 3, Audit Documentation
    Auditing Standard No. 3, Audit Documentation, as amended, is 
amended as follows:
    a. Within paragraph 3, subparagraph b. is replaced with: 
Supervisory personnel who review documentation prepared by other 
members of the engagement team.
    b. Paragraph 9A is added: Documentation of risk assessment 
procedures and responses to risks of misstatement should include (1) a 
summary of the identified risks of misstatement and the auditor's 
assessment of risks of material misstatement at the financial statement 
and assertion levels and (2) the auditor's responses to the risks of 
material misstatement, including linkage of the responses to those 
risks.
    c. Within paragraph 12:
     Within subparagraph a.:, (1) a footnote reference 2A is 
added at the end of the first sentence: See paragraphs 12-13 of 
Auditing Standard No. 12, Identifying and Assessing Risks of Material 
Misstatement, and paragraphs .66-.67 of AU sec. 316, Consideration of 
Fraud in a Financial Statement Audit. and (2) the second sentence of 
subparagraph a. is deleted.
     Subparagraph b. is replaced with: Results of auditing 
procedures that indicate a need for significant modification of planned 
auditing procedures, the existence of material misstatements (including 
omissions in the financial statements), and the existence of 
significant deficiencies or material weaknesses in internal control 
over financial reporting.
     Subparagraph c. is replaced with: Accumulated 
misstatements and evaluation of uncorrected misstatements, including 
the quantitative and qualitative factors the auditor considered to be 
relevant to the evaluation.
     Footnote 2B is added to subparagraph c.: See paragraphs 
10-23 of Auditing Standard No. 14, Evaluating Audit Results.
     Subparagraph d. is replaced with: Disagreements among 
members of the engagement team or with others consulted on the 
engagement about final conclusions reached on significant accounting or 
auditing matters, including the basis for the final resolution of those 
disagreements. If an engagement team member disagrees with the final 
conclusions reached, he or she should document that disagreement.
     Subparagraph f. is replaced with: Significant changes in 
the auditor's risk assessments, including risks that were not 
identified previously, and the modifications to audit procedures or 
additional audit procedures performed in response to those changes.
     Footnote 2C is added to subparagraph f.: See paragraph 74 
of Auditing Standard No. 12, Identifying and Assessing Risks of 
Material Misstatement, and paragraph 36 of Auditing Standard No. 14, 
Evaluating Audit Results.
     Subparagraph f-1. is added: Risks of material misstatement 
that are determined to be significant risks and the results of the 
auditing procedures performed in response to those risks.
    d. Within paragraph 19:
     Subparagraph b. is replaced with: A list of significant 
risks, the auditor's responses, and the results of the auditor's 
related procedures.
     Subparagraph f. is replaced with: A schedule of 
accumulated misstatements, including a description of the nature and 
cause of each accumulated misstatement, and an evaluation of 
uncorrected misstatements, including the quantitative and qualitative 
factors the auditor considered to be relevant to the evaluation.
    e. Paragraph 21 and the preceding heading, ``Effective Date,'' are 
deleted.
    Auditing Standard No. 4, Reporting on Whether a Previously Reported 
Material Weakness Continues to Exist
    Auditing Standard No. 4, Reporting on Whether a Previously Reported 
Material Weakness Continues to Exist, as amended, is amended as 
follows: In the first sentence of paragraph 18, the word ``competent'' 
is replaced with the word ``appropriate.''
    Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements
    Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements, is amended as follows:
    a. In the second sentence of paragraph 3, the word ``competent'' is 
replaced with the word ``appropriate.''
    b. In the first sentence of paragraph 9, the phrase ``any 
assistants'' is replaced with the phrase ``the engagement team 
members.''
    c. Within footnote 10 to paragraph 14, the reference to paragraphs 
.19-.42 of AU sec. 316, Consideration of Fraud in a Financial Statement 
Audit, is replaced with a reference to Auditing Standard No. 12, 
Identifying and Assessing Risks of Material Misstatement.
    d. The reference in paragraph 15 to AU sec. 316.44 and .45 is 
replaced with a reference to paragraphs 65-69 of Auditing Standard No. 
12, Identifying and Assessing Risks of Material Misstatement.
    e. Within footnote 11 to paragraph 20, the reference to AU sec. 
312, Audit Risk and Materiality in Conducting an Audit, is replaced 
with a reference to Auditing Standard No. 11, Consideration of 
Materiality in Planning and Performing an Audit.
    f. Within footnote 12 to paragraph 28, the reference to AU sec. 
326, Evidential Matter, is replaced with a reference to Auditing 
Standard No. 15, Audit Evidence.
    g. Within footnote 13 to the note to paragraph 31, the reference to 
AU sec. 312.39 is replaced with a reference to paragraph 14 of Auditing 
Standard No. 14, Evaluating Auditing Results. The reference to AU sec. 
316.50 is replaced with a reference to paragraph 5 of Auditing Standard 
No. 13, The Auditor's Responses to the Risks of Material Misstatement.
    h. The references in paragraph 36 to paragraphs .16-.20, .30-.32, 
and .77-.79 of AU sec. 319, Consideration of Internal Control in a 
Financial Statement Audit, are replaced with references to paragraph 29 
and

[[Page 59366]]

Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks 
of Material Misstatement.
    i. In the first sentence of paragraph 51, the word ``competent'' is 
replaced with the word ``appropriate.''
    j. In the first sentence of paragraph 89, the word ``competent'' is 
replaced with the word ``appropriate.''
    k. Within the note to paragraph C6 in Appendix C, the word 
``competent'' is replaced with the word ``appropriate.''
    Auditing Standard No. 6, Evaluating Consistency of Financial 
Statements
    Auditing Standard No. 6, Evaluating Consistency of Financial 
Statements, is amended as follows:
    a. Footnote 3 to paragraph 4 is deleted.
    b. In paragraph 10, the reference to AU sec. 431, Adequacy of 
Disclosure in Financial Statements, is replaced with a reference to 
paragraph 31 of Auditing Standard No. 14, Evaluating Audit Results.
    Auditing Standard No. 7, Engagement Quality Review
    Auditing Standard No. 7, Engagement Quality Review, is amended as 
follows:
    a. Footnote 3 to paragraph 5 is replaced with: The term 
``engagement partner'' has the same meaning as the ``practitioner-in-
charge of an engagement'' in PCAOB interim quality control standard QC 
sec. 40, The Personnel Management Element of a Firm's System of Quality 
Control-Competencies Required by a Practitioner-in-Charge of an Attest 
Engagement. QC sec. 40 describes the competencies required of a 
practitioner-in-charge of an attest engagement.
    b. In paragraph 10, the note following subparagraph b. is replaced 
with: Note: A significant risk is a risk of material misstatement that 
requires special audit consideration.

Ethics Standards

    ET sec. 102, ``Integrity and Objectivity''
    ET sec. 102, ``Integrity and Objectivity,'' is amended as follows: 
Footnote 1 to paragraph .05 is replaced with: See paragraph 5.b. of 
Auditing Standard No. 10, Supervision of the Audit Engagement, and 
paragraph 12.d. of Auditing Standard No. 3, Audit Documentation.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rules and 
discussed any comments it received on the proposed rules. The text of 
these statements may be examined at the places specified in Item IV 
below. The Board has prepared summaries, set forth in sections A, B, 
and C below, of the most significant aspects of such statements.

A. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

(a) Purpose
    Section 103(a) of the Act directs the Board, by rule, to establish, 
among other things, ``auditing and related attestation standards * * * 
to be used by registered public accounting firms in the preparation and 
issuance of audit reports, as required by th[e] Act or the rules of the 
Commission, or as may be necessary or appropriate in the public 
interest or for the protection of investors.'' As discussed more fully 
in Exhibit 3, the Board adopted eight auditing standards and related 
amendments that benefit investors by establishing requirements that 
enhance the effectiveness of the auditor's assessment of and response 
to the risks of material misstatement in an audit.
    In an audit performed in accordance with PCAOB standards, risk 
underlies the entire audit process, including the procedures that the 
auditor performs to support the opinion expressed in the auditor's 
report. Most of the Board's interim auditing standards relating to 
assessing and responding to risk in an audit of financial statements 
were developed in the 1980s.\154\ Those standards described in general 
terms the auditor's responsibilities for assessing and responding to 
risk. They directed auditors to vary the amount of audit attention 
related to particular financial statement accounts based on the risks 
presented by them. The standards also allowed the auditor to use tests 
of controls to reduce substantive testing.\155\
---------------------------------------------------------------------------

    \154\ Examples of those standards include AU sec. 312, Audit 
Risk and Materiality in Conducting an Audit, and AU sec. 319, 
Consideration of Internal Control in a Financial Statement Audit.
    \155\ AU sec. 319.
---------------------------------------------------------------------------

    A number of factors and events led the Board to reexamine those 
standards and seek to improve them. These included the widespread use 
of risk-based audit methodologies; recommendations to the profession on 
ways in which auditors could improve risk assessment; \156\ advice from 
the Board's Standing Advisory Group (``SAG''); \157\ adoption of 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements; and 
observations from the Board's oversight activities.
---------------------------------------------------------------------------

    \156\ See, e.g., Public Oversight Board, Panel on Audit 
Effectiveness (``PAE''), Report and Recommendations (August 31, 
2000). For a summary of the PAE's recommendations related to risk 
assessment, see PCAOB Standing Advisory Group (``SAG'') Meeting 
Briefing Paper, ``Risk Assessment in Financial Statement Audits'' 
(February 16, 2005), Appendix A, available at: http://
www.pcaobus.org/News_and_Events/Events/2005/02-16.aspx.
    \157\ Webcasts of SAG meetings are available on the Board's Web 
site at: http://www.pcaobus.org/News_and_Events/Webcasts.
---------------------------------------------------------------------------

    On October 21, 2008, the Board proposed a set of auditing standards 
to update the requirements for assessing and responding to risk in an 
audit (``the original proposed standards'').\158\ The original proposed 
standards were intended to improve the auditing standards and to 
benefit investors by establishing requirements that enhance the 
effectiveness of auditors' assessment of and response to risk through:
---------------------------------------------------------------------------

    \158\ PCAOB Release No. 2008-006, Proposed Auditing Standards 
Related to the Auditor's Assessment of and Response to Risk (October 
21, 2008).

 Performing procedures that provide a reasonable basis for 
identifying and assessing risks of material misstatement, whether due 
to error or fraud
 Tailoring the audit to respond appropriately to the risks of 
material misstatement
 Making a comprehensive evaluation of the evidence obtained 
during the audit to form the opinion(s) in the auditor's report

    The Board also sought to emphasize the auditor's responsibilities 
for consideration of fraud by incorporating requirements for 
identifying and responding to the risks of material misstatement due to 
fraud (``fraud risks'') and evaluating audit results from the existing 
PCAOB standard, AU sec. 316, Consideration of Fraud in a Financial 
Statement Audit.\159\ Incorporating these requirements makes clear that 
the auditor's responsibilities for assessing and responding to fraud 
risks are an integral part of the audit process rather than a separate, 
parallel process. It also benefits investors by prompting auditors to 
make a more thoughtful and thorough assessment of fraud risks and to 
develop appropriate audit responses.
---------------------------------------------------------------------------

    \159\ Paragraphs .14-.51 and paragraphs .68-.78 of AU sec. 316, 
Consideration of Fraud in a Financial Statement Audit.
---------------------------------------------------------------------------

    Improvements in the standards related to risk assessment also 
should enhance integration of the audit of financial statements with 
the audit of internal control over financial reporting (``audit of 
internal control'') by articulating a process for identifying and 
assessing risks of material misstatement that applies to both portions 
of the

[[Page 59367]]

integrated audit when the auditor is performing an integrated audit.
    The proposed rules also amend the Board's interim standards 
including superseding the following sections of PCAOB interim auditing 
standards:

 AU sec. 311, Planning and Supervision
 AU sec. 312, Audit Risk and Materiality in Conducting an Audit
 AU sec. 313, Substantive Tests Prior to the Balance Sheet Date
 AU sec. 319, Consideration of Internal Control in a Financial 
Statement Audit
 AU sec. 326, Evidential Matter
 AU sec. 431, Adequacy of Disclosure in Financial Statements

    Similarly, the auditing interpretations of AU secs. 311, 312, and 
350 have been incorporated into the risk assessment standards and thus 
are superseded. The auditing interpretations of AU sec. 326, except for 
Interpretation No. 2 (AU secs. 9326.06-.23), also are superseded.\160\
---------------------------------------------------------------------------

    \160\ Interpretation No. 2 relates in part to AU sec. 336 and AU 
sec. 337, Inquiry of a Client's Lawyer Concerning Litigation, 
Claims, and Assessments, and it will be evaluated in connection with 
standards-setting projects related to those standards.
---------------------------------------------------------------------------

(b) Statutory Basis
    The statutory basis for the proposed rules is Title I of the Act.

B. Board's Statement on Burden on Competition

    The Board does not believe that the proposed rule changes will 
result in any burden on competition that is not necessary or 
appropriate in furtherance of the purposes of the Act. The proposed 
rule changes would apply equally to all registered public accounting 
firms conducting audits in accordance with PCAOB standards.

C. Board's Statement on Comments on the Proposed Rules Received From 
Members, Participants or Others

    The Board released the proposed rules for public comment in PCAOB 
Release No. 2008-006 (October 21, 2008). The Board received 33 written 
comments. The Board considered these comments and made changes to the 
initial proposed rules. As a result, the Board again sought public 
comment in PCOAB Release No. 2009-007 (December 21, 2009). The Board 
received 23 written comment letters relating to its reproposal of the 
proposed rules. A copy of PCAOB Release Nos. 2008-006 and 2009-007 and 
the comment letters received in response to the PCAOB's request for 
comment in both releases are available on the PCAOB's Web site at 
http://www.pcaobus.org.
    The Board has carefully considered all comments it has received. In 
response to the written comments received on both the initial and 
reproposal of the proposed rules, the Board has clarified and modified 
certain aspects of the proposed rules, as discussed below.
Overview of the Risk Assessment Standards
    Many commenters on the original proposed standards were supportive 
of the Board's efforts to update its risk assessment requirements and 
offered numerous suggestions for changing the original proposed 
standards. After considering all of the comments received on those 
standards, the Board made numerous refinements to the original proposed 
standards. Because the standards address many fundamental aspects of 
the audit process and are expected to serve as a foundation for future 
standards-setting, the Board reproposed the standards for public 
comment on December 17, 2009 (``the reproposed standards'').\161\
---------------------------------------------------------------------------

    \161\ PCAOB Release No. 2009-007, Proposed Auditing Standards 
Related to the Auditor's Assessment of and Response to Risk 
(December 17, 2009).
---------------------------------------------------------------------------

    The Board received 23 comment letters on the reproposed 
standards.\162\ The Board discussed the comments received with the SAG 
on April 8, 2010.\163\ Most commenters were generally supportive of the 
reproposed standards and the improvements made to those standards. Many 
commenters also offered suggestions to improve the standards, which the 
Board has carefully analyzed.
---------------------------------------------------------------------------

    \162\ Comments on the original proposed standards and the 
reproposed standards are available on the Board's Web site at: 
http://www.pcaobus.org/Rules/Rulemaking/Pages/Docket026.aspx.
    \163\ A transcript of the portion of the meeting that related to 
the reproposed standards is available on the Board's Web site at: 
http://www.pcaobus.org/Rules/Rulemaking/Pages/Docket026.aspx.
---------------------------------------------------------------------------

    After consideration of the comments received, the Board has refined 
the standards to provide additional clarity. The Board has decided to 
adopt the following standards for assessing and responding to risk in 
an audit and the related amendments to PCAOB standards:

 Auditing Standard No. 8, Audit Risk
 Auditing Standard No. 9, Audit Planning
 Auditing Standard No. 10, Supervision of the Audit Engagement
 Auditing Standard No. 11, Consideration of Materiality in 
Planning and Performing an Audit
 Auditing Standard No. 12, Identifying and Assessing Risks of 
Material Misstatement
 Auditing Standard No. 13, The Auditor's Responses to the Risks 
of Material Misstatement
 Auditing Standard No. 14, Evaluating Audit Results
 Auditing Standard No. 15, Audit Evidence
1. Notable Areas of Change in the Standards
    The changes made to the reproposed standards reflect refinements 
rather than significant shifts in approach. This section describes the 
areas of change to the reproposed standards that are most notable, 
e.g., because they affect multiple standards or multiple sections of an 
individual standard. This Release discusses these and other changes in 
more detail.
a. Planning and Supervision Standards
    The reproposed standards included a standard covering both audit 
planning and supervision. Some commenters observed that audit planning 
and supervision should be covered in separate standards.
    Audit planning and supervision, although related in some respects, 
are distinct activities that should be presented in separate standards. 
Accordingly, the Board has divided the planning and supervision 
standard into separate standards for planning and for supervision. 
Presenting the requirements for planning and supervision in separate 
standards is a technical change that, by itself, does not affect the 
auditor's responsibilities for planning the audit or supervision of the 
work of engagement team members as described in the reproposed 
standards.
b. Requirements for Multi-Location Audits
    The reproposed standard on audit planning and supervision included 
requirements regarding establishing the scope of testing of individual 
locations in multi-location engagements. The reproposed standard on 
consideration of materiality in planning and performing an audit 
included requirements for determining materiality of individual 
locations in multi-location audits. Some commenters requested 
clarification on the Board's expectations regarding how to apply those 
requirements in audits in which part of the work is performed by other 
auditors, specifically, auditors of financial statements of individual 
locations or business units that are included in the consolidated 
financial statements.
    The multi-location requirements have been revised to take into 
account situations in which part of the work is

[[Page 59368]]

performed by other auditors.\164\ This release discusses those 
revisions in more detail and explains the Board's expectations 
regarding how to apply the respective requirements in situations 
involving other auditors.
---------------------------------------------------------------------------

    \164\ Paragraphs 11-14 of Auditing Standard No. 9, Audit 
Planning, and paragraph 10 of Auditing Standard No. 11, 
Consideration of Materiality in Planning and Performing an Audit.
---------------------------------------------------------------------------

    The reproposed standard on audit planning and supervision also 
included a statement, similar to a statement in Auditing Standard No. 
5, that ``The direction in paragraph 5 of Proposed Auditing Standard, 
The Auditor's Responses to the Risks of Material Misstatement, 
regarding incorporating an element of unpredictability in the auditing 
procedures means that the auditor should vary the nature, timing, and 
extent of audit procedures at locations or business units from year to 
year.'' Some commenters stated that the statement in the reproposed 
audit planning and supervision standard was unnecessarily prescriptive. 
After considering the comments received, the requirement regarding 
unpredictability was removed from the audit planning standard, and the 
discussion in Auditing Standard No. 13 regarding incorporating an 
element of unpredictability was expanded to include varying the testing 
in the selected locations.\165\ However, this does not change the 
requirements in Auditing Standard No. 5 regarding incorporating 
unpredictability in testing controls at individual locations in audits 
of internal control.\166\
---------------------------------------------------------------------------

    \165\ Paragraph 5 of Auditing Standard No. 13, The Auditor's 
Responses to the Risks of Material Misstatement.
    \166\ Paragraphs 61 and B13 of Auditing Standard No. 5.
---------------------------------------------------------------------------

c. Requirement for Performing Walkthroughs
    In the original proposed standards, the standard on identifying and 
assessing risks of material misstatement referred auditors to Auditing 
Standard No. 5 for a discussion of the performance of walkthroughs. 
Some commenters on the original proposed standards stated that the 
proposed standard should include a discussion of walkthroughs rather 
than referring to Auditing Standard No. 5. The reproposed standard on 
identifying and assessing risks of material misstatement included a 
discussion of the objectives for understanding likely sources of 
potential misstatements and of performing walkthroughs, which 
paralleled a discussion in Auditing Standard No. 5.\167\ Some 
commenters expressed concerns that those new requirements would lead to 
unnecessary walkthroughs, particularly in audits of financial 
statements only.
---------------------------------------------------------------------------

    \167\ Paragraph 34 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    The intention of including the discussion of walkthroughs was to 
describe how to perform walkthroughs, not to impose additional 
requirements regarding when to perform walkthroughs. The discussion has 
been revised to focus on how the auditor should perform walkthroughs, 
and the discussion of the objectives for understanding likely sources 
of potential misstatements has been removed.\168\ Consequently, the 
objectives in paragraph 34 of Auditing Standard No. 5 for understanding 
potential sources of likely misstatement will continue to apply only to 
integrated audits.
---------------------------------------------------------------------------

    \168\ Paragraphs 37-38 of Auditing Standard No. 12, Identifying 
and Assessing Risks of Material Misstatement.
---------------------------------------------------------------------------

d. Requirements Regarding Financial Statement Disclosures
    Because of the importance of disclosures to the fair presentation 
of financial statements and based on observations from the Board's 
oversight activities, the reproposed standards included additional 
requirements intended to increase the auditor's attention on the 
disclosures in the financial statements. For example, the reproposed 
standard on identifying and assessing risks of material misstatement 
included a new requirement related to developing an expectation about 
the necessary financial statement disclosures as part of obtaining an 
understanding of the company and its environment. Some commenters 
stated that the requirements should be clarified as applying to 
disclosures required by the applicable financial reporting framework. 
Also, the reproposed standard on evaluating audit results included 
expanded requirements for the auditor to evaluate whether the financial 
statements include the required disclosures. Some commenters stated 
that the standard should clarify that the requirements apply only to 
material disclosures.
    After analyzing the comments, those two requirements have been 
revised to clarify that they refer to the fair presentation of the 
financial statements in conformity with the applicable financial 
reporting framework.\169\
---------------------------------------------------------------------------

    \169\ Paragraph 13 of Auditing Standard No. 12 and paragraph 31 
of Auditing Standard No. 14, Evaluating Audit Results.
---------------------------------------------------------------------------

2. Discussion of Comments That Relate to Many of the Reproposed 
Standards
    The following paragraphs discuss matters raised by commenters that 
relate to many of the reproposed standards. Section II.C.13 of this 
release contains a discussion of other topics raised by commenters on 
matters other than the risk assessment standards or the related 
amendments.
a. Consideration of Fraud in the Audit
    Section I of the Board's adopting release discusses the Board's 
objectives regarding incorporating into its risk assessment standards 
the requirements for identifying and responding to risks of material 
misstatement due to fraud (``fraud risks'') and evaluating audit 
results from AU sec. 316, Consideration of Fraud in a Financial 
Statement Audit.\170\
---------------------------------------------------------------------------

    \170\ The risk assessment standards incorporate paragraphs 
.14-.51 and .68-.78 of AU sec. 316. Accordingly, those paragraphs 
are removed from AU sec. 316 by means of a related amendment.
---------------------------------------------------------------------------

    The number of comments received on this approach to incorporate the 
requirements from AU sec. 316 declined significantly from the original 
proposed standards.\171\ The views of commenters continue to be mixed. 
One commenter supported the approach, and two commenters expressed 
concerns about the approach.
---------------------------------------------------------------------------

    \171\ As discussed in Section I, the risk assessment standards 
were originally proposed on October 21, 2008. See PCAOB Release No. 
2008-006, Proposed Auditing Standards Related to the Auditor's 
Assessment of and Response to Risk.
---------------------------------------------------------------------------

    The risk assessment standards continue to include relevant 
requirements from AU sec. 316. The Board has observed from its 
oversight activities instances in which auditors have performed the 
procedures required in AU sec. 316 mechanically, without using the 
procedures to develop insights on fraud risk or to modify the audit 
plan to address that risk. The Board also has observed instances in 
which firms have failed to respond appropriately to identified fraud 
risks.
    These observations suggest that some auditors may improperly view 
the consideration of fraud as an isolated, mechanical process rather 
than an integral part of audits under PCAOB standards. Integrating the 
requirements from AU sec. 316 into the risk assessment standards 
emphasizes to auditors that assessing and responding to fraud risks is 
an integral part of an audit in accordance with PCAOB standards, rather 
than a separate consideration. Such integration also should prompt 
auditors to make a more thoughtful and thorough assessment of the risks 
affecting the financial

[[Page 59369]]

statements, including fraud risks, and to develop appropriate audit 
responses. Furthermore, AU sec. 316, as amended, will continue to 
provide relevant information on determining the necessary procedures 
for considering fraud in a financial statement audit. (See section 
II.C.11.F.(ii). of this release for more discussion about AU sec. 316.)
b. Organization and Style of Standards (Including the Use of Notes and 
Appendices)
    In response to comments on the original proposed standards, the 
Board presented the reproposed standards using an organization and 
style that is intended to be a template for future standards of the 
Board. The organization and style includes an objective for each 
standard, which provides additional context for understanding the 
requirements in the standard, and a separate appendix for definitions 
of terms used in each standard.
    Commenters generally supported the organization and style of the 
reproposed standards, and some commenters suggested that existing PCAOB 
standards be revised to implement this organization and style. As 
stated in the release accompanying the reproposed standards, the 
organization and style used in the reproposed standards draws from 
previously issued standards of the Board, e.g., Auditing Standard No. 
7, Engagement Quality Review. Also, the Board will apply this template 
in the course of its other standards-setting activities.
    Commenters expressed concerns about including requirements in 
appendices and notes to the standard. Consistent with standards 
previously issued by the Board, the notes and appendices in the risk 
assessment standards are integral parts of the standards and carry the 
same authoritative weight as the other portions of the standards.
c. Use of Terms
    PCAOB Rule 3101, Certain Terms Used in Auditing and Related 
Professional Practice Standards, sets forth the terminology that the 
Board uses to describe the degree of responsibility that the auditing 
and related professional practice standards impose on auditors. The 
original proposed standards used terms in the requirements in a manner 
that was consistent with Rule 3101.
    Some comments received on the original proposed standards suggested 
revisions to the terms used in the requirements or asked for 
clarification about certain terms or phrases, e.g., ``take into 
account.'' The reproposed standards reflected numerous revisions to the 
terms used in the standards, and the risk assessment standards reflect 
further refinements. For example, the standards use ``should consider'' 
only when referring to a requirement to consider performing an action 
or procedure, which is consistent with Rule 3101.
    As explained in the release accompanying the reproposed standards, 
the phrase ``take into account'' has been used previously in PCAOB 
standards in reference to information or matters that the auditor 
should think about or give attention to in performing an audit 
procedure or reaching a conclusion.\172\ Accordingly, the results of 
the auditor's thinking on the relevant matters should be reflected in 
the performance and documentation of the respective audit procedure 
performed or conclusion reached. The accompanying standards continue to 
use ``take into account'' in the same way.
---------------------------------------------------------------------------

    \172\ AU sec. 316.45 and paragraphs 14, 44, 59, and B 12 of 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
---------------------------------------------------------------------------

    Some commenters asked about the meaning of certain terms, e.g., 
``assess,'' ``evaluate,'' or ``determine.'' Those commenters also 
stated that the Board should use those terms consistently throughout 
its standards. The Board has reviewed the use of each of those terms 
and has revised the standards as necessary to apply those terms more 
consistently. Subsequent sections of this release discuss specific 
revisions to the individual standards.
    One commenter expressed concerns about statements that involve the 
use of present tense in the reproposed standards. As with standards 
that the Board previously issued, the present tense is used in the risk 
assessment standards for statements that are factual or definitional, 
e.g., to provide additional explanation of a required auditing 
procedure.\173\ Subsequent sections of this release discuss specific 
instances of the use of present tense in the risk assessment standards.
---------------------------------------------------------------------------

    \173\ See, e.g., paragraph 21 of Auditing Standard No. 5 for an 
example of the use of the present tense for this purpose.
---------------------------------------------------------------------------

d. Requirements and the Application of Judgment
    Some commenters on the original proposed standards stated that the 
original proposed standards contained requirements that were ``too 
prescriptive,'' limiting the auditor's ability to ``use professional 
judgment or scale the audit,'' e.g., because of the number of 
requirements in the standards and because the standards did not 
explicitly refer to professional judgment in the requirements. In the 
release accompanying the reproposed standards, the Board discussed the 
importance of professional judgment in fulfilling the requirements of 
the standards. After examining each requirement, the Board revised 
certain provisions in the reproposed standards to streamline the 
presentation of those requirements.
    Although the Board received fewer comments on the reproposed 
standard related to this topic, two commenters continue to express 
concerns about whether the reproposed standards made adequate allowance 
for the auditor to use professional judgment in assessing and 
responding to risk in an audit.
    PCAOB standards recognize that the auditor uses judgment in 
planning and performing audit procedures and evaluating the evidence 
obtained from those procedures.\174\ As under other PCAOB standards, 
auditors need to exercise judgment in fulfilling the requirements of 
the risk assessment standards in the particular circumstances. Making 
references to judgment in selected portions of the standards, however, 
could be misinterpreted as indicating that judgment is required only in 
certain aspects of the audit. Instead of referring to judgment 
selectively, the risk assessment standards set forth principles for 
meeting the requirements of the standards and allow the auditor to 
determine the most appropriate way to comply with the requirements in 
the circumstances.
---------------------------------------------------------------------------

    \174\ See, e.g., paragraph .11 of AU sec. 230, Due Professional 
Care in the Performance of Work.
---------------------------------------------------------------------------

3. Auditing Standard No. 8--Audit Risk

a. Background
    Auditing Standard No. 8 discusses audit risk and the relationships 
among the various components of audit risk in an audit of financial 
statements. The standard applies to integrated audits and to audits of 
financial statements only.
b. Objective
    The reproposed standard stated that the objective of the auditor is 
to conduct the audit of financial statements in a manner that reduces 
audit risk to an appropriately low level. This objective provided 
important context for understanding how the concept of audit risk is 
applied in an audit.
    One commenter observed that the reproposed standards sometimes used 
the phrase, ``appropriately low level'' and occasionally used the 
phrase ``acceptably low level,'' and that

[[Page 59370]]

commenter suggested revising the standards to use ``acceptably low 
level'' in each instance. The Board continues to believe the term 
``appropriately low level'' is more suitable because it is aligned more 
closely with the degree of assurance described in the auditor's 
opinion, i.e., the auditor conducts the audit to reduce audit risk to 
an appropriately low level in order to express an opinion with 
reasonable assurance. In contrast, the term ``acceptably low'' is less 
clear and could be misinterpreted. The risk assessment standards have 
been revised to use the phrase ``appropriately low level,'' as 
applicable.
c. Due Professional Care and Sufficient Appropriate Audit Evidence
    The reproposed standard stated that, to form an appropriate basis 
for expressing an opinion on the financial statements, the auditor must 
plan and perform the audit to obtain reasonable assurance about whether 
the financial statements are free of material misstatement due to error 
or fraud. It also stated that reasonable assurance is obtained by 
reducing audit risk to an appropriately low level through applying due 
professional care, including obtaining sufficient appropriate audit 
evidence.\175\
---------------------------------------------------------------------------

    \175\ Paragraph 3 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    A commenter suggested that due professional care is a 
responsibility throughout the audit, similar to professional skepticism 
and judgment, and need not be repeated throughout the Board's 
standards. The Board agrees that due professional care is a 
responsibility throughout the audit. On the other hand, existing PCAOB 
standards state that due professional care allows the auditor to obtain 
reasonable assurance,\176\ and the statement in Auditing Standard No. 8 
acknowledges that principle.
---------------------------------------------------------------------------

    \176\ AU sec. 230.10.
---------------------------------------------------------------------------

d. Audit Risk and Risk of Material Misstatement
    Some commenters on the original proposed standard requested more 
explanation about risks at the overall financial statement level, e.g., 
by providing examples of such risks. The reproposed standard elaborated 
further on risks at the financial statement level.\177\
---------------------------------------------------------------------------

    \177\ Paragraph 6 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    Commenters on the reproposed standard asked for more explanation 
regarding how financial statement level risks can result in material 
misstatement of the financial statements. The examples of financial 
statement level risks in Auditing Standard No. 8 have been expanded to 
illustrate how those risks can result in material misstatement of the 
financial statements.\178\
---------------------------------------------------------------------------

    \178\ Ibid.
---------------------------------------------------------------------------

    Some individual commenters offered suggestions for refining or 
clarifying the discussion of the risk of material misstatement and its 
components. For example, one commenter suggested that the description 
of the risk of material misstatement should state that the risk exists 
``prior to the audit'' to more clearly indicate that it is the 
company's risk. The Board agrees that the risk of material misstatement 
exists irrespective of the audit, while the risk of not detecting 
material misstatement is the auditor's risk. However, the suggested 
phrase could be misinterpreted, e.g., as implying that the auditor need 
not consider the risk of misstatements occurring during the audit.
    The reproposed standard included a statement that inherent risk and 
control risk are the company's risks; they exist independently of the 
audit. One commenter suggested that the statement was not informative 
and suggested revising the standard to state that inherent risk and 
control risk are functions of the company's characteristics, but 
influence the auditor's actions. The Board agrees that more discussion 
of the auditor's consideration of inherent risk and control risk is 
appropriate. Thus, Auditing Standard No. 8 has been expanded to discuss 
the sources of evidence the auditor uses when assessing inherent risk 
and control risk.\179\ Also, the description of control risk in 
Auditing Standard No. 8 has been aligned with the discussion of 
internal control concepts in Auditing Standard No. 5.
---------------------------------------------------------------------------

    \179\ Paragraph 8 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    One commenter expressed a concern that descriptions of inherent 
risk, control risk, and detection risk that included the phrase ``that 
could be material, individually or in combination with other 
misstatements,'' may be misinterpreted by the auditor as a requirement 
to consider whether the combination of dissimilar risks will result in 
a material misstatement. The commenter suggested changing 
``combination'' to ``aggregate.'' However, the standard does not 
discuss the combination of risks but, rather, the risk of a 
misstatement that could be material, individually or in combination 
with other misstatements, which is consistent with the description of 
the auditor's evaluation of uncorrected misstatements in Auditing 
Standard No. 14, Evaluating Audit Results. Thus, the term 
``combination'' was retained as proposed.
e. Detection Risk
    The reproposed standard indicated that detection risk is reduced by 
performing substantive procedures. Some commenters stated that the 
discussion of detection risk should be modified to indicate that 
auditors can reduce detection risk through procedures other than 
substantive procedures (e.g., risk assessment procedures and tests of 
controls). A commenter also suggested changing the sentence in the 
standard to refer to ``audit procedures'' instead of ``substantive 
procedures.''
    The Board acknowledges that auditors might obtain evidence of 
misstatements through procedures other than substantive procedures. 
However, that does not diminish the auditor's responsibility to plan 
and perform substantive procedures for significant accounts and 
disclosures that are sufficient to provide reasonable assurance of 
detecting misstatements that would result in material misstatement of 
the financial statements. Changing ``substantive procedures'' to 
``audit procedures,'' as suggested by the commenter, is not consistent 
with AU sec. 319, Consideration of Internal Control in a Financial 
Statement Audit, and could be misunderstood by auditors, resulting in 
inadequate substantive procedures.\180\ To provide further 
clarification, Auditing Standard No. 8 has been revised to describe the 
role of risk assessment procedures and tests of controls in assessing 
the risk of material misstatement, which, in turn, affects the 
appropriate level of detection risk.\181\
---------------------------------------------------------------------------

    \180\ AU secs. 319.81-.82. AU sec. 319, along with AU sec. 311, 
Planning and Supervision, AU sec. 312, Audit Risk and Materiality in 
Conducting an Audit, AU sec. 313, Substantive Tests Prior to the 
Balance Sheet Date, AU sec. 326, Evidential Matter, and AU sec. 431, 
Adequacy of Disclosure in Financial Statements, are superseded by 
the risk assessment standards.
    \181\ Paragraphs 8-9 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    Some commenters expressed concerns that the reproposed standard did 
not adequately link the concepts of inherent risk and control risk to 
detection risk. They stated that a discussion on the relationship of 
these concepts is necessary for the auditor to determine the acceptable 
level of detection risk for the financial statement assertions, which, 
in turn, is used to determine the nature, timing, and extent of 
substantive procedures. The following discussion, which is adapted from 
AU sec. 319, was added to paragraph 10 of Auditing

[[Page 59371]]

Standard No. 8: ``The auditor uses the assessed risk of material 
misstatement to determine the appropriate level of detection risk for a 
financial statement assertion. The higher the risk of material 
misstatement, the lower the level of detection risk needs to be in 
order to reduce audit risk to an appropriately low level.'' \182\
---------------------------------------------------------------------------

    \182\ Paragraph 10 of Auditing Standard No. 8.
---------------------------------------------------------------------------

f. Integrated Audit Considerations
    Auditing Standard No. 8 applies both to audits of financial 
statements only and to the financial statement audit portion of 
integrated audits. Audit risk in the audit of financial statements 
relates to whether the auditor expresses an inappropriate audit opinion 
when the financial statements are materially misstated, while audit 
risk in an audit of internal control over financial reporting (``audit 
of internal control'') relates to whether the auditor expresses an 
inappropriate audit opinion when one or more material weaknesses exist. 
The two forms of audit risk are related, however, and Auditing Standard 
No. 12, Identifying and Assessing Risks of Material Misstatement, 
indicates that the risk assessment procedures apply to both the audit 
of financial statements and the audit of internal control.
    Some commenters suggested revisions to the first paragraph and the 
first footnote of the reproposed standard to clarify how the concepts 
of audit risk in this standard apply to audits of financial statements 
only and to integrated audits. The first paragraph has been revised to 
indicate that Auditing Standard No. 8 applies to either an audit of 
financial statements only or to an integrated audit. The first footnote 
also has been revised to clarify that, in integrated audits, the risks 
of material misstatement are the same for both the audit of financial 
statements and the audit of internal control.

4. Auditing Standard No. 9--Audit Planning

a. Background
    Auditing Standard No. 9 describes the auditor's responsibilities 
for planning an integrated audit or an audit of financial statements 
only.
b. Planning and Supervision
    The original proposed standard and the reproposed standard 
discussed both audit planning and supervision, similar to AU sec. 311. 
Some commenters observed that audit planning and supervision should be 
covered in separate standards.
    The Board agrees that audit planning and supervision of engagement 
team members are distinct activities that should be covered in separate 
standards. Accordingly, the Board has divided the requirements of the 
reproposed planning and supervision standard into separate standards. 
Dividing the requirements for planning and supervision into separate 
standards does not affect the auditor's responsibilities for planning 
the audit or supervising the work of engagement team members.
c. Responsibilities of the Engagement Partner
    AU sec. 311 stated, ``The auditor with final responsibility for the 
audit may delegate portions of the planning and supervision of the 
audit to other firm personnel.'' Auditing Standard No. 9 uses the term 
``engagement partner'' instead of ``auditor with final responsibility 
for the audit'' and states more directly that the engagement partner is 
responsible for properly planning the audit. The standard also allows 
the engagement partner to seek assistance from appropriate engagement 
team members in fulfilling his or her planning responsibilities. 
Because the requirements in Auditing Standard No. 9 apply to the 
engagement partner and engagement team members who assist the 
engagement partner in planning the audit, the standard uses the term 
``auditor,'' and a footnote was added to clarify that the requirements 
in the standard apply to the engagement partner and other engagement 
team members who participate in planning the audit.
d. Preliminary Engagement Activities
    The reproposed standard included a note in paragraph 6 stating that 
the decision regarding continuance of the client relationship and the 
determination of compliance with independence and ethics requirements 
were not limited to preliminary engagement activities and should be 
reevaluated with changes in circumstances. One commenter expressed 
concern that the note did not describe the changes in circumstances for 
which it would be appropriate for the auditor to reevaluate these 
decisions. The acceptance and continuance of the client relationship 
are discussed in QC sec. 20, System of Quality Control for a CPA Firm's 
Accounting and Auditing Practice. Other PCAOB standards discuss certain 
circumstances that warrant reevaluating the client relationship.\183\ 
Auditors also may reevaluate their engagement acceptance decision for 
other reasons. However, because auditors must comply with independence 
and ethics requirements throughout the audit, the note was moved in 
Auditing Standard No. 9 to modify paragraph 6.b. and revised to state 
that determination of compliance with independence and ethics 
requirements is not limited to preliminary engagement activities and 
should be reevaluated upon changes in circumstances.
---------------------------------------------------------------------------

    \183\ See, e.g., paragraphs .18-.21 of AU sec. 317, Illegal Acts 
by Clients.
---------------------------------------------------------------------------

e. Planning Activities
    The reproposed standard stated that, as part of establishing the 
audit strategy and audit plan, the auditor should evaluate whether 
certain matters specified in the standard are important to the 
company's financial statements and internal control over financial 
reporting (``internal control'') and, if so, how those matters would 
affect the auditor's procedures. The requirement in the reproposed 
standard was the same as in paragraph 9 of Auditing Standard No. 5, 
thus extending its application to an audit of financial statements.
    Evaluation of the matters listed in paragraph 7 of Auditing 
Standard No. 9 can lead auditors to develop more effective audit 
strategies and audit plans. For example, evaluation of those matters 
can highlight areas that might warrant additional attention during the 
auditor's risk assessment procedures, which, in turn, could affect the 
audit procedures performed in response to the risks of material 
misstatement. Also, evaluation of the internal control related matters 
can help the auditor develop an appropriate audit strategy, e.g., in 
determining accounts for which reliance on controls might be 
appropriate in the audit of financial statements.
    Some commenters suggested changes to the requirement, including 
deleting some of the matters discussed in the requirement, moving other 
matters elsewhere within the standard, or making specific revisions to 
the language of the standard. Also, some commenters suggested using 
``should consider'' instead of ``should evaluate.''
    The Board considered the suggested changes to the standard and 
determined that those changes would not substantially improve the 
standard. Also, it is important for the language in this requirement to 
be identical to the language in Auditing Standard No. 5 to emphasize 
that this required procedure is to be performed only once in an 
integrated audit, with the results of the procedure to be applied in 
planning both the financial statement audit and the audit of internal 
control. Also, reframing the requirement from ``should evaluate'' to 
``should consider'' would

[[Page 59372]]

weaken the requirement. Therefore, Auditing Standard No. 9 retains the 
wording from the reproposed standard.
f. Audit Strategy and Audit Plan
    Auditing Standard No. 9 requires the auditor to take into account 
certain matters when establishing the overall audit strategy, including 
the reporting objectives of the engagement and the nature of the 
communications required by PCAOB standards; the factors that are 
significant in directing the activities of the engagement team; the 
results of preliminary engagement activities and the auditor's 
evaluation of certain important matters; and the nature, timing, and 
extent of resources necessary to perform the engagement.\184\ These 
matters generally relate to information that auditors obtain through 
other required procedures. One commenter suggested that this 
requirement should discuss the need for specialists. Auditing Standard 
No. 9 was revised to include a reference to paragraph 16 regarding the 
requirement for the auditor to determine whether specialized skill or 
knowledge is needed to perform the engagement.
---------------------------------------------------------------------------

    \184\ Paragraph 9 of Auditing Standard No. 9.
---------------------------------------------------------------------------

    The reproposed standard required the auditor to develop and 
document an audit plan that includes the planned nature, timing, and 
extent of the risk assessment procedures. One commenter suggested that 
it was unnecessary to document the timing of the risk assessment 
procedures because risk assessment is an ongoing process that occurs 
throughout the execution of the audit. Auditing Standard No. 9 retains 
the requirement to document the timing of the risk assessment 
procedures. Identifying and appropriately assessing the risks of 
material misstatement provide a basis for designing and implementing 
responses to the risks of material misstatement, so the timing of the 
risk assessment procedures is important to determine the timing of 
other audit procedures.
    The reproposed standard also required the auditor to develop and 
document the planned nature, timing, and extent of tests of controls 
and substantive procedures. One commenter suggested that the 
requirement should specify that the audit plan include planned tests at 
the ``relevant assertion level.'' Auditing Standard No. 9 retains the 
requirement as reproposed. Audit procedures are not performed only at 
the assertion level, e.g., certain general audit procedures and tests 
of certain entity-level controls in the audit of internal control over 
financial reporting. Therefore, it is not appropriate to update the 
standard with the suggested language.
g. Requirements for Multi-Location Engagements
    Auditing Standard No. 9 establishes requirements that apply to 
audits of companies with operations in multiple locations or business 
units. Auditing Standard No. 9 requires the auditor to determine the 
extent to which audit procedures should be performed at selected 
locations or business units to obtain sufficient appropriate evidence 
to obtain reasonable assurance about whether the consolidated financial 
statements are free of material misstatement. This includes determining 
the locations or business units at which to perform audit procedures, 
as well as the nature, timing, and extent of the procedures to be 
performed at those individual locations or business units. The auditor 
is required to assess the risks of material misstatement to the 
consolidated financial statements associated with the location or 
business unit and correlate the amount of audit attention devoted to 
the location or business unit with the degree of risk of material 
misstatement associated with that location or business unit. Auditing 
Standard No. 9 also lists factors that are relevant to the assessment 
of the risks of material misstatement associated with a particular 
location or business unit and the determination of the necessary audit 
procedures. These requirements are risk-focused and aligned with the 
requirements in Auditing Standard No. 5.
    An example was added to one of the factors in Auditing Standard No. 
9 to highlight that the auditor's consideration of risks associated 
with a location or business unit includes whether significant unusual 
transactions are executed at that location or business unit, e.g., 
whether certain transactions were conducted at the location or business 
unit to achieve a particular accounting result. AU sec. 316 already 
requires the auditor to perform procedures regarding significant 
unusual transactions.
    The reproposed standard included a statement, similar to Auditing 
Standard No. 5, that ``The direction in paragraph 5 of Proposed 
Auditing Standard, The Auditor's Responses to the Risks of Material 
Misstatement, regarding incorporating an element of unpredictability in 
the auditing procedures means that the auditor should vary the nature, 
timing, and extent of audit procedures at locations or business units 
from year to year.'' Some commenters stated that the statement in the 
reproposed standard was unnecessarily prescriptive. After considering 
the comments received, the requirement regarding unpredictability was 
removed from the audit planning standard, and the requirements in 
Auditing Standard No. 13, The Auditor's Responses to the Risks of 
Material Misstatement, regarding incorporating an element of 
unpredictability were expanded to include discussion of varying the 
testing in the selected locations.\185\ However, this does not change 
the requirements in Auditing Standard No. 5 regarding incorporating 
unpredictability in testing controls at individual locations in audits 
of internal control.\186\
---------------------------------------------------------------------------

    \185\ Paragraph 5 of Auditing Standard No. 13.
    \186\ Paragraphs 61 and B13 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    The reproposed standard included a requirement for the auditor to 
determine the extent to which auditing procedures should be performed 
at selected locations or business units to obtain sufficient 
appropriate evidence to obtain reasonable assurance about whether the 
consolidated financial statements are free of material misstatements. 
One commenter was concerned that the use of the term ``consolidated 
financial statements'' is inconsistent with the terminology used 
elsewhere in the standards and that the financial statements of 
companies with multiple divisions might not meet the definition of 
consolidated. The use of ``consolidated financial statements'' is 
consistent with the term used in Auditing Standard No. 5. The use of 
the term ``consolidated'' applies to situations in which the company 
has multiple locations or business units. Auditing Standard No. 9 
retains the language as reproposed.
    Some commenters requested clarification on how the requirements are 
expected to be applied in audits in which part of the work is performed 
by other auditors of financial statements of individual locations or 
business units that are included in the consolidated financial 
statements. A paragraph was added to Auditing Standard No. 9 to clarify 
that the auditor should apply the requirements in paragraphs 11-13 to 
determine the locations or business units for testing when the auditor 
plans to use the work and reports of other independent auditors who 
have audited the financial statements of one or more of the locations 
or business units (including subsidiaries, divisions, branches, 
components, or investments) that are included in the consolidated 
financial statements. AU sec. 543, Part of Audit Performed by Other

[[Page 59373]]

Independent Auditors, describes the auditor's responsibilities when the 
auditor uses the work and reports of other independent auditors.\187\
---------------------------------------------------------------------------

    \187\ Paragraph 14 of Auditing Standard No. 9.
---------------------------------------------------------------------------

h. Persons With Specialized Skill or Knowledge
    Auditing Standard No. 9 indicates that the auditor should determine 
whether specialized skill or knowledge is needed to perform appropriate 
risk assessments, plan or perform audit procedures, or evaluate audit 
results. The responsibility has been extended from a similar 
requirement in AU sec. 311 regarding considering whether specialized 
information technology (``IT'') skill or knowledge is needed in an 
audit. The requirement was extended to specialized skill or knowledge 
in areas besides IT, e.g., valuation specialists, actuarial 
specialists, income tax specialists, and forensic specialists, because 
of the prevalent use of such individuals by auditors.
    The reproposed standard included a note that described the term 
``specialized skill or knowledge'' as persons engaged or employed by 
the auditor who have specialized skill or knowledge. Some commenters 
suggested that this note be removed because paragraph 17 included a 
similar description. The note was removed from Auditing Standard No. 9 
because it was unnecessary and redundant.
    One commenter suggested revising the standard to require the 
auditor to consider using a fraud specialist. The suggested requirement 
to consider using a fraud specialist was not added to Auditing Standard 
No. 9 because the requirement in the reproposed standard already covers 
fraud specialists, and the types of specialized skill or knowledge that 
might be needed on a particular audit depend on the particular 
circumstances and the skill and knowledge of the engagement team.
    Some commenters suggested that the requirements relating to the 
involvement of specialists be reframed as ``assisting'' the auditor. 
Such a formulation is too narrow to describe the range of involvement 
of specialists, which could include providing assistance to the auditor 
or actually performing audit procedures.
    Paragraph 17 of Auditing Standard No. 9 describes the required 
level of knowledge of the subject matter in terms of the general types 
of procedures that the auditor should be able to perform with regard to 
the person with specialized skill or knowledge. Paragraph 17, by 
itself, does not impose procedural requirements for working with 
persons with specialized skill or knowledge because those 
responsibilities already are described in either the supervision 
provisions of Auditing Standard No. 10, Supervision of the Audit 
Engagement, or AU sec. 336, Using the Work of a Specialist, as 
applicable.
5. Auditing Standard No. 10--Supervision of the Audit Engagement
a. Background
    Auditing Standard No. 10 sets forth requirements for supervising 
the audit engagement, including supervising the work of engagement team 
members.
    Auditing Standard No. 10 retains the basic requirements regarding 
supervision from AU sec. 311, with changes to align the requirements 
more closely with the other risk assessment standards. Auditing 
Standard No. 10 does not change the responsibilities for supervision 
from those in the supervision section of the reproposed standard on 
audit planning and supervision. However, the language in the standard 
has been revised in certain respects to describe more directly the 
supervisory responsibilities of the engagement partner and engagement 
team members who assist the engagement partner in supervision. As 
discussed later in this section, the Board has separate standards-
setting projects regarding specialists and principal auditors, which 
will likely result in changes to the auditor's responsibilities 
regarding the auditor's use of specialists and use of other auditors, 
and, in turn, may result in changes to Auditing Standard No. 10.
b. Planning and Supervision
    As discussed in section II.C.4.b., the original proposed standard 
and the reproposed standard included requirements for both audit 
planning and supervision, similar to AU sec. 311. Some commenters 
observed that audit planning and supervision should be covered in 
separate standards.
    The Board agrees that audit planning and supervision of engagement 
team members are distinct activities that should be covered in separate 
standards. Accordingly, the Board has divided the requirements of the 
planning and supervision standard into separate standards. Dividing the 
requirements for planning and supervision into separate standards does 
not affect the auditor's responsibilities for planning the audit or 
supervising the work of engagement team members.
c. Objective
    When the requirements for planning and supervision were divided 
into separate standards, the objective for supervision of the work of 
engagement team members was adapted from the elements of proper 
supervision in the reproposed standard. Auditing Standard No. 10 
states, ``The objective of the auditor is to supervise the audit 
engagement, including supervising the work of engagement team members 
so that the work is performed as directed and supports the conclusions 
reached.'' The revised objective does not alter the supervision 
responsibilities included in the original proposed standard or the 
reproposed standard.
d. Responsibilities of the Engagement Partner
    AU sec. 311 stated, ``The auditor with final responsibility for the 
audit may delegate portions of the planning and supervision of the 
audit to other firm personnel.'' Auditing Standard No. 10 uses the term 
``engagement partner'' instead of ``auditor with final responsibility 
for the audit.''
    Auditing Standard No. 10 states that the engagement partner is 
responsible for the engagement and its performance. Accordingly, the 
engagement partner is responsible for proper supervision of the work of 
engagement team members and for compliance with PCAOB standards, 
including standards regarding using the work of specialists,\188\ other 
auditors,\189\ internal auditors,\190\ and others who are involved in 
testing controls.\191\ As discussed previously, as the Board considers 
changes to the auditor's responsibilities regarding the auditor's use 
of specialists and use of other auditors, it also may consider changes 
to Auditing Standard No. 10.
---------------------------------------------------------------------------

    \188\ See Section II.C.5.f.
    \189\ Ibid.
    \190\ AU sec. 322, The Auditor's Consideration of the Internal 
Audit Function in an Audit of Financial Statements.
    \191\ Paragraphs 16-19 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    Auditing Standard No. 10 allows the engagement partner to seek 
assistance from appropriate engagement team members in fulfilling his 
or her responsibilities pursuant to the standard. Engagement team 
members who assist the engagement partner in supervision should comply 
with the relevant requirements of Auditing Standard No. 10. The 
requirements in PCAOB standards for assignment of responsibilities to 
engagement team members also apply to assignments that involve 
assisting the engagement

[[Page 59374]]

partner with his or her responsibilities pursuant to the standard.\192\
---------------------------------------------------------------------------

    \192\ See, e.g. AU sec. 230.06 and paragraph 5 of Auditing 
Standard No. 13, The Auditor's Responses to the Risks of Material 
Misstatement.
---------------------------------------------------------------------------

 e. Supervision of the Work of Engagement Team Members
    Previously adopted PCAOB standards use either the term ``engagement 
team members'' or the term ``assistants.'' Auditing Standard No. 10 
uses ``engagement team members,'' which is consistent with the other 
risk assessment standards. The Board is amending other PCAOB standards 
to conform to this terminology.
    Auditing Standard No. 10 describes the required supervisory 
activities that should be performed by the engagement partner and, as 
applicable, by other engagement team members with supervisory 
responsibilities.\193\ Those activities include informing engagement 
team members of their responsibilities and information relevant to 
those responsibilities, directing engagement team members to bring 
significant accounting and auditing issues arising during the audit to 
the attention of the engagement partner or other engagement team 
members performing supervisory activities, and reviewing the work of 
engagement team members as described in the standard.
---------------------------------------------------------------------------

    \193\ Paragraph 5 of Auditing Standard No. 10.
---------------------------------------------------------------------------

    Auditing Standard No. 10 describes the factors that should be taken 
into account in determining the necessary extent of supervision, i.e., 
the extent of supervision necessary so that the work of engagement team 
members is performed as directed and appropriate conclusions are formed 
based on the results of their work.\194\ Factors that affect the 
necessary extent of supervision include the risks of material 
misstatement, the nature of work assigned to the engagement team 
member, and the nature of the company, which includes the 
organizational structure of the company and its size and complexity. 
The extent of supervision of the work of an individual engagement team 
member increases or decreases, but cannot be eliminated, based on those 
factors. For example, the extent of supervision should be commensurate 
with the risks of material misstatement, which means, among other 
things, that the higher risk areas of the audit require more 
supervisory attention from the engagement partner.
---------------------------------------------------------------------------

    \194\ Paragraph 6 of Auditing Standard No. 10.
---------------------------------------------------------------------------

    One commenter suggested that the standard provide examples of 
``levels of supervision in relation to review,'' such as face-to-face 
review when reviewing higher risk areas. Auditing Standard No. 10 does 
not prescribe a particular method of review, so the engagement partner 
can determine the most effective way to comply with the requirements 
regarding the necessary nature of supervisory activities and necessary 
extent of supervision.
f. Persons with Specialized Skill or Knowledge and Other Auditors, 
Accounting Firms, and Individual Accountants
    Auditing Standard No. 10 states that the engagement partner is 
responsible for, among other things, compliance with PCAOB standards 
regarding using of the work of specialists and refers to AU sec. 336. 
AU sec. 336 applies to situations in which the auditor engages a 
specialist in an area other than accounting or auditing and uses the 
work of that specialist as audit evidence.\195\ Paragraphs 5-6 of 
Auditing Standard No. 10 describe the nature and extent of the 
supervisory activities necessary for proper supervision of a person 
with specialized skill or knowledge who participates in the audit and 
is either (a) employed by the auditor or (b) engaged by the auditor to 
provide services in a specialized area of accounting or auditing. AU 
sec. 336 has been amended to clarify when the auditor should look to 
the supervisory requirements in Auditing Standard No. 10 instead of AU 
sec. 336.
---------------------------------------------------------------------------

    \195\ AU sec. 336 also applies to situations in which the 
auditor uses the work of a specialist engaged or employed by 
management. The discussion in this section of the release focuses on 
the auditor's use of specialists who are employed or engaged by the 
auditor.
---------------------------------------------------------------------------

    AU sec. 543 describes the principal auditor's \196\ 
responsibilities for using the work and reports of other independent 
auditors who have audited the financial statements of one or more 
subsidiaries, divisions, branches, components, or investments included 
in the financial statements presented. The principal auditor should 
look to the requirements in AU sec. 543 \197\ in those situations. For 
situations in which the auditor engages an accounting firm or 
individual accountants to participate in the audit engagement and AU 
sec. 543 does not apply,\198\ the auditor should supervise them in 
accordance with the requirements of Auditing Standard No. 10. AU sec. 
543 has been amended to emphasize those points.
---------------------------------------------------------------------------

    \196\ AU sec. 543 uses the term ``principal auditor'' to refer 
to the auditor who issues the audit report on the financial 
statements presented.
    \197\ For integrated audits, see also paragraphs C8-C11 of 
Auditing Standard No. 5.
    \198\ Examples of situations that are not covered by AU sec. 543 
include loan staff arrangements.
---------------------------------------------------------------------------

    It should be noted, however, that the Board has separate standards-
setting projects regarding specialists and principal auditors, which 
will include comprehensive reviews of AU sec. 336 and AU sec. 543, 
respectively, in light of, among other things, observations from the 
Board's inspection activities. Those projects will likely result in 
changes to the auditor's responsibilities regarding the auditor's use 
of specialists and use of other auditors, and, in turn, may result in 
changes to Auditing Standard No. 10.
g. Differences of Opinion Within an Engagement Team
    The original proposed standard included a requirement, adapted from 
AU sec. 311.14, that the engagement partner and other engagement team 
members should make themselves aware of the procedures to be followed 
when differences of opinion concerning accounting and auditing issues 
exist among the engagement team members. Since the intention of 
including this provision was to require adequate documentation of 
disagreements, this paragraph was removed from the reproposed standard, 
and the documentation requirements from the original proposed standard 
were incorporated into an amendment to Auditing Standard No. 3, Audit 
Documentation.\199\ The documentation requirements regarding 
disagreements among members of the engagement team or with others 
consulted on the engagement about final conclusions reached on 
significant accounting or auditing matters include documenting the 
basis for the final resolution of those disagreements. If an engagement 
team member disagrees with the final conclusions reached, he or she 
should document that disagreement.
---------------------------------------------------------------------------

    \199\ Paragraph 12.d. of Auditing Standard No. 3.
---------------------------------------------------------------------------

    One commenter indicated concern that the requirement for the 
engagement partner and other engagement team members to be aware of how 
disagreements should be handled has been removed. The commenter 
indicated that disagreements are a sensitive area and that it is 
important that engagement team members are aware of how disagreements 
should be handled. In connection with the requirement to direct 
engagement team members to bring significant accounting and auditing 
issues to the attention of the engagement partner or other engagement 
team members performing supervisory activities, Auditing Standard No. 
10 also states that each engagement team member has a responsibility to 
bring to the attention of

[[Page 59375]]

appropriate persons, disagreements or concerns the engagement team 
member might have with respect to accounting and auditing issues that 
he or she believes are of significance to the financial statements or 
the auditor's report regardless of how those disagreements or concerns 
may have arisen.\200\
---------------------------------------------------------------------------

    \200\ Note to paragraph 5.b. of Auditing Standard No. 10.
---------------------------------------------------------------------------

6. Auditing Standard No. 11--Consideration of Materiality in Planning 
and Performing an Audit
a. Background
    Auditing Standard No. 11 discusses the auditor's responsibilities 
for applying the concept of materiality, as described by the courts in 
interpreting the federal securities laws, in planning the audit and 
determining the scope of the audit procedures. The standard applies to 
integrated audits and audits of financial statements only.
b. Materiality in the Context of an Audit
    Auditing Standard No. 11 discusses the concept of materiality that 
is applicable to audits performed in accordance with PCAOB standards, 
which is the articulation of materiality used by the courts in 
interpreting the federal securities laws.\201\ The Supreme Court of the 
United States has held that a fact is material if there is ``a 
substantial likelihood that the * * * fact would have been viewed by 
the reasonable investor as having significantly altered the `total mix' 
of information made available.'' \202\
---------------------------------------------------------------------------

    \201\ Paragraph 2 of Auditing Standard No. 11.
    \202\ See TSC Industries Northway, Inc., 426 U.S. 438, 449 
(1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).
---------------------------------------------------------------------------

    Some commenters questioned the use of the court's articulation in 
the reproposed standard and suggested that this articulation might be 
difficult for auditors to apply. Also, some commenters asked whether 
the use of this articulation of materiality, in contrast to the 
quotation from a FASB Concept Statement\203\ used in AU sec. 312 was 
intended to result in a change in audit practice.
---------------------------------------------------------------------------

    \203\ Financial Accounting Standards Board Statement of 
Financial Accounting Concepts No. 2, Qualitative Characteristics of 
Accounting Information. FASB Concepts Statements are not included in 
FASB's Codification of Accounting Standards.
---------------------------------------------------------------------------

    Although the discussion of materiality in the accounting literature 
might help auditors understand how accounting standards-setters view 
materiality in the context of preparation and presentation of financial 
statements, the concept of materiality that is relevant for audits to 
which PCAOB standards apply is the concept used by the courts in 
interpreting the Federal securities laws. Because the auditor has a 
responsibility to plan and perform audit procedures to detect 
misstatements that, individually or in combination with other 
misstatements, would result in material misstatement of the financial 
statements, it is important for the auditor to plan and perform his or 
her audit procedures based on the applicable concept of materiality. 
Accordingly, Auditing Standard No. 11 uses the concept of materiality 
articulated by the courts.
    Because the courts' articulation of the concept of materiality is 
not new, using that articulation in Auditing Standard No. 11 is not 
intended to result in changes in practice for most auditors. Auditing 
Standard No. 11 emphasizes that an auditor's consideration of 
materiality should reflect matters that would affect the judgment of a 
reasonable investor.
c. Establishing a Materiality Level for the Financial Statements as a 
Whole
    Auditing Standard No. 11 requires the auditor to establish an 
appropriate materiality level for the financial statements as a 
whole.\204\ This materiality level should be established in light of 
the particular circumstances based on factors that could influence the 
judgment of a reasonable investor. The standard states that this 
requirement includes consideration of the company's earnings and other 
relevant factors. This statement is intended to emphasize that a 
company's net earnings are often an important factor in the total mix 
of information available to a reasonable investor, but Auditing 
Standard No. 11 does not require the use of earnings as the basis for 
the established materiality level in all cases. Other factors besides 
earnings might be more relevant depending on the particular 
circumstances, e.g., based on a company's industry or situations in 
which the company's earnings were near zero. Auditors are expected to 
consider the factors that would be relevant to the judgment of a 
reasonable investor.
---------------------------------------------------------------------------

    \204\ Paragraph 6 of Auditing Standard No. 11.
---------------------------------------------------------------------------

d. Qualitative Considerations
    The concept of materiality involves consideration of both 
quantitative and qualitative factors.\205\ Under Auditing Standard No. 
11, qualitative considerations can affect the auditor's establishment 
of materiality levels in the following ways:
---------------------------------------------------------------------------

    \205\ Paragraph 3 of Auditing Standard No. 11.
---------------------------------------------------------------------------

     Establishing a materiality level for the financial 
statements as a whole that is appropriate in light of the particular 
circumstances. This involves matters such as consideration of the 
elements of the financial statements that are more important to a 
reasonable investor and the level of misstatements that would influence 
the judgment of a reasonable investor.
     Establishing lower levels of materiality for certain 
accounts or disclosures when, in light of the particular circumstances, 
there are certain accounts or disclosures for which there is a 
substantial likelihood that misstatements of lesser amounts than the 
materiality level established for the financial statements as a whole 
would influence the judgment of a reasonable investor. The requirement 
in the standard \206\ is consistent with the principle of considering 
the judgment of a reasonable investor when establishing materiality 
levels because it recognizes that, in certain circumstances, 
misstatements in some accounts might have more significant consequences 
than in other accounts. The following are examples of such 
circumstances:
---------------------------------------------------------------------------

    \206\ Paragraph 7 of Auditing Standard No. 11.
---------------------------------------------------------------------------

    [cir] Laws, regulations, or the applicable financial reporting 
framework affect investors' expectations about the measurement or 
disclosure of certain items, e.g., related party transactions and 
compensation of senior management.
    [cir] Significant attention has been focused on a particular aspect 
of a company's business that is separately disclosed in the financial 
statements, e.g., a recent business acquisition.
    [cir] Certain disclosures are particularly important to investors 
in the industry in which the company operates.
    Auditing Standard No. 11 does not allow the auditor to establish a 
materiality level for an account or disclosure at an amount that 
exceeds the materiality level for the financial statements as a whole.
    The reproposed standard included a statement, adapted from AU sec. 
312, that ordinarily it is not practical to design audit procedures to 
detect misstatements that are material based solely on qualitative 
factors.\207\ One commenter suggested removing the word ``ordinarily'' 
from the statement because, in the commenter's view, it is not 
practical to design audit procedures to detect misstatements that are 
material based solely on qualitative factors. Auditing Standard No. 11 
retains the

[[Page 59376]]

statement as proposed. This statement reflects the principle that 
judgments about whether a particular misstatement is material involve 
consideration of the particular circumstances, including the nature of 
the misstatement and its effect on the financial statements. Also, if 
an auditor is aware of potential misstatements that would be material 
based on qualitative factors, he or she has a responsibility to design 
audit procedures to detect such misstatements.
---------------------------------------------------------------------------

    \207\ AU sec. 312.20.
---------------------------------------------------------------------------

e. Tolerable Misstatement
    The reproposed standard required the auditor to determine tolerable 
misstatement for purposes of assessing risks of material misstatement 
and planning and performing audit procedures at the account or 
disclosure level.\208\ Tolerable misstatement is a concept used in 
determining the scope of audit procedures. AU sec. 350, Audit Sampling, 
indicates that tolerable misstatement is the maximum amount of 
misstatement in an account or a class of transactions that may exist 
without causing the financial statements to be materially 
misstated.\209\ Tolerable misstatement is required to be set at an 
amount less than the materiality level for the financial statements as 
a whole and for particular accounts or disclosures, if lower 
materiality levels were established for particular accounts or 
disclosures.
---------------------------------------------------------------------------

    \208\ Paragraphs 8-9 of Auditing Standard No. 11.
    \209\ AU sec. 350.18.
---------------------------------------------------------------------------

    Some commenters suggested replacing the term ``tolerable 
misstatement'' in the reproposed standard with the term ``performance 
materiality,'' which is the term used in the International Standards on 
Auditing (``ISA'').
    The Board decided to retain the term ``tolerable misstatement'' in 
its standards. The concept of tolerable misstatement is already 
understood by auditors, and the Board is not seeking to change the 
concept as described in PCAOB standards. Because the term ``performance 
materiality'' uses the word ``materiality,'' it could be misunderstood, 
e.g., by nonauditors, as having a meaning other than that intended in 
the standard. The concept of materiality that applies to financial 
statements of companies that are audited in accordance with PCAOB 
standards is rooted in case law and reflects a reasonable investor's 
perspective. In contrast, tolerable misstatement is a concept used in 
audit scoping decisions at the account level, considering potential 
uncorrected and undetected misstatement.
    One commenter stated that the requirement to establish tolerable 
misstatement eliminated the need to establish a lower level of 
materiality for particular accounts or disclosures. However, the two 
concepts are designed for different purposes. The requirement to 
establish a lower materiality level is intended to address the need for 
a lower threshold when, in light of the particular circumstances, 
misstatements of lesser amounts have a substantial likelihood of 
influencing the judgment of a reasonable investor. As mentioned 
previously, tolerable misstatement is a concept used in audit scoping 
decisions at the account level, considering potential uncorrected and 
undetected misstatement.
    The reproposed standard also required the auditor to take into 
account the nature, cause (if known), and amount of misstatements that 
were accumulated in audits of financial statements of prior periods. 
One commenter suggested that the Board should clarify its intent 
regarding this requirement and provide additional guidance regarding 
its application. Tolerable misstatement is affected by the expected 
level of misstatement in the account or disclosure, and the nature, 
cause, and amount of misstatements from prior periods are relevant to 
developing expectations about the level of misstatement. Generally, as 
the expected level of misstatement increases, the amount of tolerable 
misstatement decreases.
f. Consideration of Materiality for Multi-location Engagements
    The reproposed standard included requirements for establishing 
materiality levels in multi-location engagements. The reproposed 
standard stated that when the auditor plans to perform procedures at 
selected locations or business units, the auditor should establish the 
materiality level for the individual locations or business units at an 
amount that reduces to an appropriately low level the probability that 
the total of uncorrected and undetected misstatements would result in 
material misstatement of the consolidated financial statements. The 
reproposed standard also stated that the materiality level for the 
selected locations or business units generally should be lower than the 
materiality level for the consolidated financial statements. Those 
requirements were an application of the fundamental principles to 
audits of consolidated financial statements of companies with multiple 
locations or business units.
    Some commenters suggested removing the word ``generally'' as it 
could be misinterpreted as permitting the use of the materiality level 
for the consolidated financial statements as a whole for planning and 
performing audit procedures at the individual location or business unit 
level. Other commenters questioned how the requirements would be 
applied when a principal auditor makes reference to the report of 
another auditor in the auditor's report on consolidated financial 
statements in accordance with AU sec. 543.
    After considering the comments, the Board has made certain 
clarifying revisions to the requirements for multi-location 
engagements.\210\ First, the language in the standard has been revised 
to use term ``tolerable misstatement'' for an individual location to 
more clearly distinguish that term from the materiality level for the 
financial statements as a whole. In addition, the requirements were 
revised to state that tolerable misstatement for a location or business 
unit should be less than the materiality level for the financial 
statements as a whole. The word ``generally'' was removed from the 
requirements to reduce the risk of misinterpretation of the provision. 
Also, the phrase ``to be used in performing audit procedures'' has been 
removed from the requirement to determine tolerable misstatement for 
the individual locations or business units to avoid a misinterpretation 
about the principal auditor's responsibilities for situations in which 
the principal auditor makes reference to the report of the other 
auditor in accordance with AU sec. 543. Auditing Standard No. 11 
requires the principal auditor to determine tolerable misstatement for 
the location or business unit audited by the other auditor, but the 
principal auditor is not expected to impose that determination of 
tolerable misstatement on the other auditor. Rather, tolerable 
misstatement for the location or business unit audited by the other 
auditor would be relevant to certain requirements under AU sec. 543 
\211\ and in determining an appropriate amount of tolerable 
misstatement for the remaining locations or business units included in 
the consolidated financial statements.
---------------------------------------------------------------------------

    \210\ Paragraph 10 of Auditing Standard No. 11.
    \211\ For example, AU sec. 543.10 states that the auditor should 
adopt measures to assure the coordination of the principal auditor's 
activities with those of the other auditor in order to achieve a 
proper review of matters affecting the consolidating or combining of 
accounts in the financial statements.

---------------------------------------------------------------------------

[[Page 59377]]

g. Reevaluating the Materiality Level and Tolerable Misstatement
    The reproposed standard stated that the established materiality 
level and tolerable misstatement should be reevaluated if changes in 
the particular circumstances or additional information comes to the 
auditor's attention that are likely to influence the judgment of a 
reasonable investor. In addition, the reproposed standard provided 
examples of situations that would require such reevaluation, and 
additional examples were discussed in the release accompanying the 
reproposed standards.
    Some commenters suggested that the examples in the release should 
be included in the reproposed standard. The examples in Auditing 
Standard No. 11 have been revised to clarify the types of situations 
that would require reevaluation of the established materiality level 
and tolerable misstatement.
    The reevaluation required by Auditing Standard No. 11 is important 
because if that reevaluation results in a lower materiality level or 
levels and tolerable misstatement than the auditor's initial 
determination, the standard states that the auditor should (1) evaluate 
the effect, if any, of the lower amount or amounts on his or her risk 
assessments and audit procedures and (2) modify the nature, timing, and 
extent of audit procedures as necessary to obtain sufficient 
appropriate audit evidence.\212\
---------------------------------------------------------------------------

    \212\ Paragraph 12 of Auditing Standard No. 11.
---------------------------------------------------------------------------

    Auditing Standard No. 11 does not allow the auditor to modify the 
established level or levels of materiality and tolerable misstatement 
solely because they are approximately equal to or are exceeded by the 
amount of uncorrected misstatements. Such a practice is inconsistent 
with the requirement to reevaluate the established materiality level or 
levels or tolerable misstatement if changes in the particular 
circumstances or additional information come to the auditor's attention 
that are likely to affect the judgments of a reasonable investor. 
Rather, Auditing Standard No. 14 establishes requirements for 
evaluating uncorrected misstatements \213\ and describes the auditor's 
responsibilities in situations in which uncorrected misstatements 
approach established materiality level or levels used in planning and 
performing an audit.\214\
---------------------------------------------------------------------------

    \213\ Paragraphs 17-23 of Auditing Standard No. 14.
    \214\ Paragraph 14.b. of Auditing Standard No. 14.
---------------------------------------------------------------------------

7. Auditing Standard No. 12--Identifying and Assessing Risks of 
Material Misstatement

a. Background
    Auditing Standard No. 12 describes the auditor's responsibilities 
for the process of identifying and assessing risks of material 
misstatement in an audit of financial statements only and in an 
integrated audit. This process includes (1) performing information-
gathering procedures, known as risk assessment procedures, and (2) 
identifying and assessing the risks of material misstatement using 
information obtained from the risk assessment procedures.
    As discussed in the release accompanying the reproposed standards, 
the requirements in this standard are intended to improve the auditor's 
risk assessments and ability to focus on areas of increased risk in 
audits of financial statements only and in integrated audits. The 
effectiveness of a risk-based audit depends on whether the auditor 
identifies the risks of material misstatement and has an appropriate 
basis for assessing those risks. Inappropriate identification or 
assessment of risks of material misstatements can lead to overlooking 
relevant risks to the financial statements, e.g., business conditions 
that affect asset quality or create pressures to manipulate the 
financial statements, or assessing risks too low without having an 
appropriate basis for the assessment. In turn, these situations can 
lead to misdirected or inadequate audit work.
    Auditing Standard No. 12 employs a top-down approach to risk 
assessment. Such an approach begins at the financial statement level 
and with the auditor's overall understanding of the company and its 
environment and works down to the significant accounts and disclosures 
and their relevant assertions. Also, the requirements for performing 
risk assessment procedures are designed to be scalable to companies of 
varying size and complexity.
    In an integrated audit, the risks of material misstatement affect 
both the audit of financial statements and the audit of internal 
control, so the risk assessment process described in Auditing Standard 
No. 12 is for a single process that applies to both the audit of 
financial statements and the audit of internal control. Auditing 
Standard No. 12 seeks to enhance the integration of the audit of 
financial statements with the audit of internal control by aligning 
these risk assessment standards with Auditing Standard No. 5. 
Accordingly, Auditing Standard No. 12 reflects certain foundational 
risk assessment principles from Auditing Standard No. 5 that also apply 
to audits of financial statements. On the other hand, the provisions of 
this standard also are designed to be tailored for audits of financial 
statements only, e.g., the requirements relating to the understanding 
of internal control over financial reporting.
b. Objective
    Some commenters recommended that the Board revise the objective in 
the reproposed standard to indicate that the auditor's identification 
and assessment of risks are through understanding of the company and 
its environment. The objective in Auditing Standard No. 12 was retained 
from the reproposed standard. The revision suggested by the commenters 
is too narrow because Auditing Standard No. 12 requires other risk 
assessment procedures beyond obtaining an understanding of the company 
and its environment.
c. Performing Risk Assessment Procedures
    The overarching requirement for risk assessment procedures in 
Auditing Standard No. 12 is that the auditor should perform risk 
assessment procedures that are sufficient to provide a reasonable basis 
for the identification and assessment of the risks of material 
misstatement, whether due to error or fraud, and to design further 
audit procedures.\215\ Auditing Standard No. 12 discusses the auditor's 
responsibilities for determining and performing the risk assessment 
procedures necessary to satisfy that overarching requirement.\216\
---------------------------------------------------------------------------

    \215\ Paragraph 4 of Auditing Standard No. 12. The phrase 
``design further audit procedures'' applies to substantive 
procedures and to tests of controls in the audit of financial 
statements and the audit of internal control over financial 
reporting.
    \216\ Paragraphs 5-58 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Risks of material misstatement may exist at the financial statement 
level or at the assertion level. Risks of material misstatement also 
can arise from a variety of sources, including external factors, such 
as conditions in the company's industry and environment, and company-
specific factors, such as the nature of the company, its activities, 
and internal control over financial reporting. Since the risks of 
material misstatement come from various sources, the auditor's risk 
assessment procedures need to encompass both external factors and 
company-specific factors. Auditing Standard No. 12 requires the 
following risk assessment procedures:

[[Page 59378]]

     Obtaining an understanding of the company and its 
environment; \217\
---------------------------------------------------------------------------

    \217\ Paragraphs 7-17 of Auditing Standard No. 12.
---------------------------------------------------------------------------

     Obtaining an understanding of the company's internal 
control over financial reporting; \218\
---------------------------------------------------------------------------

    \218\ Paragraphs 18-40 of Auditing Standard No. 12.
---------------------------------------------------------------------------

     Considering information from the client acceptance and 
retention evaluation, audit planning activities, past audits, and other 
engagements performed for the company; \219\
---------------------------------------------------------------------------

    \219\ Paragraphs 41-45 of Auditing Standard No. 12.
---------------------------------------------------------------------------

     Performing analytical procedures; \220\
---------------------------------------------------------------------------

    \220\ Paragraphs 46-48 of Auditing Standard No. 12.
---------------------------------------------------------------------------

     Conducting a discussion among engagement team members 
regarding the risks of material misstatement; \221\ and
---------------------------------------------------------------------------

    \221\ Paragraphs 49-53 of Auditing Standard No. 12.
---------------------------------------------------------------------------

     Inquiring of the audit committee, management, and others 
within the company about the risks of material misstatement.\222\
---------------------------------------------------------------------------

    \222\ Paragraphs 54-58 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    The reproposed standard required the auditor to perform risk 
assessment procedures that are designed to help the auditor identify 
the areas of greater risk, appropriately assess those risks, and design 
and perform further audit procedures to address risks of material 
misstatements in the financial statements, whether due to error or 
fraud. One commenter suggested adding the phrase ``and to design 
further audit procedures focused on the areas of greatest risk'' to the 
end of the sentence in paragraph 4. The suggested language is not 
included in Auditing Standard No. 12 because that principle is already 
addressed in Auditing Standard No. 13.
    One commenter on the reproposed standard asked for more discussion 
of the connection between the components of audit risk and the risk 
assessment process. That discussion has been added to Auditing Standard 
No. 8.\223\
---------------------------------------------------------------------------

    \223\ Paragraphs 8-11 of Auditing Standard No. 8.
---------------------------------------------------------------------------

d. Obtaining an Understanding of the Company and Its Environment
    Like the reproposed standard, Auditing Standard No. 12 requires the 
auditor to obtain an understanding of the company and its environment 
to understand the events, conditions, and company activities that might 
reasonably be expected to have a significant effect on the risks of 
material misstatement (``obtaining an understanding of the 
company'').\224\ These requirements are an expansion of requirements 
that were in AU sec. 311 regarding obtaining knowledge of matters that 
relate to the nature of the entity's business, its organization, and 
its operating characteristics as part of audit planning.\225\ The 
expanded requirements are intended to focus the auditor on the degree 
of ``knowledge of the company'' that is necessary for a risk-based 
audit and to explain how knowledge of the company informs the auditor's 
identification and assessment of risk.
---------------------------------------------------------------------------

    \224\ Paragraph 7 of Auditing Standard No. 12.
    \225\ AU secs. 311.06-.09.
---------------------------------------------------------------------------

    Auditing Standard No. 12 requires that the understanding of the 
company and its environment include understanding the following:
     Relevant industry, regulatory, and other external factors;
     The nature of the company;
     The company's selection and application of accounting 
principles, including related disclosures;
     The company's objectives and strategies and those related 
business risks that might reasonably be expected to result in risks of 
material misstatement; and
     The company's measurement and analysis of its financial 
performance.\226\
---------------------------------------------------------------------------

    \226\ Paragraph 7 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Auditing Standard No. 12 requires the auditor to evaluate whether 
significant changes in the company from prior periods, including 
changes in its internal control over financial reporting, affect the 
risks of material misstatement.\227\ This requirement builds on the 
requirement in paragraph 7 of Auditing Standard No. 9 to evaluate 
whether, among other things, the extent of recent changes, if any, in 
the company, its operations, or its internal control over financial 
reporting is important to the company's financial statements and 
internal control over financial reporting and, if so, how those changes 
will affect the auditor's procedures. PCAOB standards have recognized 
that many risks of material misstatement arise due to changes in the 
company. For example, AU sec. 319 listed the following examples of 
circumstances that can result in risks or changes to existing risks: 
changes in operating environment; new personnel; new or revamped 
information systems; rapid growth; new technology; new business models, 
products, or activities; corporate restructurings; expanded foreign 
operations; and new accounting pronouncements.\228\
---------------------------------------------------------------------------

    \227\ Paragraph 8 of Auditing Standard No. 12.
    \228\ AU sec. 319.38.
---------------------------------------------------------------------------

    Paragraphs 9-17 of Auditing Standard No. 12 explain more fully the 
necessary understanding of the preceding aspects of the company and its 
environment, e.g., what it means to obtain an understanding of the 
nature of the company. The discussion of relevant industry, regulatory, 
and other external factors is adapted from AU sec. 311. The discussion 
of the nature of the company is also adapted from AU sec. 311 and has 
been updated to reflect certain changes in business practices since AU 
sec. 311 was originally issued (e.g., to encompass alternative 
investments and financing arrangements and to recognize the development 
of new business models).
    One commenter said that the requirement to obtain an understanding 
of the company and its environment should be revised because none of 
the aspects of the company and its environment listed in paragraph 7 is 
an event, condition, or company activity. However, the understanding of 
those aspects should lead the auditor to obtain an understanding of 
relevant events, conditions, and company activities. For example, 
obtaining an understanding of relevant industry, regulatory, and 
external factors helps an auditor understand the external conditions in 
which the company operates that represent risks of material 
misstatement at the financial statement level.
    The reproposed standard contained a note about how the size and 
complexity of the company can affect the risks of misstatement and the 
controls necessary to address those risks. This note was intended to be 
a reminder to auditors that both size and complexity affect risks. One 
commenter stated that complexity rather than size is likely to heighten 
risk. Auditing Standard No. 12 retains the note as reproposed.\229\ The 
size and complexity of the company can affect the risks of misstatement 
and the controls necessary to address those risks. Scaling the audit is 
most effective as a natural extension of the risk-based approach and 
applies to all audits, and the requirements in Auditing Standard No. 12 
are intended to be scalable to companies of varying size and 
complexity. Auditing Standard No. 12 contains certain notes regarding 
scaling the audit based on a company's size and complexity.
---------------------------------------------------------------------------

    \229\ First note to paragraph 10 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(i). Additional Procedures to Obtain an Understanding of the Company 
and its Environment
    The reproposed standard presented a list of procedures that the 
auditor should consider performing as part of obtaining an 
understanding of the company and its environment. These

[[Page 59379]]

procedures include reading public information about the company, 
observing or reading transcripts of earnings calls, obtaining an 
understanding of compensation arrangements with senior management, and 
obtaining information about significant unusual developments regarding 
trading activity in the company's securities. The auditor's decisions 
about whether to perform one or more of the additional procedures and 
the extent of those procedures depend on whether the matters addressed 
in those procedures are important to the company's internal control or 
financial statements and whether such procedures are necessary to meet 
the overall requirements for obtaining an understanding of the company 
and performing risk assessment procedures.
    Members of the Board's Standing Advisory Group (``SAG'') suggested 
that these matters could provide valuable information for identifying 
risks of material misstatement, e.g., to obtain information about 
business risks relevant to financial reporting or to identify 
incentives or pressures on management to manipulate financial 
results.\230\ Also, the Public Oversight Board, Panel on Audit 
Effectiveness, Report and Recommendations (``PAE Report''), recommended 
that auditors consider published analysts' reports and forecasts when 
gaining an understanding of the company's business and industry, 
assessing risks, and evaluating identified misstatements.\231\
---------------------------------------------------------------------------

    \230\ February 16, 2005. Webcasts of SAG meetings are available 
on the Board's Web site at: http://www.pcaobus.org/News_and_
Events/Webcasts.
    \231\ Public Oversight Board, Panel on Audit Effectiveness, 
Report and Recommendations (August 31, 2000), p. 58.
---------------------------------------------------------------------------

    Commenters requested clarification of the Board's expectations 
regarding these procedures and expressed concern that the broad 
language used to describe some of the procedures might lead auditors to 
expend considerable efforts to decide and document whether to perform 
certain procedures. This requirement is not intended to require 
auditors to make a specific determination about each bit of data to 
which a procedure might be applied, e.g., to document each individual 
item of publicly available information to decide whether it should be 
reviewed.
    Instead, the intention is for auditors to consider whether and to 
what extent such procedures should be performed to achieve the 
objectives in paragraphs 4 and 7 of Auditing Standard No. 12. For 
example, observing the company's earnings calls and other meetings with 
investors are likely to provide important information about the 
measurement and review of the company's financial performance, 
particularly the performance measures monitored by investors and 
analysts. Likewise, an understanding of compensation arrangements with 
senior management often can provide important information about 
incentives or pressures on management to manipulate the financial 
statements.
    Auditing Standard No. 12 was revised to clarify that considering 
whether to perform the procedures listed in paragraph 11 also includes 
consideration of the extent of the procedures.
(ii). Selection and Application of Accounting Principles, Including 
Related Disclosures
    PCAOB standards require auditors to obtain an understanding of the 
accounting practices common to the industry and to evaluate the quality 
of a company's accounting principles as part of his or her response to 
fraud risks and in determining matters to be communicated to the audit 
committee.\232\ Auditing Standard No. 12 imposes a responsibility to 
obtain an understanding of the applicable financial reporting framework 
and to evaluate whether the company's selection and application of 
accounting principles are consistent with the applicable accounting 
framework and the accounting principles used in the relevant 
industry.\233\ Such procedures can provide important information for 
identifying relevant matters such as (1) accounts that are susceptible 
to misstatement, e.g., if an account balance is determined using 
accounting principles that are inconsistent with the applicable 
financial reporting framework or (2) more general conditions that 
affect risks of material misstatement, e.g., if the company's selection 
or application of accounting principles is more aggressive than 
prevailing practices in the relevant industry.
---------------------------------------------------------------------------

    \232\ See AU sec. 316 and AU sec. 380, Communication With Audit 
Committees.
    \233\ Paragraph 12 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    In connection with obtaining an understanding of the applicable 
financial reporting framework and evaluating the company's selection 
and application of accounting principles, including related 
disclosures, Auditing Standard No. 12 requires the auditor to develop 
expectations about the disclosures that are necessary for the company's 
financial statements to be presented fairly in conformity with the 
applicable financial reporting framework.\234\ The language in this 
requirement was revised to clarify that the auditor should develop an 
expectation about the disclosures as part of the risk assessment 
procedures and that the expectations should be based on the disclosures 
necessary for the fair presentation of the financial statements in 
conformity with the applicable financial reporting framework.
---------------------------------------------------------------------------

    \234\ Ibid.
---------------------------------------------------------------------------

    Auditing Standard No. 12 also presents a list of matters that, if 
present, are relevant to the necessary understanding of the company's 
selection and application of accounting principles.\235\ The amount of 
auditor attention devoted to an individual matter would depend on its 
importance in meeting the overall requirements for obtaining an 
understanding of the company and performing risk assessment 
procedures.\236\
---------------------------------------------------------------------------

    \235\ Paragraph 13 of Auditing Standard No. 12.
    \236\ Paragraphs 4 and 7 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(iii). Company Objectives, Strategies, and Related Business Risks
    The reproposed standard required the auditor to obtain an 
understanding of the company's objectives, strategies, and related 
business risks in order to identify those business risks that could 
reasonably be expected to result in material misstatement of the 
financial statements. The PAE Report recommended that auditors be 
required to obtain an understanding of the company's business 
risks.\237\
---------------------------------------------------------------------------

    \237\ PAE Report, p. 20.
---------------------------------------------------------------------------

    Commenters on the reproposed standard requested additional 
discussion about business risks, including going concern risks, fraud 
risks, and how business risks can result in misstatements of the 
financial statements. Additional discussion has been added to Auditing 
Standard No. 8 and Auditing Standard No. 12.\238\
---------------------------------------------------------------------------

    \238\ Paragraph 6 of Auditing Standard No. 8 and the note to 
paragraph 15 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Auditing Standard No. 12 discusses how business risks can lead to 
misstatements and provides examples of business risks that may result 
in a risk of material misstatement of the financial statements.\239\ 
However, the list of examples is meant to be illustrative rather than a 
checklist of factors to consider. Auditors would need to consider the 
business risks that are relevant to the particular company and 
industry. For example, in today's economic environment, business risks

[[Page 59380]]

might include financing risks (e.g., access to necessary financing) or 
product risks (e.g., investments in certain financial products).
---------------------------------------------------------------------------

    \239\ Paragraphs 5 and 14-15 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(iv). The Company's Measurement and Analysis of its Financial 
Performance
    The risk assessment procedures in the reproposed standard included 
obtaining an understanding of the company's performance measures. The 
purpose of obtaining that understanding is to identify those 
performance measures, whether external or internal, that affect the 
risks of material misstatement. For example, understanding performance 
measures can help the auditor identify accounts or disclosures that 
might be susceptible to manipulation to achieve certain performance 
targets (or to conceal failures to achieve those targets) or to 
understand how management uses performance measures to monitor risks 
affecting the financial statements.
    Commenters requested clarification regarding the examples of 
performance measures. A note was added to Auditing Standard No. 12 to 
explain the significance of the individual examples.\240\
---------------------------------------------------------------------------

    \240\ Paragraph 17 of Auditing Standard No 12.
---------------------------------------------------------------------------

e. Obtaining an Understanding of Internal Control Over Financial 
Reporting
    Auditing Standard No. 12 describes the auditor's responsibilities 
for obtaining an understanding of internal control over financial 
reporting (``understanding of internal control''). Auditing Standard 
No. 12 requires the auditor to obtain a sufficient understanding of 
each component of internal control over financial reporting to (a) 
identify the types of potential misstatements, (b) assess the factors 
that affect the risks of material misstatement, and (c) design further 
audit procedures.\241\ These requirements are, in substance, equivalent 
to those in AU sec. 319, but the formulation in the proposed standard 
is aligned more clearly with Auditing Standard No. 5. Like the 
requirements in AU sec. 319, the requirements in Auditing Standard No. 
12 indicate that although the auditor's primary focus is on internal 
control over financial reporting, the auditor may obtain an 
understanding of controls related to operations or compliance 
objectives if they pertain to data that the auditor plans to use in 
applying auditing procedures.\242\
---------------------------------------------------------------------------

    \241\ Paragraph 18 of Auditing Standard No. 12.
    \242\ Paragraph 19 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Auditing Standard No. 12 sets forth certain principles regarding 
the sufficiency of the auditor's understanding of internal control. The 
size and complexity of the company; the auditor's existing knowledge of 
the company's internal control; the nature of the company's internal 
controls, including the company's use of IT; the nature and extent of 
changes in systems and operations; and the nature of the company's 
documentation of its internal control over financial reporting affect 
the nature, timing, and extent of procedures necessary to obtain an 
understanding of internal control. For example, the auditor's 
procedures to obtain an understanding of internal control would be more 
extensive when the auditor plans to test controls more extensively 
(e.g., in an integrated audit), the company's internal control is more 
complex, or the company's controls have changed significantly.
    The reproposed standard stated that the auditor's understanding of 
internal control includes evaluating the design of controls and 
determining whether the controls are implemented. Commenters observed 
that the reproposed standard stated that walkthroughs that include the 
necessary procedures ordinarily are sufficient to evaluate design 
effectiveness, but the reproposed standard did not make a similar 
statement about the use of walkthroughs to determine whether controls 
have been implemented. Auditing Standard No. 12 has been revised to 
include a statement that walkthroughs that include the procedures 
described in the standard ordinarily are sufficient to determine 
whether a control has been implemented.\243\ Under Auditing Standard 
No. 12, as under AU sec. 319,\244\ the amount of audit attention 
devoted to design and operating effectiveness will vary based on the 
auditor's plan for testing controls. For example, if the auditor plans 
to test controls, more attention should be devoted to controls that the 
auditor plans to test.
---------------------------------------------------------------------------

    \243\ Paragraph 20 of Auditing Standard No. 12.
    \244\ AU sec. 319.58.
---------------------------------------------------------------------------

(i). Obtaining an Understanding of Individual Components of Internal 
Control Over Financial Reporting
    To describe the auditor's responsibilities for obtaining an 
understanding of internal control, it was necessary to describe the 
components of internal control over financial reporting. The components 
described in Auditing Standard No. 12 are similar to those in AU sec. 
319.\245\ Auditing Standard No. 12 also states that auditors may use 
other suitable, recognized frameworks \246\ in accordance with the 
provisions of the standard. If the auditor uses a suitable, recognized 
internal control framework with components that differ from those in 
the standard, the auditor should adapt the requirements in the standard 
for the components in the framework used.\247\
---------------------------------------------------------------------------

    \245\ Paragraph 21 of Auditing Standard No. 12.
    \246\ See Securities Exchange Act Release No. 34-47986 (June 5, 
2003) for a description of the characteristics of a suitable, 
recognized framework.
    \247\ Paragraph 22 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(ii). Control Environment
    Auditing Standard No. 12 requires the auditor to assess the 
following matters as part of obtaining an understanding of the control 
environment:
     Whether management's philosophy and operating style 
promote effective internal control over financial reporting;
     Whether sound integrity and ethical values, particularly 
of top management, are developed and understood; and
     Whether the board or audit committee understands and 
exercises oversight responsibility over financial reporting and 
internal control.\248\
---------------------------------------------------------------------------

    \248\ Paragraph 24 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Although this requirement is aligned with a similar requirement in 
Auditing Standard No. 5 for evaluating the control environment, the 
auditor's process for assessing the control environment in an audit of 
financial statements only is not expected to be the same as that 
required when expressing an opinion on internal control over financial 
reporting. For audits of financial statements only, Auditing Standard 
No. 12 allows the auditor to base his or her assessment on evidence 
obtained as part of obtaining an understanding of the control 
environment and other relevant knowledge possessed by the auditor.\249\
---------------------------------------------------------------------------

    \249\ Ibid.
---------------------------------------------------------------------------

    Because of the importance of an effective control environment to 
address fraud risks, Auditing Standard No. 12 states that if the 
auditor identifies a control deficiency in the company's control 
environment, the auditor should evaluate the extent to which this 
control deficiency is indicative of a fraud risk factor.\250\
---------------------------------------------------------------------------

    \250\ Paragraph 25 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(iii) The Company's Risk Assessment Process
    Auditing Standard No. 12 requires the auditor to obtain an 
understanding of management's risk assessment process for (a) 
identifying risks relevant to financial reporting objectives, including 
risks of material misstatement due to fraud, (b) assessing the 
likelihood and significance of misstatements resulting from those 
risks, and (c) deciding about

[[Page 59381]]

actions to address those risks.\251\ The standard also requires the 
auditor to obtain an understanding of the risks of material 
misstatement identified and assessed by management and the actions 
taken to address those risks.\252\ Compliance with these requirements 
will help make sure that the auditor's risk assessments are 
appropriately informed by management's risk assessments and the 
controls that management put in place to address the risks.
---------------------------------------------------------------------------

    \251\ Paragraph 26 of Auditing Standard No. 12.
    \252\ Paragraph 27 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(iv) Information and Communication
    The reproposed standard required the auditor to obtain an 
understanding of the information system, including the related business 
processes, relevant to financial reporting. One commenter suggested 
removing the requirement to understand the company's business 
processes. The requirement was retained as reproposed.\253\ Obtaining 
an understanding of the company's business processes assists the 
auditor in obtaining an understanding of how transactions are 
initiated, authorized, processed, and recorded. Also, the requirement 
to understand business processes is a recommendation in the PAE 
Report.\254\ Auditing Standard No. 12 describes the necessary 
understanding of business processes to help auditors identify those 
business processes that are relevant to financial reporting.\255\
---------------------------------------------------------------------------

    \253\ Paragraph 28 of Auditing Standard No. 12.
    \254\ PAE Report, p. 15.
    \255\ Paragraphs 28-32 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Auditing Standard No. 12 also contains requirements for 
understanding the period-end financial reporting process \256\ and 
describes important elements of that process.\257\ Because the period-
end financial reporting process is a common source of potential 
misstatements, it is important for the auditor to have an adequate 
understanding of the aspects of the period-end financial reporting 
process in all audits, including audits of financial statements only. 
Auditing Standard No. 12 requires the auditor only to obtain an 
understanding \258\ of the process, as compared to Auditing Standard 
No. 5, which requires the auditor also to evaluate that process in the 
audit of internal control.
---------------------------------------------------------------------------

    \256\ AU sec. 319.49 used the term ``financial reporting process 
used to prepare the entity's financial statements,'' but Auditing 
Standard No. 12 uses the same term as used in Auditing Standard No. 
5.
    \257\ Paragraphs 28 and 32 of Auditing Standard No. 12.
    \258\ Paragraph 20 of Auditing Standard No. 12 discusses 
procedures that the auditor performs to obtain an understanding of 
internal control.
---------------------------------------------------------------------------

    To appropriately highlight the importance of IT risks in 
determining the scope of the audit, the standard requires the auditor 
to obtain an understanding of how IT affects the company's flow of 
transactions. The standard also contains a note that states that the 
identification of risks and controls within IT is not a separate 
evaluation. Instead, it is an integral part of the approach used to 
identify significant accounts and disclosures and their relevant 
assertions and, when applicable, to select the controls to test, as 
well as to assess risk and allocate audit effort.
    Regarding the auditor's understanding of communication, one 
commenter suggested that the standard clarify that the auditor should 
understand how the company communicates financial reporting roles and 
responsibilities and significant matters relating to financial 
reporting. The requirement in Auditing Standard No. 12 has been revised 
to clarify that point.\259\
---------------------------------------------------------------------------

    \259\ Paragraph 33 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(v) Control Activities
    The reproposed standard required the auditor to obtain an 
understanding of control activities that is sufficient to assess the 
factors that affect the risks of material misstatement and to design 
further audit procedures. As under AU sec. 319, a more extensive 
understanding of control activities is needed in areas in which the 
auditor plans to test controls. Thus, for purposes of evaluating the 
effectiveness of internal control over financial reporting in an 
integrated audit, the auditor's understanding of control activities 
encompasses a broader range of accounts and disclosures than that which 
is normally obtained in an audit of financial statements only.
    Some commenters expressed concern that the language in the 
requirement could be misinterpreted as requiring the auditor to obtain 
an understanding of all controls, even in an audit of financial 
statements only in which the auditor does not plan to test controls. A 
few commenters suggested framing the requirement in terms of 
understanding control activities relevant to the audit.
    The Board did not intend to expand the auditor's responsibilities 
for obtaining an understanding of control activities beyond what is 
required in AU sec. 319. The discussion in Auditing Standard No. 12 on 
obtaining an understanding of control activities has been revised, 
primarily using language adapted from AU sec. 319, to clarify that the 
substance of the requirement has not changed.\260\
---------------------------------------------------------------------------

    \260\ AU sec. 319.42 and paragraph 34 of Auditing Standard No. 
12.
---------------------------------------------------------------------------

(vi). Performing Walkthroughs
    The original proposed standard referred auditors to Auditing 
Standard No. 5 for a discussion of the performance of walkthroughs. 
Some commenters on the original proposed standard stated that the 
standard should include a discussion of walkthroughs rather than 
referring to Auditing Standard No. 5. The reproposed standard included 
a discussion of performing walkthroughs as part of meeting certain 
specified objectives, which paralleled a requirement in Auditing 
Standard No. 5 \261\ regarding understanding likely sources of 
potential misstatements. Some commenters expressed concerns that the 
discussion would lead to unnecessary walkthroughs, particularly in 
audits of financial statements only.
---------------------------------------------------------------------------

    \261\ Paragraph 34 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    The intention of including the discussion of walkthroughs was to 
explain how to perform walkthroughs rather than to impose requirements 
regarding when walkthroughs should be performed. The standard has been 
revised to focus on how the auditor should perform walkthroughs, e.g., 
in connection with understanding the flow of transactions in the 
information system relevant to financial reporting, evaluating the 
design of controls relevant to the audit, and determining whether those 
controls have been implemented.\262\ The discussion of the objectives 
for understanding likely sources of potential misstatements has been 
removed from Auditing Standard No. 12, so those objectives would 
continue to apply only to integrated audits.
---------------------------------------------------------------------------

    \262\ Paragraph 37 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(vii). Relationship of Understanding of Internal Control to Tests of 
Controls
    Auditing Standard No. 12, like the reproposed standard, contains a 
discussion about the relationship between obtaining an understanding of 
controls and testing controls, including entity-level controls.\263\ 
The requirements in Auditing Standard No. 12 clarify that the objective 
of obtaining an understanding of internal control as a risk assessment 
procedure is different from testing controls for the purpose of 
assessing control risk \264\ or for the purpose of expressing an 
opinion on internal control over financial reporting

[[Page 59382]]

in the audit of internal control.\265\ The standard allows the auditor 
the flexibility of obtaining an understanding of internal control 
concurrently with performing tests of controls if he or she obtains 
sufficient appropriate evidence to achieve the objectives of both 
procedures.\266\
---------------------------------------------------------------------------

    \263\ Paragraph 39 of Auditing Standard No. 12.
    \264\ Paragraphs 16-31 of Auditing Standard No. 13.
    \265\ Paragraph B1 of Auditing Standard No. 5.
    \266\ Paragraph 39 of Auditing Standard No. 12.
---------------------------------------------------------------------------

f. Information Obtained from Past Audits and Other Engagements
(i). Information from Past Audits
    The reproposed standard included a requirement for the auditor to 
incorporate knowledge obtained during past audits into the auditor's 
process for identifying risks of material misstatement. One commenter 
asked for clarification of the meaning of the term ``incorporate.'' Two 
commenters stated that the most important issue is to determine whether 
information from past audits is still relevant.
    The term ``incorporate'' is not new and should be familiar to most 
auditors. For example, it has been used in AU sec. 316 regarding the 
requirement to incorporate an element of unpredictability in the audit 
in response to fraud risks. The requirement in the reproposed standard 
was similar to a requirement in Auditing Standard No. 5 to incorporate 
knowledge obtained during past audits in subsequent year audits of 
internal control.\267\ Accordingly the term has been retained in 
Auditing Standard No. 12.
---------------------------------------------------------------------------

    \267\ Paragraph 57 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    Auditing Standard No. 12 also states that if the auditor plans to 
limit the nature, timing, or extent of his or her risk assessment 
procedures by relying on information from past audits, the auditor 
should evaluate whether the prior-years' information remains relevant 
and reliable.\268\
---------------------------------------------------------------------------

    \268\ Paragraph 43 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(ii). Information from Other Engagements
    The reproposed standard included a requirement for the auditor to 
take into account relevant information obtained through other 
engagements performed by the auditor for the company.\269\ This 
requirement was intended to focus on the responsibility to take 
relevant information into account in identifying and assessing risks 
rather than to prescribe a particular method for obtaining that 
information.
---------------------------------------------------------------------------

    \269\ PCAOB Rule 1001, Definitions of Terms Employed in Rules, 
states that, when used in rules of the PCAOB, unless the context 
otherwise requires, ``[t]he term `auditor' means both public 
accounting firms registered with the Public Company Accounting 
Oversight Board and associated persons thereof.''
---------------------------------------------------------------------------

    Some commenters suggested that the requirement should be limited to 
consideration of other engagements performed by the engagement partner. 
The suggested change would weaken the standard. Limiting the 
consideration of information to engagements performed for the company 
by the engagement partner is too narrow because it omits other 
important information sources that are available to the engagement 
team. Also, limiting the consideration to engagements performed by the 
engagement partner is inconsistent with prior PCAOB standards. For 
example, AU sec. 311.04 stated that procedures the auditor may consider 
in planning an audit usually involve discussions with other firm 
personnel, and includes the following example ``Discussing matters that 
may affect the audit with firm personnel responsible for non-audit 
services to the entity.'' Also, paragraph 03 of AU sec. 9311, Planning 
and Supervision: Auditing Interpretations of Section 311, stated:

    The auditor should consider the nature of non-audit services 
that have been performed. He should assess whether the services 
involve matters that might be expected to affect the entity's 
financial statements or the performance of the audit, for example, 
tax planning or recommendations on a cost accounting system. If the 
auditor decides that the performance of the non-audit services or 
the information likely to have been gained from it may have 
implications for his audit, he should discuss the matter with 
personnel who rendered the services and consider how the expected 
conduct and scope of his audit may be affected. In some cases, the 
auditor may find it useful to review the pertinent portions of the 
work papers prepared for the non-audit engagement as an aid in 
determining the nature of the services rendered or the possible 
audit implications.

    Other commenters suggested that the requirement be revised to use 
more of the language from AU sec. 9311. The requirement in Auditing 
Standard No. 12 \270\ has been revised as follows:
---------------------------------------------------------------------------

    \270\ Paragraph 45 of Auditing Standard No. 12.

    The auditor should obtain an understanding of the nature of the 
services that have been performed for the company by the auditor or 
affiliates of the firm\271\ and should take into account relevant 
information obtained from those engagements in identifying risks of 
material misstatement.\272\
---------------------------------------------------------------------------

    \271\ See PCAOB Rule 3501(a)(i), which defines ``affiliate of 
the accounting firm.''
    \272\ Paragraph 7 of Auditing Standard No. 9.

    One commenter stated that audit firms will need to develop very 
costly reporting systems to enable them to convey relevant information 
about nonassurance engagements to audit engagement teams. Existing 
PCAOB and SEC rules already require firms to track and report nonaudit 
services provided to the company. Complying with these requirements 
would mean that the audit firms have a mechanism in place to track 
these services. For example, PCAOB Rules 3524 \273\ and 352 \274\ 
require the auditor to describe to the company's audit committee, among 
other things, the scope of and the potential effect on independence of 
other services provided by the firm. It is expected that the system 
used to capture, track, and monitor these services for compliance with 
these PCAOB independence rules would also be applicable to comply with 
the requirements of Auditing Standard No. 12.
---------------------------------------------------------------------------

    \273\ PCAOB Rule 3524, Audit Committee Pre-approval of Certain 
Tax Services.
    \274\ PCAOB Rule 3526, Communication With Audit Committees 
Concerning Independence.
---------------------------------------------------------------------------

g. Performing Analytical Procedures
    The reproposed standard retained requirements from AU sec. 329, 
Analytical Procedures, to perform analytical procedures during the 
planning phase of the audit.\275\ Such analytical procedures are, in 
essence, risk assessment procedures, so the respective requirements and 
direction have been incorporated into Auditing Standard No. 12.\276\ 
One commenter stated that it is unclear whether the PCAOB intends a 
change in practice regarding the execution of analytical procedures 
performed as risk assessment procedures, e.g., because the requirements 
in the reproposed standard discussed developing expectations and 
comparing them to recorded amounts. AU sec. 329, states that analytical 
procedures involve developing expectations and comparing those 
expectations to recorded amounts.\277\
---------------------------------------------------------------------------

    \275\ AU secs. 329.06-.08.
    \276\ Paragraphs 46-48 of Auditing Standard No. 12.
    \277\ AU sec. 329.05.
---------------------------------------------------------------------------

    Auditing Standard No. 12 states that analytical procedures 
performed as risk assessment procedures often use data that is 
preliminary or data that is aggregated at a high level and that in 
those instances such analytical procedures are not designed with the 
level of precision necessary for substantive analytical 
procedures.\278\ In those situations, the auditor's expectations in 
performing analytical procedures as risk assessment procedures do not 
require the same

[[Page 59383]]

degree of precision as substantive analytical procedures.
---------------------------------------------------------------------------

    \278\ Paragraph 48 of Auditing Standard No. 12.
---------------------------------------------------------------------------

h. Conducting a Discussion Among Engagement Team Members Regarding 
Risks of Material Misstatement
    Like the reproposed standard, Auditing Standard No. 12 includes a 
requirement that key engagement team members discuss (1) the company's 
selection and application of accounting principles, including related 
disclosure requirements and (2) the susceptibility of the company's 
financial statements to material misstatement due to error or 
fraud.\279\ The standard explains that key engagement team members 
include the engagement partner and all engagement team members who have 
significant engagement responsibilities.\280\ The term ``significant 
engagement responsibilities'' should be familiar to auditors because it 
is already used in AU sec. 316 regarding the appropriate assignment of 
engagement team members in the overall responses to fraud risks.
---------------------------------------------------------------------------

    \279\ Paragraph 49 of Auditing Standard No. 12.
    \280\ Paragraph 50 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    One commenter stated that the requirement for participation in the 
discussion among engagement team members on the reproposed standard 
should be revised to use the language in ISA 315, Identifying and 
Assessing the Risks of Material Misstatement through Understanding the 
Entity and its Environment, so that the engagement partner makes the 
determination of what needs to be reported to whom on a ``need to 
know'' basis.
    The language in Auditing Standard No. 12 was retained as 
reproposed. The Board believes that the discussion among engagement 
team members is an important part of the auditor's risk assessment 
procedures. Through its oversight activities, the Board has observed 
deficiencies relating to discussions among engagement team members 
regarding fraud risks, including instances in which key engagement team 
members did not participate.\281\
---------------------------------------------------------------------------

    \281\ PCAOB Release 2007-001, Observations on Auditors' 
Implementation of PCAOB Standards Relating to Auditors' 
Responsibilities with Respect to Fraud (January 22, 2007).
---------------------------------------------------------------------------

(i). Discussion of the Potential for Material Misstatement Due to Fraud
    A number of comments were received regarding the requirements for 
discussing the risks of material misstatement due to fraud.
    One commenter suggested that the standard should require the 
auditor to consider using a fraud specialist. The Board believes that 
this point is already covered by the requirement in Auditing Standard 
No. 9 to evaluate whether a person with specialized skill or knowledge 
is needed to assess risks.\282\
---------------------------------------------------------------------------

    \282\ Paragraphs 16-17 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    One commenter suggested that the requirement to discuss how the 
financial statements could be materially misstated through omitting or 
presenting incomplete disclosures also should include the possibility 
of presenting inaccurate disclosures. The requirement has been revised 
to include that topic.\283\Another commenter stated that the standard 
should provide more ``guidance'' about how fraud risks relate to 
disclosures. The manner in which management might intentionally omit 
disclosures or present inaccurate or incomplete disclosures to commit 
or conceal intentional misstatement of the financial statements 
necessarily depends on the circumstances, including the incentives or 
pressures and the opportunities to manipulate the financial statements. 
The discussion of fraud risks required by the standard should prompt 
engagement team members to consider ways in which omissions or 
inaccuracies in disclosures might be involved with fraudulent financial 
reporting.
---------------------------------------------------------------------------

    \283\ Paragraph 52 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Another commenter stated that the requirement for the auditor to 
emphasize certain matters regarding fraud to the engagement team 
members during the fraud risk discussion does not assign the 
responsibility to a specific person. The requirement focuses on the 
communication of important matters rather than on the person 
communicating the matters. Since the engagement partner has the overall 
responsibility for the audit engagement, the engagement partner is 
likely to be the most appropriate person to make the communications. 
However, Auditing Standard No. 12 allows the communications to be made 
by another engagement team member, when appropriate.
(ii) Communication Among Engagement Team Members
    Auditing Standard No. 12 states that communication among the 
engagement team members about significant matters affecting the risks 
of material misstatement should continue throughout the audit, 
including when conditions change. This requirement carries forward and 
builds upon a requirement in AU sec. 316.\284\
---------------------------------------------------------------------------

    \284\ AU sec. 316.18.
---------------------------------------------------------------------------

i. Inquiring of the Audit Committee, Management, and Others Within the 
Company About the Risks of Material Misstatement
    Like the reproposed standard, Auditing Standard No. 12 requires the 
auditor to make inquiries of the audit committee, or equivalent (or its 
chair), management, the internal audit function, and others within the 
company who might reasonably be expected to have information that is 
important to the identification and assessment of risks of material 
misstatement.\285\ The requirement to inquire of others who ``might 
reasonably be expected to have information'' is similar to a 
requirement in AU sec. 316 for making inquiries of others about the 
existence or suspicion of fraud, and it establishes a principle to 
guide the auditor in determining those other persons to whom the 
inquiries should be addressed.\286\
---------------------------------------------------------------------------

    \285\ Paragraph 54 of Auditing Standard No. 12.
    \286\ AU sec. 316.24.
---------------------------------------------------------------------------

(i). Inquiries Regarding Fraud Risks
    The reproposed standard also required the auditor to make inquiries 
of the audit committee (or its chair), management, the internal audit 
function, and others within the company about the risks of fraud. 
Commenters suggested that the requirements for identifying other 
individuals within the company to whom inquiries should be directed 
should include determining the extent of such inquiries. Auditing 
Standard No. 12 reflects the suggested revision to that requirement 
because inquiries of other individuals should be designed to obtain 
information relevant to identifying and assessing fraud risks.\287\
---------------------------------------------------------------------------

    \287\ Paragraph 57 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    The reproposed standard included a requirement to take into account 
the fact that management is often in the best position to commit fraud 
when evaluating management's responses to inquiries about fraud risks 
and determining when it is necessary to corroborate management's 
responses. One commenter stated that the requirement was unclear and 
the use of the term ``take into account'' did not seem consistent with 
the Board's explanation in the release accompanying the reproposed 
standards. This requirement has been revised to clarify the requirement 
and to use ``take into account'' in a manner that is consistent with 
the other PCAOB standards.\288\
---------------------------------------------------------------------------

    \288\ Paragraph 58 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Auditing Standard No. 12 requires that the auditor use his or her

[[Page 59384]]

knowledge of the company and its environment, as well as information 
from other risk assessment procedures, to determine the nature of the 
inquiries about risks of material misstatement. This requirement 
carries forward and builds upon a requirement in AU sec. 316.\289\
---------------------------------------------------------------------------

    \289\ AU sec. 316.24.
---------------------------------------------------------------------------

    Auditing Standard No. 12 includes an additional required inquiry of 
the internal auditor about whether he or she is aware of instances of 
management override of controls and the nature and circumstances of 
such overrides. Also, Auditing Standard No. 12 requires the auditor to 
make inquiries of management and the audit committee, or equivalent 
regarding tips or complaints about the company's financial 
reporting.\290\ These required inquiries were added in light of 
research indicating that many incidents of fraud are uncovered through 
tips.\291\ These inquiries can provide important evidence about fraud 
risks.
---------------------------------------------------------------------------

    \290\ Paragraph 56 of Auditing Standard No. 12.
    \291\ See, e.g., Association of Certified Fraud Examiners, 2008 
Report to the Nation on Occupational Fraud & Abuse (2008).
---------------------------------------------------------------------------

    Auditing Standard No. 12 requires the auditor, when evaluating 
management's responses to inquiries about fraud risks and determining 
when it is necessary to corroborate management's responses, to take 
into account the fact that management is often in the best position to 
commit fraud. The standard also requires the auditor to obtain evidence 
to address inconsistencies in responses to inquiries. This requirement 
carries forward and builds upon a requirement in AU sec. 316.\292\
---------------------------------------------------------------------------

    \292\ AU sec. 316.27.
---------------------------------------------------------------------------

j. Identifying and Assessing the Risks of Material Misstatement
    Auditing Standard No. 12 sets forth a process for identifying and 
assessing the risks of material misstatement using the information 
obtained from the risk assessment procedures and other relevant 
knowledge possessed by the auditor.\293\ This process involves:
---------------------------------------------------------------------------

    \293\ Under Auditing Standard No. 12, the auditor has a 
responsibility to perform risk assessment procedures that provide an 
appropriate basis for his or her risk assessment. Auditing Standard 
No. 12 does not include the provision in the prior interim standards 
that allowed the auditor to assess risk at the maximum solely for 
efficiency reasons. Rather, the auditor needs to have a sufficient 
understanding of the company and its environment, including its 
internal control, in order to determine the risks of material 
misstatement and, in turn, to design effective tests of controls and 
substantive procedures.
---------------------------------------------------------------------------

     Identifying risks of misstatement using information 
obtained from risk assessment procedures and considering the 
characteristics of the accounts and disclosures in the financial 
statements.
     Evaluating whether the identified risks relate pervasively 
to the financial statements as a whole and potentially affect many 
assertions.
     Evaluating the types of potential misstatements that could 
result from the identified risks and the accounts, disclosures, and 
assertions that could be affected. This includes evaluating how risks 
at the financial statement level could affect risks at the assertion 
level.
     Assessing the likelihood of misstatement, including the 
possibility of multiple misstatements, and the magnitude of potential 
misstatement to assess the possibility that the risk could result in 
material misstatement of the financial statements. In making this 
assessment, the auditor may take into account the planned degree of 
reliance on controls that the auditor plans to test, if the auditor 
performs tests of controls in accordance with PCAOB standards.
     Identifying significant accounts and disclosures and their 
relevant assertions.
     Determining whether any of the identified and assessed 
risks of material misstatement are significant risks.\294\
---------------------------------------------------------------------------

    \294\ Paragraph 59 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    One commenter suggested that the word ``material'' should be 
inserted before the word ``misstatement'' in paragraph 56.a. of the 
reproposed standard. No change was made to Auditing Standard No. 12 
because inserting the word ``material'' would inappropriately narrow 
the auditor's focus on only material risks too early in the process of 
identifying and assessing risks of misstatement, i.e., before assessing 
the likelihood and magnitude of potential misstatements related to the 
risks.
    Commenters suggested that the standard should clarify that the 
likelihood and magnitude of potential misstatements should be 
considered in determining which risks are significant risks. Auditing 
Standard No. 12 includes an additional requirement that states, ``To 
determine whether an identified and assessed risk is a significant 
risk, the auditor should evaluate whether the risk requires special 
audit consideration because of the nature of the risk or the likelihood 
and potential magnitude of misstatement related to the risk.'' \295\ 
Also, the list of factors that should be evaluated in determining which 
risks are significant risks was expanded to include ``the effect of the 
quantitative and qualitative risk factors discussed in paragraph 60 of 
the standard [on identifying significant accounts and disclosures and 
their relevant assertions] on the likelihood and potential magnitude of 
misstatements.'' \296\ Including this new factor highlights the 
relationship between the identification of significant accounts and 
disclosures and their relevant assertions and the identification of 
significant risks. Specifically, risk factors that form the basis for 
identifying significant accounts and disclosures and their relevant 
assertions also inform the identification of significant risks, and 
significant risks affect one or more relevant assertions of significant 
accounts or disclosures.
---------------------------------------------------------------------------

    \295\ Paragraph 70 of Auditing Standard No. 12.
    \296\ Paragraph 71 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    Another commenter on the reproposed standard suggested that the 
term ``likelihood'' be defined more in terms of reasonable possibility 
as that term is used in Auditing Standard No. 5. However, that change 
would be inconsistent with the requirement to assess the likelihood of 
misstatements, i.e., the possibility that the risk would result in 
misstatement of the financial statements.
    One commenter indicated that the requirement in the note to 
paragraph 59.c. of the reproposed standard ``inappropriately infers 
that the auditor should, and can, associate the risks at the financial 
statement level with particular assertions in order to assess risks at 
the assertion level.'' Auditing Standard No. 8 states that risks of 
material misstatement at the financial statement level have a pervasive 
effect on the financial statements as a whole and potentially affect 
many assertions, and the standard provides examples of how risks at the 
financial statement level can result in misstatements.\297\ It is 
important for the auditor to take into account risks of material 
misstatement at the financial statement level in order to evaluate 
types of misstatements that could occur.
---------------------------------------------------------------------------

    \297\ Paragraph 6 of Auditing Standard No. 8.
---------------------------------------------------------------------------

    Under PCAOB standards, significant accounts and disclosures and 
their relevant assertions are identified based upon their risk 
characteristics. Thus, the auditor needs to identify and assess the 
risks in order to identify the relevant assertions of significant 
accounts and disclosures in accordance with PCAOB standards. For 
example, Auditing Standard No. 5 requires the auditor to identify 
significant accounts and disclosures and their relevant assertions in 
integrated audits.\298\ Also, AU sec. 319 required the auditor to 
perform substantive procedures for the relevant assertions of 
significant accounts and

[[Page 59385]]

disclosures for all audits of financial statements, which implicitly 
required the auditor to identify those accounts, disclosures, and 
assertions.\299\ Auditing Standard No. 12 imposes a more explicit 
requirement on the auditor to identify significant accounts and 
disclosures and their relevant assertions in all audits.
---------------------------------------------------------------------------

    \298\ Paragraph 28 of Auditing Standard No. 5.
    \299\ Ibid.
---------------------------------------------------------------------------

(i). Factors Relevant To Identifying Fraud Risks
    Auditing Standard No. 12 requires that the auditor evaluate whether 
the information gathered from the risk assessment procedures indicates 
that one or more fraud risk factors are present and should be taken 
into account in identifying and assessing fraud risks.\300\ The 
reproposed standard included a paragraph that stated that the auditor 
should not assume that all of the fraud risk factors discussed in must 
be observed to conclude that a fraud risk exists. Commenters suggested 
that the language was not clear as to the action that auditors would 
need to take to ``not assume.'' The paragraph has been revised to 
clarify that all of the conditions are not required to be observed or 
evident to conclude that a fraud risk exists.\301\
---------------------------------------------------------------------------

    \300\ Paragraph 65 of Auditing Standard No. 12.
    \301\ Paragraph 66 of Auditing Standard No. 12.
---------------------------------------------------------------------------

    (ii). Consideration of the Risk of Omitted or Incomplete 
Disclosures
    The reproposed standard stated that the auditor's evaluation of 
fraud risk factors should include an evaluation of how fraud could be 
perpetrated or concealed by omitting required disclosures or by 
presenting incomplete disclosures. One commenter stated that the 
requirement should also include consideration of the possibility of 
presenting inaccurate disclosures. Other commenters stated that the 
requirement should be revised to refer to disclosures required by the 
applicable financial reporting framework. The requirement has been 
revised to encompass inaccurate disclosures and to refer to disclosures 
required for the fair presentation of the financial statements in 
conformity with the applicable financial reporting framework.\302\
---------------------------------------------------------------------------

    \302\ Paragraph 67 of Auditing Standard No. 12.
---------------------------------------------------------------------------

(iii). Presumption of Fraud Risk Involving Improper Revenue Recognition
    Like the reproposed standard, Auditing Standard No. 12 contains a 
requirement that the auditor should presume that there is a fraud risk 
involving improper revenue recognition and evaluate which types of 
revenue, revenue transactions, or assertions may give rise to such 
risks.\303\ One commenter recommended rewording this paragraph to state 
that while revenue recognition should be presumed to be a higher level 
of risk, there are exceptions. The requirement was retained as stated 
in the reproposed standard because a significant number of financial 
reporting frauds relate to revenue recognition.\304\
---------------------------------------------------------------------------

    \303\ Paragraph 68 of Auditing Standard No. 12.
    \304\ See, e.g., Committee of Sponsoring Organizations of the 
Treadway Commission, Fraudulent Financial Reporting: 1998-2007 (May 
2010).
---------------------------------------------------------------------------

k. Definition of Significant Risk
    The reproposed standard defined significant risk as a risk of 
material misstatement that requires special audit consideration. Some 
commenters stated that the definition of ``significant risk'' in the 
reproposed standard should be revised to indicate that significant 
risks are ``identified risks'' and that they are determined using the 
``auditor's judgment'' or risks that the auditor ``determines.'' Adding 
a reference to the auditor's determination or auditor's judgment is 
unnecessary because those points are inherent in the requirements for 
identifying significant risks, e.g., in the required evaluation of the 
likelihood and potential magnitude of misstatements related to the 
risk. Similarly, the reference to ``identified risks'' is unnecessary 
because it is already mentioned in the requirement for determining 
significant risks. Accordingly, the definition of significant risk 
included in the reproposed standard is retained.

8. Auditing Standard No. 13--The Auditor's Responses to the Risks of 
Material Misstatement

a. Background
    Auditing Standard No. 13 establishes requirements for responding to 
the risks of material misstatement, including responses regarding the 
general conduct of the audit and responses involving audit procedures. 
Auditing Standard No. 13 applies to integrated audits and audits of 
financial statements only.
b. Linking Assessed Risks and Auditor's Responses
    The reproposed standard included a requirement for the auditor to 
design and implement appropriate responses to the ``assessed risks of 
material misstatement'' to address comments received on the original 
proposed standard for improving the linkage between the auditor's 
responses and the identification and assessment of risks of material 
misstatement. Acknowledging the improvements in the reproposed 
standard, some commenters continued to suggest that the objective also 
should state that the auditor is to address the assessed risks of 
material misstatement.
    In the Board's view, obtaining sufficient appropriate evidence to 
support the auditor's opinion requires the auditor to adequately 
respond to the risks of material misstatement. Accordingly, the title 
and objective of the standard continue to refer to responding to the 
risks of material misstatement. However, the Board recognizes that the 
appropriate identification and assessment of the risks of material 
misstatement in accordance with Auditing Standard No. 12 enable the 
auditor to effectively respond to the risks of material misstatement. 
Auditing Standard No. 13 continues to impose on auditors an 
unconditional responsibility to design and implement responses that 
address the risks of material misstatement identified and assessed in 
accordance with Auditing Standard No. 12.\305\ As with the reproposed 
standard, noncompliance with the requirements in Auditing Standard No. 
12 that leads to a failure to identify or appropriately assess a risk 
of material misstatement also could result in a failure to 
appropriately respond to the risk of material misstatement in 
accordance with this standard.\306\
---------------------------------------------------------------------------

    \305\ Paragraph 3 of Auditing Standard No. 13.
    \306\ Failure to address a risk of material misstatement also 
might indicate a failure to comply with Auditing Standard No. 12.
---------------------------------------------------------------------------

c. Overall Responses to Risks
    The reproposed standard included a requirement for the auditor to 
respond to the risks of material misstatement through overall responses 
and responses involving the nature, timing, and extent of audit 
procedures. Overall responses relate to the general conduct of the 
audit, e.g., appropriately assigning and properly supervising 
engagement team members, incorporating an element of unpredictability 
into the audit, evaluating the company's selection and application of 
significant accounting principles, and making pervasive changes to the 
audit. Such responses are required by AU sec. 316 in response to fraud 
risks, but the reproposed standard extended the requirement to apply to 
risks of material misstatement due to error or fraud. These responses, 
by their nature, are appropriate for addressing risks of material 
misstatement due to error or fraud.
    Some commenters expressed concerns regarding the expansion of the 
requirement for incorporating an

[[Page 59386]]

element of unpredictability to apply to risks of material misstatement 
other than fraud risks.
    In the Board's view, although incorporating an element of 
unpredictability is intended primarily to address fraud risks, it also 
can enable the auditor to detect errors or control deficiencies that 
could otherwise remain undetected. In addition, the requirement to 
incorporate an element of unpredictability when testing controls 
already exists in Auditing Standard No. 5. Auditing Standard No. 13 
continues to indicate that the auditor should incorporate an element of 
unpredictability as part of the response to the risks of material 
misstatement, including fraud risks.\307\
---------------------------------------------------------------------------

    \307\ Paragraph 5.c. of Auditing Standard No. 13.
---------------------------------------------------------------------------

    One commenter requested clarification regarding the differences 
between the first and third examples used to illustrate ways to 
incorporate an element of unpredictability in paragraph 5.c. of the 
reproposed standard. The first example in Auditing Standard No. 13 is 
intended to illustrate that the auditor may decide to perform audit 
procedures for a particular account, disclosure, or assertion even 
though the auditor's risk assessment did not identify specific risks 
associated with those accounts.\308\ The third example is intended to 
illustrate that when sampling a particular financial statement amount, 
the auditor may consider selecting items with amounts lower than the 
threshold that the auditor had used in the past, or expanding the 
selection to other sections of the population that the auditor had not 
tested in the past.\309\
---------------------------------------------------------------------------

    \308\ Paragraph 5.c. (1) of Auditing Standard No. 13.
    \309\ Paragraph 5.c. (3) of Auditing Standard No. 13.
---------------------------------------------------------------------------

    The reproposed standard required the auditor to evaluate whether it 
is necessary to make pervasive changes to the audit to adequately 
address the assessed risks of material misstatement. The reproposed 
standard did not require that pervasive changes be made in every audit. 
Instead, it required the auditor to evaluate whether pervasive changes 
that affect many aspects of the audit are needed to address the 
assessed risks of material misstatement. Commenters questioned the use 
of the term ``pervasive'' in the requirement. Auditing Standard No. 13 
provides additional explanation of the types of circumstances in which 
pervasive changes might be necessary.\310\
---------------------------------------------------------------------------

    \310\ Paragraph 6 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    Existing PCAOB standards require the auditor to apply professional 
skepticism as part of due care,\311\ and Auditing Standard No. 13 
states that the auditor's response to fraud risks involves the 
application of professional skepticism in gathering and evaluating 
audit evidence.\312\ The requirement is intended to emphasize the 
importance of professional skepticism in responding to risks of 
material misstatement without limiting its application to the auditor's 
responses.
---------------------------------------------------------------------------

    \311\ AU secs. 230.07-.09.
    \312\ Paragraph 7 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    One commenter expressed concern that the reproposed standard did 
not explicitly require the auditor to implement overall responses to 
risks at the financial statement level. Such an explicit requirement 
would inappropriately limit the auditor's overall responses to risks at 
the financial statement level. Many of the overall responses also apply 
to risks at the assertion level, e.g., assigning more experienced 
personnel or applying a greater extent of supervision to accounts or 
disclosures with higher risk.
d. Responses Involving the Nature, Timing, and Extent of Audit 
Procedures
    The reproposed standard required the auditor to design and perform 
audit procedures in a manner that addresses the assessed risks of 
material misstatement for each relevant assertion of each significant 
account and disclosure. Auditing Standard No. 13 retained this 
requirement as reproposed. The requirement emphasizes that the auditor 
should focus on each relevant assertion of each significant account and 
disclosure and the risks of material misstatement associated with the 
relevant assertion when designing and performing audit procedures.
    The reproposed standard also included requirements for the auditor 
to design the testing of controls to accomplish the objectives of both 
the audit of financial statements and the audit of internal control in 
an integrated audit. This requirement is aligned with Auditing Standard 
No. 5. One commenter suggested that that the requirement be removed 
because it relates only to integrated audits. The requirement was 
retained as reproposed because Auditing Standard No. 13 applies to 
integrated audits as well as audits of financial statements only, and 
tests of controls are a necessary response in the audit of internal 
control.\313\
---------------------------------------------------------------------------

    \313\ Paragraph 9.c. of Auditing Standard No. 13.
---------------------------------------------------------------------------

e. Tests of Controls in an Audit of Internal Control
    Auditing Standard No. 13 includes requirements for performing tests 
of controls in the audit of financial statements.\314\
---------------------------------------------------------------------------

    \314\ Paragraphs 16-35 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    In an integrated audit, the tests of controls performed in the 
audit of internal control are part of the auditor's responses to the 
risks of material misstatement, as indicated in paragraph 9-10 of 
Auditing Standard No. 13.\315\ To help facilitate the integration of 
tests of controls in an integrated audit, the standard continues to use 
language similar to that of Auditing Standard No. 5 when describing 
analogous terms and concepts relating to the testing of controls.
---------------------------------------------------------------------------

    \315\ Paragraph 39 of Auditing Standard No. 5 states, ``The 
auditor should test those controls that are important to the 
auditor's conclusion about whether the company's controls 
sufficiently address the assessed risk of misstatement to each 
relevant assertion.''
---------------------------------------------------------------------------

f. Tests of Controls and Control Risk Assessment in the Audit of 
Financial Statements
(i). Requirements on When to Test Controls
    AU sec. 319 required auditors to obtain evidence about the design 
effectiveness and operating effectiveness of controls (a) when the 
auditor plans to rely on selected controls to reduce his or her 
substantive procedures and (b) in those limited circumstances in which 
the auditor cannot obtain sufficient appropriate evidence through 
substantive procedures alone.\316\ Thus, except in those limited 
circumstances, AU sec. 319 provided auditors with flexibility to decide 
when or whether to test controls.
---------------------------------------------------------------------------

    \316\ AU sec. 319.66.
---------------------------------------------------------------------------

    Auditing Standard No. 13 does not change the requirements in AU 
sec. 319 regarding when testing controls is necessary in audits of 
financial statements only.\317\ In those audits, auditors continue to 
have the same flexibility in deciding when or whether to test controls 
to reduce their substantive procedures.\318\ Auditing Standard No. 13 
includes additional statements that emphasize the flexibility that 
auditors have in making these decisions and provides additional 
examples, adapted from AU sec. 319.68, of situations in which auditors 
cannot obtain sufficient appropriate audit evidence through substantive 
procedures alone.\319\
---------------------------------------------------------------------------

    \317\ Certain clarifying revisions were made to the discussion 
of relying on controls to modify the auditor's substantive 
procedures, in response to comments on the reproposed standard. See 
footnote 12 to paragraph 16 of Auditing Standard No. 13.
    \318\ Paragraph 16 of Auditing Standard No. 13.
    \319\ Paragraph 17 of Auditing Standard No. 13.

---------------------------------------------------------------------------

[[Page 59387]]

(ii). Period of Reliance
    Auditing Standard No. 13 states that when the auditor relies on 
controls to assess control risk at less than the maximum, the auditor 
must obtain evidence that the controls selected for testing are 
designed effectively and operated effectively during the entire period 
of reliance.\320\ The concept of the period of reliance was introduced 
in Auditing Standard No. 5 and discussed further in the PCAOB staff 
guidance, Staff Views: An Audit of Internal Control Over Financial 
Reporting That Is Integrated with an Audit of Financial Statements--
Guidance for Auditors of Smaller Public Companies. Auditing Standard 
No. 13 provides a definition of ``period of reliance'' that parallels 
the language in paragraph B4 of Auditing Standard No. 5.\321\
---------------------------------------------------------------------------

    \320\ Paragraph 16 of Auditing Standard No. 13.
    \321\ Paragraph A.3 of Auditing Standard No. 13.
---------------------------------------------------------------------------

(iii). Evidence About the Effectiveness of Controls
    Auditing Standard No. 13 describes the principle, adapted from AU 
sec. 319,\322\ that the evidence necessary to support the auditor's 
control risk assessment depends on the degree of reliance the auditor 
plans to place on the effectiveness of a control. In applying that 
principle, Auditing Standard No. 13 requires the auditor to obtain more 
persuasive audit evidence from tests of controls the greater the 
reliance the auditor places on the effectiveness of a control. In 
addition, Auditing Standard No. 13 requires the auditor to obtain more 
persuasive evidence about the effectiveness of controls for each 
relevant assertion for which the audit approach consists primarily of 
tests of controls, including situations in which substantive procedures 
alone cannot provide sufficient appropriate audit evidence.\323\
---------------------------------------------------------------------------

    \322\ AU sec. 319.90.
    \323\ Paragraph 18 of Auditing Standard No. 13.
---------------------------------------------------------------------------

(iv). Testing Operating Effectiveness
    Auditing Standard No. 13 requires the auditor to determine, among 
other things, whether the person performing the control possesses the 
necessary authority and competence to perform the control 
effectively.\324\ This requirement is intended to call to the auditor's 
attention that whether he or she possesses the appropriate level of 
authority and the knowledge and skills necessary to perform the control 
function is essential to whether a person can effectively perform the 
control. Thus, the auditor is required to make such determination 
before he or she can conclude about the effectiveness of the control.
---------------------------------------------------------------------------

    \324\ Paragraph 21 of Auditing Standard No. 13.
---------------------------------------------------------------------------

(v). Timing of Tests of Controls--Evidence Obtained During an Interim 
Period
    The reproposed standard stated that the auditor must obtain 
evidence about the effectiveness of controls selected for testing for 
the entire period of reliance. When the auditor tests controls during 
an interim period, additional evidence that is necessary concerning the 
operation of those controls for the remaining period of reliance 
depends on a series of factors listed in the reproposed standard, 
including, among other factors, the possibility of significant changes 
in internal control over financial reporting occurring subsequent to 
the interim date.
    One commenter suggested adding ``control environment'' to the list 
of factors that could affect the auditor's determination of what 
additional evidence is necessary. The control environment has an 
important, but indirect, effect on the likelihood that a misstatement 
will be prevented or detected on a timely basis. Also, unlike 
monitoring controls, the control environment is not designed to 
identify possible breakdowns in other controls. Accordingly, the 
control environment, by itself, does not reduce the amount of evidence 
needed concerning controls over specific relevant assertions for the 
remaining period. The control environment is not included in the list 
of factors in Auditing Standard No. 13.
    Another commenter suggested adding a requirement for the auditor to 
obtain, when applicable, audit evidence about subsequent changes to the 
controls tested during the interim period. A note has been added to 
Auditing Standard No. 13 requiring the auditor to obtain evidence about 
such subsequent changes, if significant.\325\
---------------------------------------------------------------------------

    \325\ Paragraph 30 of Auditing Standard No. 13.
---------------------------------------------------------------------------

(vi). Timing of Tests of Controls--Evidence from Past Audits
    Auditing Standard No. 13 states that the auditor should obtain 
evidence during the current year audit about the design and operating 
effectiveness of controls upon which the auditor relies.\326\ This 
requirement is based on the principle that auditors should support 
their control risk assessments each year with current evidence. 
However, when the auditor has tested the controls in the past and plans 
to rely on the same controls for the current year audit, the amount of 
evidence needed will vary based on the relevant factors listed in the 
standard.\327\ These additional factors generally relate to the degree 
of reliance on the control, the risk that the control will fail to 
operate as designed, and the nature and amount of evidence that the 
auditor has already obtained regarding the effectiveness of the 
controls. These requirements are consistent with Auditing Standard No. 
5. Also, the standard allows the auditor to use a benchmarking 
strategy, when appropriate, for automated application controls for 
subsequent years' audits, as do the provisions of Auditing Standard No. 
5. However, the standard does not permit testing controls once every 
third year because the standard requires evidence regarding the 
effectiveness of controls to be obtained each year.
---------------------------------------------------------------------------

    \326\ Paragraph 31 of Auditing Standard No. 13.
    \327\ Ibid.
---------------------------------------------------------------------------

    Some commenters expressed concern that the requirements in the 
reproposed standard for determining the amount of evidence needed in 
the current year could be interpreted as requiring the auditor to 
consider each factor listed for each of the controls that the auditor 
tested in the past, regardless of whether or not the auditor plans to 
rely on those controls for purposes of the current year audit. The 
requirement was intended to apply when the auditor tested the controls 
in the past audits and plans to rely on those controls and use evidence 
about the effectiveness of those controls obtained in prior years for 
purposes of the current year audit. That requirement is clarified in 
Auditing Standard No. 13.\328\
---------------------------------------------------------------------------

    \328\ Ibid.
---------------------------------------------------------------------------

(vii). Assessing Control Risk
    Auditing Standard No. 13 requires the auditor to assess control 
risk for relevant assertions.\329\ This requirement is not new. AU sec. 
319 established requirements for the auditor to assess control risk, 
and Auditing Standard No. 5 discusses control risk assessment in the 
financial statement audit portion of the integrated audit.\330\
---------------------------------------------------------------------------

    \329\ Paragraphs 32-34 of Auditing Standard No. 13.
    \330\ AU secs. 319.70, .83-.90 and paragraphs B4-B5 of Auditing 
Standards No. 5.
---------------------------------------------------------------------------

    Auditing Standard No. 13 requires the auditor to assess the control 
risk at the maximum level for relevant assertions when the controls 
necessary to sufficiently address the assessed risk of material 
misstatement in those assertions are missing or ineffective or when the 
auditor has not obtained sufficient appropriate evidence to support a 
control risk assessment below the maximum level.\331\
---------------------------------------------------------------------------

    \331\ Paragraph 33 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    One commenter expressed a concern that the reproposed standard 
seemed to

[[Page 59388]]

indicate that no reduction of the control risk assessment should occur 
based on understanding the design effectiveness of controls. The 
commenter suggested that a control that does not exist or is not 
designed effectively should have a different impact on the auditor's 
testing than a control that is designed effectively but not tested by 
the auditor.
    The risk assessment standards already address the points raised by 
the commenter regarding the effect of control deficiencies on the 
auditor's testing. Auditing Standard No. 12 requires the auditor to 
obtain an understanding of the design of the company's controls as part 
of his or her risk assessment procedures.\332\ If the auditor 
identifies design deficiencies in the company's controls, the auditor 
would take that into account in identifying and assessing the risks of 
material misstatement, and Auditing Standard No. 13 requires the 
auditor to implement responses to address those risks of material 
misstatement. When deficiencies are detected during the auditor's 
testing of controls that the auditor plans to rely on, Auditing 
Standard No. 13 requires the auditor to (1) perform tests of other 
controls related to the same assertion as the ineffective controls, or 
(2) revise the control risk assessment and modify the planned 
substantive procedures as necessary in light of the increased 
assessment of risk.\333\
---------------------------------------------------------------------------

    \332\ Paragraph 20 of Auditing Standard No. 12.
    \333\ Paragraph 34 of Auditing Standard No. 13.
---------------------------------------------------------------------------

    Another commenter suggested that the reproposed standard provide 
more direction about evaluating control deviations by adding a 
paragraph from Auditing Standard No. 5 regarding evaluating control 
deficiencies. The referenced paragraph does not apply specifically to 
assessing control risk in a financial statement audit, and Auditing 
Standard No. 13 requires the auditor to evaluate the evidence from all 
sources, including the results of test of controls, when assessing 
control risk for relevant assertions.\334\
---------------------------------------------------------------------------

    \334\ Paragraph 32 of Auditing Standard No. 13.
---------------------------------------------------------------------------

g. Substantive Procedures
    Auditing Standard No. 13 requires the auditor to perform 
substantive procedures for each relevant assertion of each significant 
account and disclosure, regardless of the assessed level of control 
risk.\335\ By definition, a relevant assertion of a significant account 
and disclosure has a reasonable possibility of containing a 
misstatement or misstatements that would cause the financial statements 
to be materially misstated.\336\ The requirement to obtain evidence 
from substantive procedures for each relevant assertion of each 
significant account and disclosure reflects the principle that the 
auditors need to implement appropriate responses to address the 
assessed risks of material misstatement.
---------------------------------------------------------------------------

    \335\ Paragraph 36 of Auditing Standard No. 13.
    \336\ Paragraph A9 of Auditing Standard No. 5.
---------------------------------------------------------------------------

    Existing PCAOB standards indicate that some risks of material 
misstatement might require more evidence from substantive procedures 
because of certain inherent limitations of internal control.\337\ For 
example, more evidence from substantive procedures ordinarily is needed 
for relevant assertions that have a higher susceptibility to management 
override or to lapses in judgment or breakdowns resulting from human 
failures. Observations from the Board's oversight activities have 
underscored the importance of this principle. Auditing Standard No. 13 
includes this principle because it is particularly relevant to the 
determination of the nature, timing, and extent of substantive 
procedures. It is also consistent with the principles regarding 
detection risk discussed in Auditing Standard No. 8.
---------------------------------------------------------------------------

    \337\ See, e.g., paragraph .14 of AU sec. 328, Auditing Fair 
Value Measurements and Disclosures.
---------------------------------------------------------------------------

h. Timing of Substantive Procedures
    The reproposed standard included a requirement for the auditor to 
take into account certain factors in determining whether it is 
appropriate to perform substantive procedures at an interim date. One 
commenter suggested that another point be added to the standard to 
require the auditor to review ``the internal control changes that have 
been made to date and the nature and extent of monitoring such changes 
by the client staff.'' Auditing Standard No. 13 requires the auditor to 
consider the effect of known or expected changes in the company, its 
environment, and its internal control over financial reporting during 
the remaining period on its risk assessments when determining whether 
to perform substantive procedures at an interim date.\338\ This 
additional requirement recognizes that both changes in controls and 
other changes to the company and its environment can affect the risks 
of material misstatement and, thus, the effectiveness of interim 
substantive procedures. For example, significant changes in industry or 
market conditions near year end could increase the risk of material 
misstatement regarding the valuation of assets at year end, which, in 
turn, would require significant audit attention during the remaining 
period.
---------------------------------------------------------------------------

    \338\ Paragraph 44.a.(3) of Auditing Standard No. 13.
---------------------------------------------------------------------------

    The reproposed standard stated that when an auditor performs 
substantive procedures as of an interim date, the auditor should 
perform substantive procedures, or substantive procedures combined with 
tests of controls, that provide a reasonable basis for extending the 
audit conclusions from the interim date to the period end. The 
reproposed standard also required that the auditor perform certain 
procedures that were adapted from AU sec. 313.
    Some commenters suggested that the Board remove the mandatory 
procedures in the reproposed standard, arguing that the procedures 
should be determined by the auditor based on professional judgment. 
Removing those requirements as suggested by the commenters would weaken 
PCAOB standards. Observations from the Board's oversight activities 
have included instances in which inadequate audit work was performed 
when extending the conclusion reached at the interim date to the end of 
the period covered by the financial statements. Therefore, retaining 
the mandatory procedures in this standard continues to be 
appropriate.\339\
---------------------------------------------------------------------------

    \339\ Paragraph 45 of Auditing Standard No. 13.
---------------------------------------------------------------------------

i. Substantive Procedures Responsive to Significant Risks
    Like the original proposed standard, the reproposed standard stated 
that the auditor should perform substantive procedures, including tests 
of details, that are specifically responsive to the significant risks. 
AU sec. 329 indicates that tests of details should be performed in 
response to significant risks.\340\
---------------------------------------------------------------------------

    \340\ AU sec. 329.09.
---------------------------------------------------------------------------

    One commenter continued to express concern about imposing a 
presumptively mandatory responsibility for auditors to perform tests of 
details in response to significant risks. Auditing Standard No. 13 
retains the requirement as reproposed.\341\ The nature and importance 
of significant risks warrant a high level of assurance from substantive 
procedures to adequately address the risk. Also, analytical procedures 
alone are not well suited to detecting certain types of misstatements 
related to significant risks, including, in particular, fraud risks. 
For example, when fraud risks are present, management might be able to 
override controls to allow adjustments that result in artificial 
changes to the financial statement relationships being analyzed,

[[Page 59389]]

causing the auditor to draw erroneous conclusions.
---------------------------------------------------------------------------

    \341\ Paragraph 11 of Auditing Standard No. 13.
---------------------------------------------------------------------------

j. Dual-purpose Test
    Auditing Standard No. 13 recognized that, in certain situations, 
the auditor might perform a substantive test of a transaction 
concurrently with a test of a control relevant to that transaction, 
i.e., a dual-purpose test. The auditor is required to design the dual-
purpose test to achieve the objectives of both the test of the control 
and the substantive test. In addition, the auditor is required to 
evaluate the results of the test in forming conclusions about both the 
assertion and the effectiveness of the control being tested.\342\ The 
standard refers the auditors to the relevant requirements in AU sec. 
350, Audit Sampling, for determining the proper sample size in a dual-
purpose test.
---------------------------------------------------------------------------

    \342\ Paragraph 47 of Auditing Standard No. 13.
---------------------------------------------------------------------------

9. Auditing Standard No. 14--Evaluating Audit Results

a. Background
    Auditing Standard No. 14 describes the auditor's responsibilities 
regarding the process of evaluating the results of the audit and 
determining whether sufficient appropriate audit evidence has been 
obtained in order to form the opinion to be expressed in the auditor's 
report. This standard consolidates into one auditing standard the 
requirements that were previously included in five separate auditing 
standards.\343\ The standard highlights matters that are important to 
the auditor's conclusions about the financial statements and the 
effectiveness of internal control.
---------------------------------------------------------------------------

    \343\ AU sec. 312, regarding evaluating audit results, including 
uncorrected misstatements; AU sec. 316, regarding fraud 
considerations that are relevant to evaluating audit results; AU 
sec. 329, regarding performing the overall review; AU sec. 326, 
regarding determining whether sufficient appropriate audit evidence 
has been obtained; and AU sec. 431, regarding the evaluation of 
disclosures.
---------------------------------------------------------------------------

b. Definition of Misstatement
    The reproposed standard defined the term ``misstatement'' as 
follows:

    A misstatement, if material individually or in combination with 
other misstatements, causes the financial statements not to be 
presented fairly in conformity with the applicable financial 
reporting framework.\344\ A misstatement may relate to a difference 
between the amount, classification, presentation, or disclosure of a 
reported financial statement item and the amount, classification, 
presentation, or disclosure that should be reported in conformity 
with the applicable financial reporting framework. Misstatements can 
arise from error (i.e., unintentional misstatement) or fraud.
---------------------------------------------------------------------------

    \344\ The auditor should look to the requirements of the 
Securities and Exchange Commission for the company under audit with 
respect to accounting principles applicable to that company.

    Some commenters indicated that the definition applied to ``material 
misstatement'' rather than ``misstatement'' and suggested revisions to 
the definition, e.g., moving the second sentence to the beginning of 
the definition.
    Auditing Standard No. 14 carries forward the definition of 
``misstatement'' as reproposed.\345\ This definition is not a 
definition of the term ``material misstatement.'' Rather, the 
definition emphasizes that misstatements prevent financial statements 
from being fairly presented in conformity with the applicable financial 
reporting framework, as discussed in AU sec. 411, The Meaning of 
Present Fairly in Conformity With Generally Accepted Accounting 
Principles. The phrase used in the definition, ``if material 
individually or in combination with other misstatements,'' is 
equivalent to the phrase ``In the absence of materiality 
considerations,'' which was used in the description of the term 
``misstatement'' in an auditing interpretation of AU sec. 312.\346\ The 
second sentence of the definition in Auditing Standard No. 14 describes 
the most common types of misstatements.\347\
---------------------------------------------------------------------------

    \345\ Paragraph A2 of Appendix A to Auditing Standard No. 14.
    \346\ Paragraph .02 of AU sec. 9312, Audit Risk and Materiality 
in Conducting an Audit: Auditing Interpretations of Section 312, 
which is superseded by the risk assessment standards, stated ``In 
the absence of materiality considerations, a misstatement causes the 
financial statements not to be in conformity with generally accepted 
accounting principles.''
    \347\ See also paragraph A2 of Auditing Standard No. 14.
---------------------------------------------------------------------------

c. Performing Analytical Procedures in the Overall Review
    Auditing Standard No. 14 adapted the requirements that were 
previously included in AU secs. 316 and 329 to read the financial 
statements and disclosures and perform analytical procedures in the 
overall review. The standard imposes on auditors a responsibility to 
read the financial statements and disclosures and perform analytical 
procedures to (a) evaluate the auditor's conclusions formed regarding 
significant accounts and disclosures and (b) assist in forming an 
opinion on whether the financial statements as a whole are free of 
material misstatement.\348\ In particular, Auditing Standard No. 14 
requires the auditor to evaluate whether (a) evidence gathered in 
response to unusual or unexpected transactions, events, amounts, or 
relationships previously identified during the audit is sufficient and 
(b) unusual or unexpected transactions, events, amounts, or 
relationships indicate risks of material misstatement that were not 
identified previously.\349\ Performing analytical procedures in the 
overall review assists the auditor in assessing the conclusions reached 
and in evaluating the overall financial statement presentation.
---------------------------------------------------------------------------

    \348\ Paragraph 5 of Auditing Standard No. 14.
    \349\ Paragraph 6 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Auditing Standard No. 14 adapted a requirement, which previously 
existed in AU sec. 316, for the auditor to perform analytical 
procedures relating to revenue through the end of the period.\350\ 
These procedures are intended to identify unusual or unexpected 
relationships involving revenue accounts that might indicate a material 
misstatement, including a material misstatement due to fraud. 
Performing analytical procedures relating to revenue is important in 
light of the generally higher risk of financial statement fraud 
involving revenue accounts.
---------------------------------------------------------------------------

    \350\ Paragraph 7 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Auditing Standard No. 14 requires the auditor to corroborate 
management's explanations regarding significant unusual or unexpected 
transactions, events, amounts, or relationships. The standard also 
states that if management's responses to the auditor's inquiries appear 
to be implausible, inconsistent with other audit evidence, imprecise, 
or not at a sufficient level of detail to be useful, the auditor should 
perform procedures to address the matter.\351\ Auditing Standard No. 
15, Audit Evidence, states that inquiry of company personnel, by 
itself, does not provide sufficient audit evidence to reduce audit risk 
to an appropriately low level.\352\ Therefore, obtaining corroboration 
of management's responses is important in obtaining sufficient 
appropriate audit evidence.
---------------------------------------------------------------------------

    \351\ Paragraph 8 of Auditing Standard No. 14.
    \352\ Paragraph 17 of Auditing Standard No. 15.
---------------------------------------------------------------------------

d. Clearly Trivial
    Auditing Standard No. 14 requires the auditor to accumulate 
misstatements identified during the audit, other than those that are 
clearly trivial.\353\ Like AU sec. 312, the standard allows the auditor 
to set a threshold for accumulating misstatements, provided that the 
threshold is set at a de minimis level that could not result in 
material misstatement of the financial statements, individually or in 
combination with other misstatements, after considering the possibility 
of

[[Page 59390]]

further undetected misstatement.\354\ The specific limitation on 
setting a threshold for accumulating misstatements is important to 
assure a proper evaluation of the effect of uncorrected misstatements 
on the financial statements.
---------------------------------------------------------------------------

    \353\ Paragraph 10 of Auditing Standard No. 14.
    \354\ Paragraph 11 of Auditing Standard No. 14.
---------------------------------------------------------------------------

e. Accumulating Misstatements
    The reproposed standard required the auditor to accumulate 
identified misstatements other than those that are clearly trivial. The 
reproposed standard also required the auditor to use his or her best 
estimate of the total misstatement in the accounts and disclosures that 
the auditor has tested, not just the amount of misstatements 
specifically identified. This includes misstatements related to 
accounting estimates and projected misstatements from substantive 
procedures that involve audit sampling.\355\
---------------------------------------------------------------------------

    \355\ Paragraphs 10-12 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Commenters suggested that the standard should use terms such as 
``known and likely misstatement'' or other terms to categorize the 
misstatements. Auditing Standard No. 14 uses the term ``identified 
misstatement'' to refer to misstatements that are identified during the 
audit and the term ``accumulated misstatements'' to refer to 
misstatements that are more than clearly trivial and, thus, should be 
accumulated by the auditor. Because Auditing Standard No. 14 requires 
the auditor to use his or her best estimate of the misstatements (which 
is how AU sec. 312 described ``likely misstatements''), it is not 
necessary to use the term ``known and likely misstatements.''
f. Correction of Misstatements
    Auditing Standard No. 14 requires that if management made 
corrections to accounts or disclosures in response to misstatements 
detected by the auditor, the auditor should evaluate management's work 
to determine whether the corrections have been recorded properly and to 
determine whether uncorrected misstatements remain.\356\ The standard 
imposes on auditors a responsibility to determine whether misstatements 
identified by the auditor and communicated to management are correctly 
recorded in the accounting records.
---------------------------------------------------------------------------

    \356\ Paragraph 16 of Auditing Standard No. 14.
---------------------------------------------------------------------------

g. Considerations When Accumulated Misstatements Approach the 
Materiality Level or Levels Used in Planning and Performing Audit 
Procedures
    Auditing Standard No. 14 requires the auditor to determine whether 
the overall strategy needs to be revised when the aggregate of 
misstatements accumulated during the audit approaches the materiality 
level or levels used in planning and performing the audit. When the 
aggregate of misstatements approaches the materiality level or levels 
used in planning and performing an audit, there likely will be greater 
than an appropriately low level of risk that possible undetected 
misstatements, combined with uncorrected misstatements accumulated 
during the audit, could be material to the financial statements. If the 
auditor assesses this risk to be unacceptably high, he or she should 
perform additional audit procedures or determine that management has 
adjusted the financial statements so that the risk that the financial 
statements are materially misstated has been reduced to an 
appropriately low level.\357\
---------------------------------------------------------------------------

    \357\ Paragraph 14 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    The reproposed standard stated that when the aggregate of 
accumulated misstatements approaches the materiality used in planning 
and performing the audit, the auditor should perform additional 
procedures or determine that management has adjusted the financial 
statements so that the risk of material misstatement has been reduced 
to an appropriately low level. One commenter suggested that it is not 
clear what the additional procedures are and that more work is not 
always the answer. The additional procedures that are necessary depend 
upon, among other things, the procedures performed by the auditor to 
date and the nature of the misstatements that were detected.
h. Requirement to Reevaluate the Materiality Level
    Auditing Standard No. 11 includes a requirement to reevaluate the 
established materiality level or levels in certain circumstances. 
Auditing Standard No. 14 states that if the reevaluation of the 
materiality level or levels established in accordance with Auditing 
Standard No. 11 results in a lower amount for the materiality level or 
levels, the auditor should take into account that lower materiality 
level in the evaluation of uncorrected misstatements.\358\ The 
requirements are intended to prevent the auditor from incorrectly 
concluding that uncorrected misstatements are immaterial because he or 
she used outdated financial statement information. However, the 
standard does not allow the auditor to establish a higher level or 
levels of materiality when uncorrected misstatements exceed the 
initially established level or levels of materiality.
---------------------------------------------------------------------------

    \358\ Paragraph 17 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Reevaluating the established materiality level or levels prior to 
evaluating the effect of uncorrected misstatements will cause audit 
results to be evaluated based on the latest financial information.
i. Evaluating Uncorrected Misstatements
    The reproposed standard stated that the auditor should evaluate the 
uncorrected misstatements in relation to accounts and disclosures and 
to the financial statements as a whole, taking into account relevant 
quantitative and qualitative factors. The reproposed standard retained 
the provisions regarding qualitative factors that were included in an 
auditing interpretation to AU sec. 312,\359\ with some minor revisions 
to align the factors more closely to the terminology in the reproposed 
standard and to omit qualitative factors that apply only to nonissuers. 
A commenter indicated that the term ``profitability,'' which is 
included in the qualitative factors in Appendix B, is not defined, and 
the commenter suggested including examples of profitability in the 
reproposed standard. Although this term is not explicitly defined in 
Auditing Standard No. 14, it should be familiar to auditors because the 
related auditing interpretation was issued in 2000. Auditing Standard 
No. 14 carries forward the requirements and the related list of 
qualitative factors that are substantially the same as those in the 
auditing interpretation.\360\
---------------------------------------------------------------------------

    \359\ AU sec. 9312.15-17.
    \360\ AU sec. 9312 and paragraph 17 and Appendix B of Auditing 
Standard No. 14.
---------------------------------------------------------------------------

    Auditing Standard No. 14 requires an evaluation of the effects of 
both uncorrected misstatements detected in prior years and 
misstatements detected in the current year that relate to prior 
years.\361\ The standard does not address how to evaluate the effects 
of prior period misstatements because that is an accounting and 
financial reporting matter. For example, the SEC staff has provided 
guidance in SEC Staff Accounting Bulletin (``SAB'') Topic 1.N, 
Considering the Effects of Prior Year Misstatements when Quantifying 
Misstatements in Current Year Financial Statements, on the effects of 
prior year misstatements when quantifying

[[Page 59391]]

misstatements in the current year financial statements. This SAB 
provides the SEC staff's views regarding evaluating the quantitative 
and qualitative factors regarding the materiality of uncorrected 
misstatements and evaluating the effects of prior year misstatements.
---------------------------------------------------------------------------

    \361\ Paragraph 18 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Auditing Standard No. 14 states that the auditor cannot assume that 
an instance of error or fraud is an isolated occurrence and that the 
auditor should evaluate the nature and effects of the individual 
misstatements accumulated during the audit on the assessed risks of 
material misstatement.\362\ This procedure is important to inform the 
auditor's conclusions about whether the auditor's risk assessments 
remain appropriate and whether he or she has obtained sufficient 
appropriate evidence to support his or her opinion.
---------------------------------------------------------------------------

    \362\ Paragraph 19 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    The reproposed standard included a requirement to evaluate the 
nature and effects of the individual misstatements accumulated during 
the audit on the assessed risks of material misstatement. A commenter 
suggested that this evaluation should be performed at the time the 
misstatement is identified. In the Board's view, it is not necessary to 
prescribe the timing for the evaluation of the nature and effects of 
misstatements on the risk assessments. However, performing this 
evaluation during the course of the audit could allow the auditor to 
make the necessary modifications to his or her planned audit procedures 
on a more timely basis.
    The reproposed standard required the auditor to evaluate whether 
identified misstatements might be indicative of fraud and, in turn, how 
they affect the auditor's evaluation of materiality and the related 
audit responses. This requirement is adapted from AU sec. 316.\363\ One 
commenter suggested that when there is an indicator of fraud, the 
requirement should make clear that clearly trivial misstatements may 
need to be evaluated to determine if they should be included in the 
accumulated misstatements. Like AU sec. 316, the requirement in the 
reproposed standard was phrased in terms of identified misstatements 
rather than accumulated misstatements because fraud of relatively small 
amounts can be material to the financial statements.
---------------------------------------------------------------------------

    \363\ AU sec. 316.75.
---------------------------------------------------------------------------

    Auditing Standard No. 14 retains the requirement as 
reproposed.\364\ If an auditor detects a misstatement, he or she should 
evaluate whether the misstatement is indicative of fraud when deciding 
whether a misstatement is clearly trivial and thus does not warrant 
being included with accumulated misstatements. Additionally, in 
situations in which the auditor believes that a misstatement is or 
might be intentional and the effect on the financial statements could 
be material or cannot be readily determined, Auditing Standard No. 14 
requires that the auditor perform procedures to obtain additional audit 
evidence to determine whether the fraud has occurred or is likely to 
have occurred. If the fraud has occurred or is likely to have occurred, 
the auditor is required to determine its effect on the financial 
statements and the auditor's report thereon.
---------------------------------------------------------------------------

    \364\ Paragraph 20 of Auditing Standard No. 14.
---------------------------------------------------------------------------

j. Communication of Accumulated Misstatements to Management
    The reproposed standard required the auditor to communicate 
accumulated misstatements to management on a timely basis to provide 
management with an opportunity to correct them. The reproposed standard 
also required the auditor to obtain an understanding of the reasons 
that management decided not to correct misstatements communicated by 
the auditor.
    Some commenters suggested that the standard should specifically 
require the auditor to request management to correct the misstatements.
    Auditing Standard No. 14 retains the requirement as 
reproposed.\365\ It is not necessary to specifically require the 
auditor to request that management correct the misstatements because 
management has its own legal responsibilities in relation to the 
preparation and maintenance of the company's books, records, and 
financial statements. Section 13(i) of the Securities and Exchange Act 
of 1934, 15 U.S.C. 78m(i), requires the financial statements filed with 
the SEC to reflect all material correcting adjustments identified by 
the auditor.
---------------------------------------------------------------------------

    \365\ Paragraphs 15 and 25 of Auditing Standard No. 14.
---------------------------------------------------------------------------

k. Communication of Illegal Acts
    Auditing Standard No. 14 requires the auditor to determine his or 
her responsibility under AU secs. 316.79-.82A, AU sec. 317, and Section 
10A of the Securities and Exchange Act of 1934, 15 U.S.C. 78j-1, if the 
auditor becomes aware of information indicating that fraud or another 
illegal act has occurred or might have occurred.\366\
---------------------------------------------------------------------------

    \366\ Paragraph 23 of Auditing Standard No. 14.
---------------------------------------------------------------------------

l. Evaluating the Qualitative Aspects of the Company's Accounting 
Practices
    Auditing Standard No. 14 requires the auditor to evaluate the 
qualitative aspects of the company's accounting practices, including 
potential bias in management's judgments regarding the amounts and 
disclosures in the financial statements.\367\
---------------------------------------------------------------------------

    \367\ Paragraph 24 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Auditing Standard No. 14 also states that if the auditor identifies 
bias in management's judgments about the amounts and disclosures in the 
financial statements, the auditor should evaluate whether the effect of 
that bias, together with the effect of uncorrected misstatements, 
results in material misstatement of the financial statements. Also, the 
standard states that the auditor should evaluate whether the auditor's 
risk assessments, including, in particular, the assessment of fraud 
risks, and the related audit responses remain appropriate.\368\
---------------------------------------------------------------------------

    \368\ Paragraph 26 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    The reproposed standard included an example of management bias, 
which was based on observations from the Board's oversight activities. 
This example indicated that when management identifies adjusting 
entries that offset misstatements identified by the auditor, the 
auditor should perform procedures to determine why the underlying 
misstatement was not identified previously. The auditor also should 
evaluate the implications on the integrity of management, and the 
auditor's risk assessments, including fraud risk assessments, and 
perform additional procedures as necessary to address the risk of 
further undetected misstatements. A commenter suggested using the 
phrase ``identified misstatements other than those that are * * * 
clearly trivial'' instead of ``identified misstatements.'' The 
requirement has been revised to refer to misstatements accumulated by 
the auditor as required by paragraph 10 of Auditing Standard No. 
14.\369\
---------------------------------------------------------------------------

    \369\ Paragraph 25 of Auditing Standard No. 14.
---------------------------------------------------------------------------

m. Assessment of Fraud Risks
    The reproposed standard required the auditor to evaluate whether 
the accumulated results of auditing procedures and other observations 
affect the auditor's assessment of fraud risks made throughout the 
audit and whether the audit procedures need to be modified to respond 
to those risks.\370\ The reproposed standard included a reference to 
Appendix C, which listed matters that might affect the assessment of 
fraud risks. Appendix C stated that if

[[Page 59392]]

the matters listed in the appendix are identified during the audit, the 
auditor should determine whether the assessment of fraud risks remains 
appropriate or needs to be revised. This requirement was included 
because the evaluation provides additional insight regarding the fraud 
risks and the potential need to perform additional procedures to 
support the opinion to be expressed in the auditor's report.
---------------------------------------------------------------------------

    \370\ Paragraph 28 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    Some commenters indicated that the requirement in Appendix C seems 
to indicate that the auditor is required to determine if each item 
identified during the audit individually affects the assessment of 
fraud risks, which appears to be inconsistent with paragraph 28. Those 
commenters suggested revisions to the first sentence of Appendix C. 
After considering these comments, the first sentence of Appendix C has 
been revised to state that if the matters listed in the appendix are 
identified during the audit, the auditor should take into account these 
matters in the evaluation of the assessment of fraud risks, as 
discussed in paragraph 28.\371\
---------------------------------------------------------------------------

    \371\ Paragraph C1 of Appendix C to Auditing Standard No. 14.
---------------------------------------------------------------------------

    One commenter suggested including in Appendix C specific procedures 
that the auditor could perform to evaluate fraud risk, such as 
evaluating journal entries with round numbers or amounts slightly below 
a specified threshold. This type of procedure could be appropriate for 
selecting journal entries for testing, but it is different in nature 
from the matters listed in Appendix C.
    Auditing Standard No. 14 includes a requirement for the engagement 
partner to determine whether there has been appropriate communication 
with the other engagement team members throughout the audit regarding 
information or conditions that are indicative of fraud risks.\372\ This 
requirement is adapted from the existing PCAOB standards.\373\
---------------------------------------------------------------------------

    \372\ Paragraph 29 of Auditing Standard No. 14.
    \373\ AU sec. 316.18.
---------------------------------------------------------------------------

n. Evaluating Financial Statement Disclosures
    The reproposed standard included a requirement, adapted from AU 
sec. 431, for the auditor to evaluate whether the financial statements 
contain the required disclosures and, if the required disclosures are 
not included in the financial statements, to express a qualified or 
adverse opinion in accordance with AU sec. 508, Reports on Audited 
Financial Statements. The reproposed standard also stated that 
evaluation of disclosures includes consideration of the form, 
arrangement, and content of the financial statements (including the 
accompanying notes), encompassing matters such as the terminology used, 
the amount of detail given, the classification of items in the 
statements, and the bases of amounts set forth. These requirements were 
included in the reproposed standard because of the importance of 
disclosures to the fair presentation of financial statements.
    Some commenters stated that the requirements regarding evaluation 
of disclosures should be qualified based on materiality considerations. 
Auditing Standard No. 14 states that the auditor should evaluate 
whether the financial statements contain the information essential for 
a fair presentation of the financial statements in conformity with the 
applicable financial reporting framework, which is aligned with an 
analogous requirement in AU sec. 508.41.\374\ AU sec. 411 discusses the 
concept of materiality regarding the auditor's opinion that financial 
statements are presented fairly.\375\
---------------------------------------------------------------------------

    \374\ Paragraph 31 of Auditing Standard No. 14.
    \375\ AU sec. 411.04.
---------------------------------------------------------------------------

    Another commenter questioned whether the statement that 
``Evaluation of disclosures includes consideration of the form, 
arrangement, and content of the financial statements (including the 
accompanying notes), encompassing matters such as the terminology used, 
the amount of detail given, the classification of items in the 
statements, and the bases of amounts set forth'' is a requirement. The 
statement in the reproposed standard, which is retained in Auditing 
Standard No. 14, explains that the scope of the auditor's required 
evaluation of the information disclosed in the financial statements 
includes matters such as the form, arrangement, and content of the 
financial statements.\376\
---------------------------------------------------------------------------

    \376\ Paragraph 31 of Auditing Standard No. 14.
---------------------------------------------------------------------------

o. Evaluating the Sufficiency and Appropriateness of Audit Evidence
    The reproposed standard required the auditor to conclude whether 
sufficient appropriate audit evidence has been obtained to support his 
or her opinion on the financial statements. The reproposed standard 
also presented a list of factors that are relevant to the auditor's 
conclusion on whether sufficient appropriate audit evidence has been 
obtained. Consideration of the listed factors is essential to reaching 
an informed conclusion about whether sufficient appropriate audit 
evidence has been obtained. Accordingly, both the requirement and the 
list of factors contained in the reproposed standard have been 
retained.\377\
---------------------------------------------------------------------------

    \377\ Paragraphs 33-34 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    A commenter suggested that corrected adjustments also should be 
considered in concluding whether sufficient appropriate audit evidence 
has been obtained. Auditing Standard No. 14 already requires the 
auditor to evaluate the results of audit procedures in evaluating 
whether sufficient appropriate evidence has been obtained, and this 
would include misstatements identified by the auditor, regardless of 
whether they were corrected by management.\378\
---------------------------------------------------------------------------

    \378\ Paragraph 34 of Auditing Standard No. 14.
---------------------------------------------------------------------------

    The reproposed standard expanded the requirements regarding 
situations in which the auditor has not obtained sufficient appropriate 
audit evidence to include situations in which the auditor has 
substantial doubt about a relevant assertion. This additional provision 
was adapted from AU sec. 326. A commenter suggested that the 
requirement be revised to state that the auditor should attempt to 
obtain additional evidence if the auditor has not obtained sufficient 
appropriate evidence about a relevant assertion. The requirement has 
been retained as stated in the reproposed standard because it covers 
situations in which the evidence is inadequate and situations in which 
the auditor has concerns about whether an assertion is misstated.\379\
---------------------------------------------------------------------------

    \379\ Paragraph 35 of Auditing Standard No. 14.
---------------------------------------------------------------------------

p. Evaluating the Results of the Audit of Internal Control
    The reproposed standard included a section relating to evaluating 
audit results in the audit of internal control, which references 
Auditing Standard No. 5 for the requirements on evaluating the results 
of the audit of internal control.\380\ A commenter suggested removing 
this paragraph from the reproposed standard. Auditing Standard No. 14 
retains this paragraph, although it does not impose additional 
requirements. Including this paragraph emphasizes that, in integrated 
audits, the evaluation of audit results is an integrated process that 
affects both audits.
---------------------------------------------------------------------------

    \380\ Paragraph 37 of Auditing Standard No. 14.
---------------------------------------------------------------------------

10. Auditing Standard No. 15--Audit Evidence

a. Background
    Auditing Standard No. 15 explains what constitutes audit evidence, 
establishes requirements regarding designing and performing audit 
procedures to obtain sufficient

[[Page 59393]]

appropriate audit evidence to support the opinion in the auditor's 
report, and discusses methods for selecting items for testing.
b. Nature of Audit Evidence
    The reproposed standard stated that audit evidence is all the 
information, whether obtained from audit procedures or other sources, 
that is used by the auditor in arriving at the conclusions on which the 
auditor's opinion is based. Audit evidence consists of both information 
that supports and corroborates management's assertions regarding the 
financial statements or internal control over financial reporting and 
any information that contradicts such assertions.
    One commenter indicated that the meaning of the phrase ``and any 
information that contradicts such assertions'' was unclear. The 
commenter suggested that the Board clarify whether the requirement 
meant the auditor should look for such contradictory information, or if 
the requirement should apply only when such information comes to the 
auditor's attention.
    PCAOB standards require the auditor to plan and perform the audit 
to obtain sufficient appropriate evidence to support an opinion about 
whether the financial statements are free of material misstatement and, 
in the audit of internal control, whether material weaknesses 
exist.\381\ Thus, the auditor is required to perform the audit 
procedures necessary to test the accounts and controls, regardless of 
whether the results of those procedures support or contradict the 
assertions. The requirement in Auditing Standard No. 15 means that when 
contradictory evidence is obtained, the auditor should evaluate it when 
forming a conclusion on the financial statements and, in integrated 
audits, on internal control over financial reporting. To clarify the 
requirement, Auditing Standard No. 15 omits the word ``any.'' \382\
---------------------------------------------------------------------------

    \381\ Paragraph 3 of Auditing Standard No. 8 and paragraph 3 of 
Auditing Standard No. 5, respectively.
    \382\ Paragraph 2 of Auditing Standard No. 15.
---------------------------------------------------------------------------

c. Objective
    The objective in the reproposed standard acknowledged the auditor's 
responsibility to plan and perform the audit to obtain sufficient 
appropriate audit evidence to support the opinion expressed in the 
auditor's report. Commenters suggested revising the wording in 
paragraph 4 of the reproposed standard to be consistent with the 
objective in paragraph 3 of the reproposed standard. The requirement in 
paragraph 4 of Auditing Standard No. 15 has been revised to be 
consistent with the objective of the standard.
d. Sufficient Appropriate Audit Evidence
    The reproposed standard explained the meaning of the words 
``sufficient'' and ``appropriate'' as used in the phrase ``sufficient 
appropriate audit evidence.'' Commenters suggested that the Board 
provide formal definitions for terms like ``sufficiency'' and 
``appropriate'' so the terms can be easily located within the 
standards. Adding definitions is unnecessary because Auditing Standard 
No. 15 already describes the terms ``sufficiency'' and 
``appropriateness'' and explains the relevant characteristics of 
each.\383\
---------------------------------------------------------------------------

    \383\ Paragraphs 5-6 of Auditing Standard No. 15.
---------------------------------------------------------------------------

    Commenters stated that the term ``persuasive'' was used in the 
reproposed standard, The Auditor's Responses to the Risks of Material 
Misstatement, and recommended that the Board clarify in the reproposed 
audit evidence standard the manner in which the persuasiveness of 
evidence affects the evaluation of audit evidence. The concept of 
``persuasiveness of evidence'' is discussed in Auditing Standard No. 
13.\384\
---------------------------------------------------------------------------

    \384\ Paragraph 39 of Auditing Standard No. 13.
---------------------------------------------------------------------------

e. Relevance and Reliability
    The reproposed standard contained a discussion about the relevance 
and reliability of audit evidence. The reproposed standard stated that 
the audit evidence must be both relevant and reliable to support the 
auditor's conclusions about the subject of the audit procedure. The 
reproposed standard stated that ``[e]vidence provided by original 
documents is more reliable than evidence provided by photocopies or 
facsimiles, or documents that have been filmed, digitized, or otherwise 
converted into electronic form, the reliability of which depends on the 
controls over the conversion and maintenance of those documents.''
    One commenter suggested that the standard be revised to indicate 
that electronic information, subject to proper controls, is in many 
ways more reliable than physical documentation. The language from the 
reproposed standard was retained in Auditing Standard No. 15.\385\ 
Although evidence sometimes is available only in electronic form and 
the reliability of electronic evidence depends on the controls over 
that information, an authentic original document generally is more 
reliable than an electronic form of that document.
---------------------------------------------------------------------------

    \385\ Paragraph 8 of Auditing Standard No. 15.
---------------------------------------------------------------------------

    The reproposed standard stated that the relevance of audit evidence 
refers to its relationship to the assertion or to the objective of the 
control being tested. The relevance of audit evidence depends on (a) 
the design of the audit procedure used to test the assertion or 
control, and (b) the timing of the audit procedure used to test the 
assertion or control. One commenter recommended the description of the 
term ``relevance'' should be expanded to include the following 
statements:

    Relevance deals with the logical connection with, or bearing 
upon, the purpose of the audit procedure and, when appropriate, the 
assertion under consideration. The relevance of information to be 
used as audit evidence may be affected by the direction of testing.

    Auditing Standard No. 15 retains the description included in the 
reproposed standard because it is clearer than the suggested 
revision.\386\
---------------------------------------------------------------------------

    \386\ Paragraph 7 of Auditing Standard No. 15.
---------------------------------------------------------------------------

    The reproposed standard indicated that ``[t]he auditor is not 
expected to be an expert in document authentication. However, if 
conditions indicate that a document may not be authentic or that the 
terms in a document have been modified but that the modifications have 
not been disclosed to the auditor, the auditor should modify the 
planned audit procedures or perform additional audit procedures to 
respond to those conditions and should evaluate the effect, if any, on 
the other aspects of the audit.''
    One commenter suggested that the requirement for the auditor to 
modify the planned audit procedures or perform additional audit 
procedures in response to concerns about the authenticity of documents 
should be linked to professional skepticism. The commenter also stated 
that many modifications are routine. The requirement was not meant to 
require the auditor to perform unlimited procedures but, rather, to 
perform the procedures necessary to address the issue in the 
circumstances. Auditing Standard No. 15 retains this requirement as 
reproposed.\387\Although professional skepticism is important in these 
situations, it is not the only factor that determines the procedures 
necessary to address the matter.
---------------------------------------------------------------------------

    \387\ Paragraph 9 of Auditing Standard No. 15.
---------------------------------------------------------------------------

f. Financial Statement Assertions
    In representing that the financial statements are presented fairly 
in conformity with the applicable financial reporting framework, 
management

[[Page 59394]]

implicitly or explicitly makes assertions regarding the recognition, 
measurement, presentation, and disclosure of the various elements of 
financial statements and related disclosures. Financial statement 
assertions are an important consideration for audits performed in 
accordance with PCAOB standards. For example, AU sec. 319 required 
auditors to perform substantive procedures for relevant assertions in 
audits of financial statements. Auditing Standard No. 5 requires 
auditors to obtain evidence about the design and operating 
effectiveness of controls over relevant assertions in audits of 
internal control.
    The reproposed standard retained the five categories of financial 
statement assertions in AU sec. 326 and Auditing Standard No. 5. Two 
commenters suggested that the Board use different descriptions for 
financial statement assertions. One commenter suggested using other 
standard-setters' descriptions of financial statement assertions. The 
other commenter suggested using a different description of assertions. 
Auditing Standard No. 15 retains the categories of assertions as 
reproposed.\388\ Like Auditing Standard No. 5,\389\Auditing Standard 
No. 15 allows auditors the flexibility to use categories of assertions 
that differ from the assertions listed in the standard under specified 
conditions.\390\
---------------------------------------------------------------------------

    \388\ Paragraph 11 of Auditing Standard No. 15.
    \389\ See the note to paragraph 28 of Auditing Standard No. 5.
    \390\ Paragraph 12 of Auditing Standard No. 15.
---------------------------------------------------------------------------

g. Inquiry
    The reproposed standard stated that inquiry of company personnel, 
by itself, does not provide sufficient audit evidence to reduce audit 
risk to an appropriately low level for a relevant assertion or to 
support a conclusion about the effectiveness of a control. One 
commenter suggested that the note to paragraph 17 of the reproposed 
standard be revised to include ``design and operating effectiveness of 
a control'' and that the auditor should perform audit procedures in 
addition to the use of inquiry to obtain sufficient appropriate audit 
evidence. Auditing Standard No. 15 retains the language from the 
reproposed standard. The phrase ``effectiveness of a control'' 
encompasses both design and operating effectiveness. It is not 
considered necessary to add that the auditor should perform additional 
procedures, since Auditing Standard No. 15 states that inquiry, by 
itself, does not provide sufficient audit evidence.\391\
---------------------------------------------------------------------------

    \391\ Paragraph 17 of Auditing Standard No. 15.
---------------------------------------------------------------------------

h. Confirmation
    The reproposed standard stated that a confirmation represents audit 
evidence obtained by the auditor as a direct response to the auditor 
from a third party. Some commenters suggested that the reproposed 
standard clarify that a confirmation be written. Auditing Standard No. 
15 has been revised to state that a confirmation response represents a 
particular form of audit evidence obtained by the auditor from a third 
party in accordance with PCAOB standards.\392\ The Board has a separate 
standards-setting project on confirmations that, among other things, 
will address the use of written confirmation or other alternative forms 
of confirmation.\393\
---------------------------------------------------------------------------

    \392\ Paragraph 18 of Auditing Standard No. 15.
    \393\ PCAOB Release No. 2010-003, Proposed Auditing Standard 
Related to Confirmation and Related Amendments to PCAOB Standards 
(July 13, 2010).
---------------------------------------------------------------------------

i. Analytical Procedures
    The reproposed standard described analytical procedures as an audit 
procedure for obtaining evidence. One commenter suggested adding 
``scanning'' as part of analytical procedures. Scanning is a means for 
selecting items for testing, not a separate audit procedure. The 
description of analytical procedures in Auditing Standard No. 15 is 
retained as reproposed.\394\
---------------------------------------------------------------------------

    \394\ Paragraph 21 of Auditing Standard No. 15.
---------------------------------------------------------------------------

j. Selecting Items for Testing To Obtain Audit Evidence
    Auditing Standard No. 15 contains a section on selecting items for 
testing that is adapted from an auditing interpretation of AU sec. 
350.\395\ The standard also states that the auditor should determine 
the means of selecting items for testing to obtain evidence that, in 
combination with other relevant evidence, is sufficient to meet the 
objective of the audit procedure.\396\
---------------------------------------------------------------------------

    \395\ AU sec. 9350, Audit Sampling: Auditing Interpretations of 
AU sec. 350.
    \396\ Paragraph 22 of Auditing Standard No. 15.
---------------------------------------------------------------------------

    The reproposed standard defined audit sampling as the application 
of an audit procedure to less than 100 percent of the occurrences of a 
control or items comprising an account for the purpose of evaluating 
some characteristic of the control or account. One commenter stated 
that the definition in the standard should be conformed to AU sec. 350. 
Auditing Standard No. 15 reflects revisions that align the standard 
with AU sec. 350.
k. Other Changes
    As noted in the reproposing release, certain topics that were 
included in AU sec. 326 were not carried forward to the reproposed 
standard and Auditing Standard No. 15. AU sec. 326 discussed the use of 
audit objectives, and an appendix to that standard illustrated how 
auditors might use assertions to develop audit objectives and 
substantive tests of inventory. Such a discussion is not necessary 
because the auditing standards do not require auditors to establish 
audit objectives to link assertions to substantive procedures. However, 
omission of this discussion would not preclude auditors from using 
audit objectives in designing their audit procedures.

11. Amendments to PCAOB Standards

a. Amendments to Auditing Standard No. 3
    In the release accompanying the original proposed standards, the 
Board sought comment on the need for specific documentation 
requirements regarding the risk assessment procedures. Responses from 
commenters were mixed. Some commenters supported adding specific 
documentation requirements, other commenters stated that the 
requirements in Auditing Standard No. 3, Audit Documentation, were 
adequate, and one commenter was ambivalent.
    After consideration of these comments and additional analysis, the 
amendments accompanying the reproposed standards included certain 
amendments to Auditing Standard No. 3 to (a) specify certain required 
documentation regarding the auditor's risk assessments and related 
responses, (b) align certain terms and provisions of Auditing Standard 
No. 3 with the risk assessment standards, and (c) incorporate the 
principles for documentation of disagreements among engagement team 
members. For example, the amendments indicated that the auditor's 
documentation should include the following:
     A summary of the identified risks of misstatement and the 
auditor's assessment of risks of material misstatement at the financial 
statement and assertion levels; and
     The auditor's responses to the risks of material 
misstatement, including linkage of the responses to those risks.
    Also, the requirements regarding documentation of significant 
findings or issues and related matters were expanded to require 
documentation regarding the significant risks identified and the 
results of the auditing procedures performed in response to those 
risks.
    A commenter indicated that the additional documentation requirement

[[Page 59395]]

will result in ``unnecessary linkage'' and ``a matrix-like mentality'' 
to the audit documentation. The documentation requirements are intended 
to enhance the auditor's ability to link identified and assessed risks 
to appropriate responses and could help reviewers understand the areas 
of greatest risk and the auditor's responses to those risks. In 
addition to these documentation requirements, the auditor would 
continue to be responsible for preparing documentation as required by 
other provisions of Auditing Standard No. 3, e.g., to demonstrate that 
the engagement complied with the standards of the PCAOB.\397\
---------------------------------------------------------------------------

    \397\ Paragraph 5.a. of Auditing Standard No. 3.
---------------------------------------------------------------------------

    Some commenters suggested placing the documentation requirements in 
the respective risk assessment standards rather than amending Auditing 
Standard No. 3. The risk assessment standards are foundational 
standards; therefore, the required documentation related to the risk 
assessment standards is included in Auditing Standard No. 3.\398\ 
Future decisions about the placement of new documentation requirements 
will be made during the course of the respective standards-setting 
projects.
---------------------------------------------------------------------------

    \398\ Paragraphs 9, 12, and 19 of Auditing Standard No. 3, as 
amended.
---------------------------------------------------------------------------

b. Amendments to Auditing Standard No. 4
    The amendment to Auditing Standard No. 4, Reporting on Whether a 
Previously Reported Material Weakness Continues To Exist, is limited to 
changing the word ``competent'' to ``appropriate'' when that word is 
used in reference to audit evidence.
c. Amendments to Auditing Standard No. 5
    The amendments to Auditing Standard No. 5 that accompanied the 
reproposed standards were limited to changing the phrase ``any 
assistants'' to ``the members of the engagement team,'' changing the 
word ``competent'' to ``appropriate'' when that word is used in 
reference to audit evidence, and updating references to auditing 
standards that are being superseded or amended. These amendments are 
retained as reproposed.
    One commenter suggested a series of additional amendments to 
Auditing Standard No. 5, which primarily involved removing certain 
paragraphs from Auditing Standard No. 5 that relate to risk assessment 
procedures or other requirements that are included in the risk 
assessment standards. The Board is not removing the requirements 
regarding risk assessment procedures from Auditing Standard No. 5 
because those requirements are important to understanding the other 
provisions of Auditing Standard No. 5 for performing an audit of 
internal control.
d. Amendments to Auditing Standard No. 6
    The amendments to Auditing Standard No. 6, Evaluating Consistency 
of Financial Statements, are limited to removing a footnote stating 
that the term ``error'' as used in Statement of Financial Accounting 
Standards No. 154, Accounting Changes and Error Corrections (``SFAS No. 
154''), is equivalent to ``misstatement'' as used in the auditing 
standards and updating a reference to a standard that is being 
superseded. This technical change is made because the footnote 
regarding misstatements in Auditing Standard No. 6 refers to SFAS No. 
154, whereas the definition of ``misstatement'' in Auditing Standard 
No. 14 on evaluating audit results is neutral regarding the financial 
reporting framework. However, this technical change does not alter the 
fact that an error under accounting standards generally accepted in the 
United States is a misstatement under Auditing Standard No. 14.
e. Amendments to Auditing Standard No. 7
    The amendments to Auditing Standard No. 7, Engagement Quality 
Review, update footnote 3 and the note to paragraph 10 to replace a 
reference to an interim standard that is superseded and to update the 
definitions of the terms ``engagement partner'' and ``significant 
risk'' to conform to the definitions in the risk assessment standards.
f. Amendments to Interim Auditing Standards
(i). Superseded Sections
    The risk assessment standards supersede the following sections of 
PCAOB interim auditing standards:

     AU sec. 311, Planning and Supervision
     AU sec. 312, Audit Risk and Materiality in Conducting an 
Audit
     AU sec. 313, Substantive Tests Prior to the Balance Sheet 
Date
     AU sec. 319, Consideration of Internal Control in a 
Financial Statement Audit
     AU sec. 326, Evidential Matter
     AU sec. 431, Adequacy of Disclosure in Financial 
Statements

    Similarly, the auditing interpretations of AU secs. 311, 312, and 
350 have been incorporated into the risk assessment standards and thus 
are superseded. The auditing interpretations of AU sec. 326, except for 
Interpretation No. 2 (AU secs. 9326.06-.23), also are superseded.\399\
---------------------------------------------------------------------------

    \399\ Interpretation No. 2 relates in part to AU sec. 336 and AU 
sec. 337, Inquiry of a Client's Lawyer Concerning Litigation, 
Claims, and Assessments, and it will be evaluated in connection with 
standards-setting projects related to those standards.
---------------------------------------------------------------------------

(ii). AU sec. 316, Consideration of Fraud in a Financial Statement 
Audit
    The relevant requirements regarding identifying and assessing fraud 
risks, principally AU secs. 316.14-.45; responding to fraud risks, 
principally AU secs. 316.46-.50; and evaluating audit results, 
principally AU secs. 316.68-.78, have been incorporated into Auditing 
Standard Nos. 12, 13, and 14, respectively. The remaining portions of 
AU sec. 316 describe important principles regarding the auditor's 
responsibility with respect to fraud and more detailed requirements 
regarding the auditor's responses to fraud risks. Topics covered in the 
remaining portions of AU sec. 316, as amended, include the following:
     A description of fraud and its characteristics,
     The importance of exercising professional skepticism,
     Examples of fraud risk factors,
     Examples of audit procedures performed to respond to fraud 
risks involving fraudulent financial reporting and misappropriation of 
assets, and
     Requirements regarding procedures to further address the 
risk of material misstatement due to fraud involving management 
override of controls, including examining journal entries and other 
adjustments for evidence of possible material misstatement due to 
fraud; reviewing accounting estimates for biases that could result in 
material misstatement due to fraud; and evaluating the business 
rationale for significant unusual transactions.
(iii). AU sec. 329, Analytical Procedures
    The discussion in AU sec. 329 regarding analytical procedures 
performed during audit planning, principally AU secs. 329.03 and 
329.06-.08, is incorporated into Auditing Standard No. 12. Similarly, 
the requirements regarding analytical procedures in the overall review, 
principally AU secs. 329.23-.24, are incorporated into Auditing 
Standard No. 14. The remaining portion of AU sec. 329 relates to 
analytical procedures performed as substantive procedures. Therefore, 
AU sec. 329 is retitled, Substantive Analytical Procedures,

[[Page 59396]]

which more accurately reflects the content of the amended standard.
    A standard that focuses solely on substantive analytical procedures 
highlights more clearly the requirements that apply to analytical 
procedures performed for that purpose, including the higher degree of 
precision in substantive analytical procedures needed to provide the 
necessary level of assurance. The Board has observed instances in which 
auditors performed substantive procedures to test accounts without 
meeting the requirements in AU sec. 329 for substantive analytical 
procedures.\400\
---------------------------------------------------------------------------

    \400\ See, e.g., PCAOB Release 2007-010, Report on the PCAOB's 
2004, 2005, and 2006 Inspections of Domestic Triennially Inspected 
Firms (October 22, 2007).
---------------------------------------------------------------------------

(iv). AU sec. 336, Using the Work of a Specialist
    The text of footnote 1 to paragraph .01 and of paragraph .05 were 
amended to clarify that AU sec. 336 does not apply to situations in 
which persons who participate in the audit have specialized skills or 
knowledge in accounting or auditing (e.g., IT specialists and income 
tax specialists) and to specialists employed by the firm. Auditing 
Standard No. 10 applies to those situations. Those clarifications were 
previously included in the reproposed standard on audit planning and 
supervision.
(v). AU sec. 350, Audit Sampling
    The discussion in AU sec. 350 regarding audit risk and tolerable 
misstatement has been amended to align more closely with the 
terminology used in the risk assessment standards.
    The reproposed standards included amendments to AU secs. 350.23 and 
350.38, which explained more specifically the principles in the 
standard for determining sample sizes when nonstatistical sampling 
approaches are used. Some commenters expressed concern that the 
reproposed amendments would have required auditors who use 
nonstatistical sampling methods to compute sample sizes under both 
statistical and nonstatistical methods to demonstrate that the sample 
size under the nonstatistical method equaled or exceeded the sample 
size determined using a statistical method.
    Commenters suggested that the standard should state that it is not 
necessary to compute sample sizes using statistical methods. Including 
such a sentence in the standard might be misunderstood by auditors and 
weaken the requirement of the amended standard. The reproposed 
amendments do not require auditors to compute sample sizes using 
statistical methods in all instances to demonstrate compliance with the 
requirements. For example, the use of a nonstatistical sampling 
methodology that is adapted appropriately from a statistical sampling 
method also could demonstrate compliance. However, calculating a sample 
size that is not based on the relevant factors in AU sec. 350 is not in 
compliance with the standard. Accordingly, the amendments are retained 
as reproposed.
(vi). AU sec. 543, Part of Audit Performed by Other Independent 
Auditors, and Interpretations
    A note was added to paragraph .01 to clarify that Auditing Standard 
No. 10 applies to situations not covered by AU sec. 543 in which the 
auditor engages other accounting firms or other accountants to 
participate in the audit. Paragraph .12 was amended to align AU sec. 
543 with related amendments to Auditing Standard No. 3. Footnote 4 to 
paragraph .16 of AU sec. 9543, Part of Audit Performed by Other 
Independent Auditors: Auditing Interpretations of Section 543, is 
deleted because it refers to an interim standard that is being 
superseded.
(vii). Other Amendments to the Interim Auditing Standards
    For the following interim auditing standards, the amendments are 
limited to conforming terminology to the risk assessment standards and 
updating references to auditing standards that are being superseded or 
amended:

     AU sec. 110, Responsibilities and Functions of the 
Independent Auditor
     AU sec. 150, Generally Accepted Auditing Standards
     AU sec. 210, Training and Proficiency of the Independent 
Auditor
     AU sec. 230, Due Professional Care in the Performance of 
Work
     AU sec. 310, Appointment of the Independent Auditor
     AU sec. 315, Communications Between Predecessor and 
Successor Auditors
     AU sec. 317, Illegal Acts by Clients
     AU sec. 322, The Auditor's Consideration of the Internal 
Audit Function in an Audit of Financial Statements.
     AU sec. 324, Service Organizations
     AU sec. 328, Auditing Fair Value Measurements and 
Disclosures
     AU sec. 330, The Confirmation Process
     AU sec. 332, Auditing Derivative Instruments, Hedging 
Activities, and Investments in Securities
     AU sec. 333, Management Representations
     AU sec. 334, Related Parties, and AU sec. 9334, Related 
Parties: Auditing Interpretations of Section 334
     AU sec. 9336, Using the Work of a Specialist: Auditing 
Interpretations of Section 336
     AU sec. 341, The Auditor's Consideration of an Entity's 
Ability to Continue as a Going Concern
     AU sec. 342, Auditing Accounting Estimates, and AU sec. 
9342, Auditing Accounting Estimates: Auditing Interpretations of 
Section 342
     AU sec. 380, Communication With Audit Committees
     AU sec. 411, The Meaning of Present Fairly in Conformity 
With Generally Accepted Accounting Principles
     AU sec. 508, Reports on Audited Financial Statements, and 
AU sec. 9508, Reports on Audited Financial Statements: Auditing 
Interpretations of Section 508
     AU sec. 530, Dating of the Independent Auditor's Report
     AU sec. 722, Interim Financial Information
g. Amendments to Interim Ethics Standards
    In the interim ethics standards, ET sec. 102, Integrity and 
Objectivity, the amendments are limited to updating references to 
auditing standards that are being superseded or amended.

12. Effective Date

    In its reproposal of the proposed rules, the Board stated that it 
expects the standards would be effective for audits of fiscal years 
beginning on or after December 15, 2010, subject to approval by the 
Commission, and the Board requested comment on the proposed effective 
date. Several commenters stated that the Board should establish 
sufficient time for auditing firms to make changes to their 
methodologies and train their staff on the new risk assessment 
standards.
    After considering the comments received and the timing of the 
adoption of the standards, the Board has determined that the 
accompanying standards and related amendments will be effective, 
subject to Commission approval, for audits of fiscal periods beginning 
on or after December 15, 2010. In its determination, the Board 
considered that many auditors already employ risk-based audit 
methodologies, which should facilitate the methodology changes and 
training necessary to implement the standards by the effective date.

[[Page 59397]]

13. Other Topics Not Related to the Reproposed Standards

    The comment letters on the reproposed standards included certain 
comments that relate to standards-setting matters other than the 
reproposed standards. The following paragraphs discuss those comments.
a. Standards-setting Process
    Some commenters suggested changes to the Board's standards-setting 
process. These comments primarily relate to the extent to which the 
Board uses the standards of the IAASB and ASB in its standards-setting 
and the use of external task forces in drafting standards.
    In previous releases on its proposed risk assessment standards, the 
Board has stated that it has sought to eliminate unnecessary 
differences with the risk assessment standards and those of other 
standards-setters. However, because the Board's standards must be 
consistent with the Board's statutory mandate,\401\ differences will 
continue to exist between the Board's standards and the standards of 
the IAASB and ASB e.g., when the Board decides to retain an existing 
requirement in PCAOB standards that is not included in IAASB or ASB 
standards. Also, certain differences are often necessary for the 
Board's standards to be consistent with relevant provisions of the 
federal securities laws or other existing standards or rules of the 
Board. Also, the Board's standards-setting activities are informed by 
and developed to some degree, in response to observations from its 
oversight activities.
---------------------------------------------------------------------------

    \401\ E.g., Section 101 of the Sarbanes-Oxley Act of 2002 (the 
``Act''), 15 U.S.C. 7211.
---------------------------------------------------------------------------

    The Board has a number of means available to seek additional 
comments from external parties regarding its standards-setting 
activities, including meetings with its Standing Advisory Group 
(``SAG''), issuing concept releases or reproposing standards or rules, 
and conducting public roundtables. Although these are not the only 
means available to the Board, they have been used because they offer 
the Board the ability to obtain comments from a diverse group of 
interested parties through a public process.
    The Board continually endeavors to improve its processes, including 
its standards-setting process, and considers comments from the public 
as it does so. For example, the Board has undertaken certain steps to 
enhance the transparency of its standards-setting process, including 
maintaining on its Web site its standards-setting agenda and discussing 
the status of projects in public meetings with the SAG. This release 
has also been expanded to provide additional discussion of and 
explanation for the Board's conclusions regarding the risk assessment 
standards. Some commenters acknowledged the Board's efforts to increase 
the transparency of its process.
b. Other Standards-Setting Projects
    Commenters on the reproposed standards also recommended a number of 
additional standards-setting or standards-related projects for the 
Board. Examples of such projects included creating a codification of 
the Board's standards; creating a glossary of terms used in the Board's 
standards, issuing a concept release for the review of the Board's 
interim standards, developing a standard describing the overall 
objectives of the audit, similar to ISA 200, Overall Objectives of the 
Independent Auditor and the Conduct of an Audit in Accordance with 
International Standards on Auditing, and developing guidance related to 
how the Board would evaluate the reasonableness of judgments based on 
PCAOB auditing standards.
    The Board continually assesses its standards-setting and related 
projects based upon the need for improvements in standards or 
additional guidance in response to current developments, observations 
from the Board's oversight activities, comments received from the 
public, and other factors. As mentioned previously, the Board's 
standards-setting agenda is maintained on the Board's Web site. The 
Board is considering these comments as it assesses its agenda.
c. Comparison With and the Standards of the International Auditing and 
Assurance Standards Board the Auditing Standards Board of the American 
Institute of Certified Public Accountants
    Some commenters on the reproposed standards stated that the Board 
should provide more information about its requirements, including how 
the requirements are expected to affect audits. Commenters requested 
information about how the Board's standards compare to the standards of 
other standards-setters. Some commenters also requested more 
explanation for certain requirements in the Board's reproposed 
standards.
    In developing its original proposed standards, the Board took into 
account, among other things, the risk assessment standards of the 
International Auditing and Assurance Standards Board (``IAASB'') and 
the Auditing Standards Board of the American Institute of Certified 
Public Accountants (``ASB''). The release accompanying the reproposed 
standards included a comparison of the objectives and requirements of 
the reproposed standards to the analogous standards of the IAASB and 
ASB.
    Some commenters requested additional details about differences 
between the reproposed standards and the IAASB or ASB standards or 
clarifications regarding specific requirements in the reproposed 
standards for which the language was not identical to IAASB or ASB 
standards.
    In analyzing comments on the appendix to the reproposed standards 
that compared the reproposed standards to the analogous standards of 
the IAASB and ASB, the Board observed that a number of the explanations 
sought by commenters, e.g., the reasons for the differences in certain 
requirements were discussed elsewhere in the release accompanying the 
reproposed standards, e.g., in Appendix 9 to that release.
    The discussion below discusses certain differences between the 
objectives and requirements of the PCAOB standards and the analogous 
standards of the IAASB and ASB. When a difference between the Board's 
standards and the analogous standards of the IAASB and ASB is noted, 
the discussion contains a reference to the discussion of the Board's 
requirements in this release. This analysis may not represent the views 
of the IAASB or ASB regarding their standards.

Auditing Standard No. 8--Audit Risk

    Analogous discussions of the components of audit risk are included 
in the IAASB's International Standard on Auditing (``ISA'') 200, 
Overall Objectives of the Independent Auditor and the Conduct of an 
Audit in Accordance with International Standards on Auditing and the 
ASB's clarified Statement on Auditing Standards (``SAS''), Overall 
Objectives of the Independent Auditor and the Conduct of an Audit in 
Accordance with Generally Accepted Auditing Standards, respectively.
(i) Audit Risk and Reasonable Assurance
PCAOB
    Auditing Standard No. 8 states that to form an appropriate basis 
for expressing an opinion on the financial statements, the auditor must 
plan and perform the audit to obtain reasonable assurance about whether 
the financial statements are free of material misstatement due to error 
or fraud. Reasonable assurance is

[[Page 59398]]

obtained by reducing audit risk to an appropriately low level through 
applying due professional care, including obtaining sufficient 
appropriate audit evidence.\402\
---------------------------------------------------------------------------

    \402\ AU sec. 110, Responsibilities and Functions of the 
Independent Auditor, and AU sec. 230, Due Professional Care in the 
Performance of Work, provide further discussion of reasonable 
assurance.
---------------------------------------------------------------------------

    Auditing Standard No. 8 uses the phrase ``appropriately low level'' 
because the term ``appropriately'' is aligned more closely with the 
concept of reasonable assurance whereas ``acceptable level'' might be 
misunderstood as allowing auditors to vary the audit efforts based upon 
their personal tolerance for risk. This release contains additional 
discussion regarding the use of the phrase ``appropriately low level.'' 
\403\
---------------------------------------------------------------------------

    \403\ Section II.C.3.b.
---------------------------------------------------------------------------

    Auditing Standard No. 8 also clarifies that obtaining sufficient 
appropriate audit evidence is part of applying due professional care. 
This release provides additional discussion regarding due professional 
care and sufficient appropriate audit evidence.\404\
---------------------------------------------------------------------------

    \404\ Section II.C.3.c.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA states:

    To obtain reasonable assurance, the auditor shall obtain 
sufficient appropriate audit evidence to reduce audit risk to an 
acceptably low level and thereby enable the auditor to draw 
reasonable conclusions on which to base the auditor's opinion.

    The SAS includes a requirement similar to the ISA's requirement.
(ii) Detection Risk and Substantive Procedures
PCAOB
    Auditing Standard No. 8 states that as the appropriate level of 
detection risk decreases, the evidence from substantive procedures that 
the auditor should obtain increases. This requirement was adapted from 
AU sec. 319, Consideration of Internal Control in a Financial Statement 
Audit,\405\ and it parallels a requirement in Auditing Standard No. 13, 
The Auditor's Responses to the Risks of Material Misstatement.\406\ 
This release contains additional discussion regarding detection 
risk.\407\
---------------------------------------------------------------------------

    \405\ AU sec. 319 is superseded by the risk assessment 
standards.
    \406\ Paragraph 37 of Auditing Standard No. 13.
    \407\ Section II.C.3.e.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA and the SAS do not include an analogous requirement.

Auditing Standard No. 9--Audit Planning

    In this section, the analogous IAASB and ASB standards are, unless 
indicated otherwise, ISA 300, Planning an Audit of Financial 
Statements, and the clarified SAS, Planning an Audit, respectively.
(i). Planning an Audit
PCAOB
    Auditing Standard No. 9 contains a requirement to properly plan the 
audit. This requirement is consistent with the first standard of 
fieldwork in AU sec. 150, Generally Accepted Auditing Standards.
IAASB and ASB
    The ISA and the SAS do not include an analogous requirement, 
although planning the audit is referenced in the objectives of the 
standards.
(ii). Audit Strategy and Audit Plan
PCAOB
    Auditing Standard No. 9 requires the auditor to establish an 
overall audit strategy that sets the scope, timing, and direction of 
the audit and guides the development of the audit plan. When developing 
the audit strategy and audit plan, the standard requires the auditor to 
evaluate whether certain matters specified in the standard are 
important to the company's financial statements and internal control 
over financial reporting and, if so, how they will affect the auditor's 
procedures. As discussed in this release, these matters are adapted 
from Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements, and are important for both the audit of financial 
statements and an audit of internal control over financial reporting 
(``audit of internal control'').\408\
---------------------------------------------------------------------------

    \408\ Section II.C.4.e.
---------------------------------------------------------------------------

    In establishing the overall audit strategy, Auditing Standard No. 9 
also requires the auditor to take into account certain matters, such as 
the reporting objectives and the factors that are significant in 
directing the activities of the engagement team, results of preliminary 
engagement activities and the auditor's evaluation of the important 
matters in accordance with paragraph 7, and the nature, timing, and 
extent of resources necessary to perform the engagement. This release 
discusses this requirement with more detail.\409\
---------------------------------------------------------------------------

    \409\ Section II.C.4.f.
---------------------------------------------------------------------------

    Auditing Standard No. 9 requires the auditor to develop and 
document an audit plan that includes a description of the planned 
nature, timing, and extent of risk assessment procedures; tests of 
controls, substantive procedures, and other audit procedures. The audit 
plan required by Auditing Standard No. 9 encompasses all of the audit 
procedures to be performed, i.e., it is not limited to procedures at 
the assertion level. This release contains additional discussion 
regarding developing the audit strategy and audit plan.\410\
---------------------------------------------------------------------------

    \410\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA and the SAS require the auditor to establish an overall 
audit strategy that sets the scope, timing, and direction of the audit 
and guides the development of the audit plan. Those standards do not 
have a requirement analogous to the Auditing Standard No. 9 requirement 
to evaluate specific matters in developing the audit strategy and audit 
plan.
    The ISA states:

    In establishing the overall audit strategy, the auditor shall:
    (a) Identify the characteristics of the engagement that define 
its scope;
    (b) Ascertain the reporting objectives of the engagement to plan 
the timing of the audit and the nature of the communications 
required;
    (c) Consider the factors that, in the auditor's professional 
judgment, are significant in directing the engagement team's 
efforts;
    (d) Consider the results of preliminary engagement activities 
and, where applicable, whether knowledge gained on other engagements 
performed by the engagement partner for the entity is relevant; and
    (e) Ascertain the nature, timing and extent of resources 
necessary to perform the engagement.

    The SAS includes a requirement similar to the ISA's requirement.
    Both the ISA and the SAS require the auditor to develop an audit 
plan that shall include a description of the nature, timing, and extent 
of planned further auditor procedures at the assertion level.
(iii). Multi-Location Engagements
PCAOB
    Auditing Standard No. 9 states that the auditor should determine 
the extent to which auditing procedures should be performed at selected 
locations or business units to obtain sufficient appropriate evidence 
to obtain reasonable assurance about whether the consolidated financial 
statements are free of material misstatement. This includes determining 
the locations or business units at which to perform audit procedures, 
as well as the nature, timing, and extent of the audit

[[Page 59399]]

procedures to be performed at those individual locations or business 
units. The auditor should assess the risks of material misstatement to 
the consolidated financial statements associated with the location or 
business unit and correlate the amount of audit attention devoted to 
the location or business unit with the degree of risk of material 
misstatement associated with that location or business unit. Auditing 
Standard No. 9 also provides a list of factors that are relevant to the 
assessment of the risks of material misstatement associated with a 
particular location or business unit and the determination of the 
necessary audit procedures.
    The provisions in Auditing Standard No. 9 are applicable to all 
multi-location audits. This release discusses the basis for the 
requirements and explains how the requirements should be applied in 
audits in which part of the work is performed by other auditors of 
financial statements of individual locations or business units that are 
included in the consolidated financial statements.\411\
---------------------------------------------------------------------------

    \411\ Section II.C.4.g.
---------------------------------------------------------------------------

IAASB and ASB
    ISA 600, Special Considerations--Audits of Group Financial 
Statements (Including the Work of Component Auditors), and the proposed 
SAS, Audits of Group Financial Statements (Including the Work of 
Component Auditors), apply to group audits. Under ISA 600, group audits 
are defined as the audit of group financial statements, which are 
financial statements that include the financial information of more 
than one component, and the component auditor is an auditor who, at the 
request of the group engagement team, performs work on financial 
information related to a component for the group audit.
    ISA 600 and the proposed SAS describe the scope of audit procedures 
to be performed at individual components, depending upon, among other 
things, whether the components are significant components as described 
in the respective standards.

Auditing Standard No. 10--Supervision of the Audit Engagement

    In this section, unless indicated otherwise, the analogous IAASB 
standards are ISA 300, Planning an Audit of Financial Statements, and 
ISA 220, Quality Control for an Audit of Financial Statements 
(collectively referred to in this section as ``the ISAs''); and the 
analogous ASB standards are the clarified SAS, Planning an Audit, and 
the proposed SAS, Quality Control for an Audit of Financial Statements 
(collectively referred to in this section as ``the SASs'').
(i). Supervision
PCAOB
    Auditing Standard No. 10 states that the engagement partner is 
responsible for supervising other engagement team members and may seek 
assistance from appropriate engagement team members. Auditing Standard 
No. 10 also requires the engagement partner, and engagement team 
members who assist the engagement partner in supervision, to properly 
supervise the members of the engagement team, describes the necessary 
elements of proper supervision, and describes the factors that affect 
the necessary extent of supervision. These requirements are adapted 
from AU sec. 311, Planning and Supervision.\412\ This release provides 
additional discussion regarding these requirements.\413\
---------------------------------------------------------------------------

    \412\ AU sec. 311 is superseded by Auditing Standard No. 9 and 
Auditing Standard No. 10.
    \413\ Section II.C.5.d.
---------------------------------------------------------------------------

    The requirements in the ISAs and the SASs do not describe the 
elements of supervision or factors that affect supervision.
IAASB and ASB
    The ISAs and the SASs require the auditor to plan the nature, 
timing, and extent of direction and supervision of engagement team 
members and review their work. The ISAs and SASs require the engagement 
partner to ``take responsibility for the direction, supervision and 
performance of the audit engagement in compliance with professional 
standards and applicable legal and regulatory requirements and for the 
auditor's report being appropriate in the circumstances.''
(ii). Supervision of Engagement Team Members
PCAOB
    Auditing Standard No. 10 requires the engagement partner and other 
engagement team members performing supervisory activities to: (a) 
Inform engagement team members of their responsibilities, including the 
objectives of the procedures that they are to perform; the nature, 
timing and extent of procedures they are to perform; and matters that 
could affect the procedures to be performed or the evaluation of the 
results of those procedures, (b) direct engagement team members to 
bring significant accounting and auditing issues arising during the 
audit to the attention of the engagement partner or other engagement 
team members performing supervising activities, and (c) review the work 
of engagement team members to evaluate whether the work was performed, 
the objectives of the procedures were achieved, and the results of the 
work support the conclusions. This release contains additional 
discussion regarding this requirement.\414\
---------------------------------------------------------------------------

    \414\ Section II.C.5.e.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The engagement partner shall take responsibility for:
    (a) The direction, supervision and performance of the audit 
engagement in compliance with professional standards and applicable 
legal and regulatory and legal requirements; and
    (b) The auditor's report being appropriate in the circumstances.
    The engagement partner shall take responsibility for reviews 
being performed in accordance with the firm's review policies and 
procedures.
    On or before the date of the auditor's report, the engagement 
partner shall, through a review of the audit documentation and 
discussion with the engagement team, be satisfied that sufficient 
appropriate audit evidence has been obtained to support the 
conclusions reached and for the auditor's report to be issued.
    The auditor shall plan the nature, timing and extent of 
direction and supervision of engagement team members and the review 
of their work.
ASB
    The SAS includes requirements similar to the ISAs' requirements.
(iii). Extent of Supervision
PCAOB
    To determine the extent of supervision necessary for engagement 
team members to perform their work as directed and form appropriate 
conclusions, Auditing Standard No. 10 requires the engagement partner 
and other engagement team members performing supervisory activities to 
take into account the nature of company, the nature of the assigned 
work for each team member, the risks of material misstatement, and the 
knowledge, skill, and ability of each engagement team member. This 
release contains additional discussion regarding this requirement.\415\
---------------------------------------------------------------------------

    \415\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not have an analogous requirement for the 
auditor to determine the extent of supervision necessary for engagement 
team members.

[[Page 59400]]

Auditing Standard No. 11--Consideration of Materiality in Planning and 
Performing an Audit

    In this section, the analogous IAASB and ASB standards are ISA 320, 
Materiality in Planning and Performing an Audit, and the clarified SAS, 
Materiality in Planning and Performing an Audit, and the proposed SAS, 
Audits of Group Financial Statements (Including the Work of Component 
Auditors), respectively.
 Definition of Materiality
PCAOB
    Auditing Standard No. 11 requires the auditor to establish a 
materiality level for the financial statements as a whole that is 
appropriate in light of the particular circumstances, including 
consideration of the company's earnings and other relevant factors. The 
requirement in Auditing Standard No. 11 is based on the concept of 
materiality that is articulated by the courts in interpreting the 
federal securities laws. This release discusses the concept of 
materiality used in Auditing Standard No. 11.\416\
---------------------------------------------------------------------------

    \416\ Section II.C.6.b.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA states, ``When establishing the overall audit strategy, the 
auditor shall determine materiality for the financial statements as a 
whole.''
    The SAS has a requirement similar to the ISA's requirement.
 Materiality in the Context of an Audit
PCAOB
    Auditing Standard No. 11 requires the auditor to plan and perform 
audit procedures to detect misstatements that, individually or in 
combination with other misstatements, would result in material 
misstatement of the financial statements in order to obtain reasonable 
assurance about whether the financial statements are free of material 
misstatement. This release discusses the concept of materiality in the 
context of an audit.\417\
---------------------------------------------------------------------------

    \417\ Ibid.
---------------------------------------------------------------------------

IAASB
    ISA 200 states:
    In conducting an audit of financial statements, the overall 
objectives of the auditor are:
    a. To obtain reasonable assurance about whether the financial 
statements as a whole are free from material misstatement, whether due 
to fraud or error, thereby enabling the auditor to express an opinion 
on whether the financial statements are prepared, in all material 
respects, in accordance with an applicable financial reporting 
framework; and
    b. To report on the financial statements, and communicate as 
required by the ISAs, in accordance with the auditor's findings.
ASB
    The SAS includes an objective similar to the ISA's objective.
 Tolerable Misstatement and Performance Materiality
PCAOB
    Auditing Standard No. 11 requires the auditor to determine 
tolerable misstatement for purposes of assessing risks of material 
misstatement and planning and performing audit procedures at the 
account or disclosure level. Auditing Standard No. 11 uses the term 
``tolerable misstatement,'' which is also used in other PCAOB 
standards.\418\ This release discusses the use of the term ``tolerable 
misstatement'' in more detail.\419\
---------------------------------------------------------------------------

    \418\ Paragraph .18 of AU sec. 350, Audit Sampling.
    \419\ Section II.C.6.e.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA and SAS require the auditor to determine ``performance 
materiality'' for purposes of assessing the risks of material 
misstatement and determining the nature, timing, and extent of further 
audit procedures.
 Determining Tolerable Misstatement
PCAOB
    Auditing Standard No. 11 contains a requirement to take into 
account the nature, cause (if known), and amount of misstatements that 
were accumulated in audits of the financial statements of prior periods 
when determining tolerable misstatement and planning and performing 
audit procedures. This requirement is adapted from AU sec. 312, Audit 
Risk and Materiality in Conducting an Audit. This release contains 
further discussion regarding this requirement.\420\
---------------------------------------------------------------------------

    \420\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA and SAS do not have an analogous requirement.
 Multi-Location Determination of Tolerable Misstatement
PCAOB
    In multi-location engagements, Auditing Standard No. 11 requires 
the auditor to determine tolerable misstatement for the individual 
locations or business units at an amount that reduces to an 
appropriately low level the probability that the total of uncorrected 
and undetected misstatements would result in material misstatement of 
the consolidated financial statements. The standard also requires the 
tolerable misstatement at an individual location to be less than the 
established materiality level for the financial statements as a whole. 
This release provides further discussion regarding consideration of 
materiality for multi-location engagements.\421\
---------------------------------------------------------------------------

    \421\ Section II.C.6.f.
---------------------------------------------------------------------------

IAASB
    ISA 600 requires the group engagement team to determine, among 
other things, component materiality. The ISA states:

    Component materiality for those components where component 
auditors will perform an audit or a review for purposes of the group 
audit. To reduce to an appropriately low level the probability that 
the aggregate of uncorrected and undetected misstatements in the 
group financial statements exceeds materiality for the group 
financial statements as a whole, component materiality shall be 
lower than materiality for the group financial statements as a 
whole.
ASB
    Proposed SAS, Audits of Group Financial Statements (Including the 
Work of Component Auditors), requires the group engagement team to 
determine among other things, component materiality. The proposed SAS 
states:

    Component materiality for those components on which an audit or 
other specified audit procedures will be performed. To reduce the 
risk that the aggregate of detected and undetected misstatements in 
the group financial statements exceeds the materiality for the group 
financial statements as a whole, component materiality should be 
lower than the materiality for the group financial statements as a 
whole.
 Reevaluating Materiality and Tolerable Misstatement
PCAOB
    Auditing Standard No. 11 requires the auditor to reevaluate the 
established materiality level or levels and tolerable misstatement when 
there is a substantial likelihood that misstatements of amounts that 
differ significantly from the materiality level or levels that were 
established initially would influence the judgment of a reasonable 
investor. The requirement reflects the perspective of a reasonable 
investor, whereas the analogous requirements in the ISA and SAS reflect 
an auditor's perspective. This release contains additional discussion 
regarding materiality from

[[Page 59401]]

the perspective of a reasonable investor \422\ and the reevaluation of 
materiality.\423\
---------------------------------------------------------------------------

    \422\ Section II.C.6.b.
    \423\ Section II.C.6.g.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA and the SAS require the auditor to ``revise materiality for 
the financial statements as a whole (and, if applicable, the 
materiality level or levels for particular classes of transactions, 
account balances, or disclosures) in the event of becoming aware of 
information during the audit that would have caused the auditor to have 
determined a different amount (or amounts) initially.''

Auditing Standard No. 12--Identifying and Assessing Risks of Material 
Misstatement

    In this section, the analogous IAASB standards are ISA 315, 
Identifying and Assessing the Risks of Material Misstatement Through 
Understanding the Entity and Its Environment, and ISA 240, The 
Auditor's Responsibilities Relating to Fraud In An Audit of Financial 
Statements (collectively referred to in this section as ``the ISAs''). 
The analogous ASB standards are the clarified SAS, Understanding the 
Entity and its Environment and Assessing the Risks of Material 
Misstatements (Redrafted) and proposed SAS, Consideration of Fraud in a 
Financial Statement Audit (Redrafted) (collectively referred to in this 
section as ``the SASs'').\424\
---------------------------------------------------------------------------

    \424\ In June 2010, the ASB adopted as a final standard the SAS, 
Consideration of Fraud in a Financial Statement Audit (Redrafted). 
However, the ASB has not yet published this standard.
---------------------------------------------------------------------------

(i). Objective
PCAOB
    The objective of Auditing Standard No. 12 is to identify and 
appropriately assess the risks of material misstatement, thereby 
providing a basis for designing and implementing responses to the risks 
of material misstatement. Auditing Standard No. 12 requires the auditor 
to perform other risk assessment procedures in addition to obtaining an 
understanding of the company and its environment. This release contains 
additional discussion regarding the objective of the standard.\425\
---------------------------------------------------------------------------

    \425\ Section II.C.7.b.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    The objective of the auditor is to identify and assess the risks 
of material misstatement, whether due to fraud or error, at the 
financial statement and assertion levels, through understanding the 
entity and its environment, including the entity's internal control, 
thereby providing a basis for designing and implementing responses 
to the assessed risks of material misstatement.

    The SASs include an objective similar to the ISAs' objective.
(ii). Performing Risk Assessment Procedures
PCAOB
    Auditing Standard No. 12 states that the auditor should perform 
risk assessment procedures that are sufficient to provide a reasonable 
basis for identifying and assessing the risks of material misstatement, 
whether due to error or fraud, and designing further audit procedures. 
The requirement establishes a principle for determining the sufficiency 
of the necessary risk assessment procedures, and it also links the risk 
assessment procedures to the design of the tests of controls and 
substantive procedures to be performed to respond to the risks. This 
release includes additional discussion regarding performing risk 
assessment procedures.\426\
---------------------------------------------------------------------------

    \426\ Section II.C.7.c.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    The auditor shall perform risk assessment procedures to provide 
a basis for the identification and assessment of risks of material 
misstatement at the financial statement and assertion levels.

    The SASs include a requirement similar to the ISAs' requirement.
(iii). Obtaining an Understanding of the Company and Its Environment
PCAOB
    Auditing Standard No. 12 includes a requirement to evaluate, while 
obtaining an understanding of the company, whether significant changes 
in the company from prior periods, including changes in its internal 
control over financial reporting, affect the risks of material 
misstatement. This release includes additional discussion regarding 
obtaining an understanding of the company and its environment.\427\
---------------------------------------------------------------------------

    \427\ Section II.C.7.d.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include an analogous requirement.
(iv). Additional Procedures To Understand the Company
PCAOB
    Auditing Standard No. 12 requires the auditor to consider 
performing certain procedures as part of obtaining an understanding of 
the company as required by paragraph 7 of the standard. These 
procedures include reading public information about the company, 
observing or reading transcripts of earnings calls, obtaining an 
understanding of compensation arrangements with senior management, and 
obtaining information about trading activity in the company's 
securities and holdings in the company's securities by significant 
holders. This release includes additional discussion regarding this 
requirement.\428\
---------------------------------------------------------------------------

    \428\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include an analogous requirement.
(v). Selection and Application of Accounting Principles, Including 
Related Disclosures
PCAOB
    Auditing Standard No. 12 requires the auditor to develop 
expectations about the disclosures that are necessary for the company's 
financial statements to be presented fairly in conformity with the 
applicable financial reporting framework to identify and assess the 
risks of material misstatement related to omitted, incomplete, or 
inaccurate disclosures.\429\ The standard also requires engagement team 
members to discuss how fraud might be perpetrated or concealed by 
omitting or presenting incomplete or inaccurate disclosures.\430\ 
Additionally Auditing Standard No. 12 requires the auditor's evaluation 
of fraud risk factors to include how fraud could be perpetrated or 
concealed by presenting incomplete or inaccurate disclosures or by 
omitting disclosures that are necessary for the financial statements to 
be presented fairly in conformity with the applicable financial 
reporting framework.\431\ This release includes additional discussion 
regarding these requirements.\432\
---------------------------------------------------------------------------

    \429\ Paragraph 12 of Auditing Standard No. 12.
    \430\ Paragraph 52 of Auditing Standard No. 12.
    \431\ Paragraph 67 of Auditing Standard No. 12.
    \432\ Section II.C.7.d., h. and j. respectively.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do include analogous requirements regarding the 
disclosures that are necessary for the company's financial statements 
to be presented fairly in conformity with the applicable financial 
reporting framework.

[[Page 59402]]

(vi). Obtaining an Understanding of Internal Control Over Financial 
Reporting
PCAOB
    Auditing Standard No. 12 requires the auditor to obtain a 
sufficient understanding of each component of internal control over 
financial reporting to (a) identify the types of potential 
misstatements; (b) assess the factors that affect the risks of material 
misstatement; and (c) design further auditor procedures. This 
requirement relates to the sufficiency of the required understanding of 
internal control over financial reporting. This release contains 
additional discussion of this requirement.\433\
---------------------------------------------------------------------------

    \433\ Section II.C.7.e.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    The auditor shall obtain an understanding of internal control 
relevant to the audit. Although most controls relevant to the audit 
are likely to relate to financial reporting, not all controls that 
relate to financial reporting are relevant to the audit. It is a 
matter of the auditor's professional judgment whether a control, 
individually or in combination with others, is relevant to the 
audit.

    The SASs include requirements similar to the ISAs' requirements.
(vii). Control Environment
PCAOB
    Auditing Standard No. 12 requires the auditor to assess the 
following matters as part of obtaining an understanding of the control 
environment:
     Whether management's philosophy and operating style 
promote effective internal control over financial reporting;
     Whether sound integrity and ethical values, particularly 
of top management, are developed and understood; and
     Whether the board or audit committee understands and 
exercises oversight responsibility over financial reporting and 
internal control.
    This requirement is aligned with a similar requirement in Auditing 
Standard No. 5. This release includes additional discussion regarding 
this requirement.\434\
---------------------------------------------------------------------------

    \434\ Section II.C.7.e.(ii).
---------------------------------------------------------------------------

    Paragraph 25 of Auditing Standard No. 12 states that ``[i]f the 
auditor identifies a control deficiency in the company's control 
environment, the auditor should evaluate the extent to which this 
control deficiency is indicative of a fraud risk factor.'' This release 
includes additional discussion regarding the auditor's evaluation of an 
identified control deficiency in the control environment.\435\
---------------------------------------------------------------------------

    \435\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    The auditor shall obtain an understanding of the control 
environment. As part of obtaining this understanding, the auditor 
shall evaluate whether:
    (a) Management, with the oversight of those charged with 
governance, has created and maintained a culture of honesty and 
ethical behavior; and
    (b) The strengths in the control environment elements 
collectively provide an appropriate foundation for the other 
components of internal control, and whether those other components 
are not undermined by deficiencies in the control environment.

    The SASs include requirements similar to the ISAs' requirements.
    The ISAs and SASs do not have a requirement analogous to paragraph 
25 of Auditing Standard No. 12.
(viii). The Company's Risk Assessment Process
PCAOB
    Auditing Standard No. 12 states that:

    The auditor should obtain an understanding of management's 
process for:
    (a) Identifying risks relevant to financial reporting 
objectives, including risks of material misstatement due to fraud 
(``fraud risks''),
    (b) Assessing the likelihood and significance of misstatements 
resulting from those risks, and
    (c) Deciding about actions to address those risks.

    The standard also states that obtaining an understanding of the 
company's risk assessment process includes obtaining an understanding 
of the risks of material misstatement identified and assessed by 
management and the actions taken to address those risks.
    Those requirements focus on the matters that are important to the 
auditor's understanding of the company's internal control and on the 
auditor's risk assessments. Although the auditor can be informed by the 
company's risk assessment process, the auditor is still required to 
perform risk assessment procedures that are sufficient for identifying 
and assessing the risks of material misstatement rather than relying on 
the company's process.
    This release includes additional discussion regarding the company's 
risk assessment process.\436\
---------------------------------------------------------------------------

    \436\ Section II.C.7.e.(iii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    The auditor shall obtain an understanding of whether the entity 
has a process for (a) Identifying business risks relevant to 
financial reporting objectives; (b) Estimating the significance of 
the risks; (c) Assessing the likelihood of their occurrence; and (d) 
Deciding about actions to address those risks.
    If the entity has established such a process (referred to 
hereafter as the ``entity's risk assessment process''), the auditor 
shall obtain an understanding of it, and the results thereof. If the 
auditor identifies risks of material misstatement that management 
failed to identify, the auditor shall evaluate whether there was an 
underlying risk of a kind that the auditor expects would have been 
identified by the entity's risk assessment process. If there is such 
a risk, the auditor shall obtain an understanding of why that 
process failed to identify it, and evaluate whether the process is 
appropriate to its circumstances or determine if there is a 
significant deficiency in internal control with regard to the 
entity's risk assessment process.
    If the entity has not established such a process or has an ad 
hoc process, the auditor shall discuss with management whether 
business risks relevant to financial reporting objectives have been 
identified and how they have been addressed. The auditor shall 
evaluate whether the absence of a documented risk assessment process 
is appropriate in the circumstances, or determine whether it 
represents a significant deficiency in internal control.

    The SASs include requirements similar to the ISAs' requirements.
(ix). Information and Communication
PCAOB
    Auditing Standard No. 12 requires the auditor to obtain an 
understanding of how IT affects the company's flow of transactions. The 
standard also states that the identification of risks and controls 
within IT is not a separate evaluation. Instead, it is an integral part 
of the approach used to identify significant accounts and disclosures 
and their relevant assertions and, when applicable, to select the 
controls to test, as well as to assess risk and allocate audit effort. 
This release contains additional discussion of this requirement.\437\
---------------------------------------------------------------------------

    \437\ Section II.C.7.e.(iv).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(x). Control Activities
PCAOB
    Auditing Standard No. 12 requires the auditor to obtain an 
understanding of control activities that is sufficient to assess the 
factors that affect the risks of material misstatement and to design 
further audit procedures. Auditing Standard No. 12 requires the auditor 
to use his or her knowledge about the presence or absence of control 
activities obtained from the understanding of the other components of 
internal control over financial reporting in determining

[[Page 59403]]

the extent to which it is necessary to devote additional attention to 
obtaining an understanding of control activities to assess the factors 
that affect the risks of material misstatement and to design further 
audit procedures. This release includes additional discussion of this 
requirement.\438\
---------------------------------------------------------------------------

    \438\ Section II.C.7.e.(v).
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The auditor shall obtain an understanding of control activities 
relevant to the audit, being those the auditor judges it necessary 
to understand in order to assess the risks of material misstatement 
at the assertion level and design further audit procedures 
responsive to assessed risks. An audit does not require an 
understanding of all the control activities related to each 
significant class of transactions, account balance, and disclosure 
in the financial statements or to every assertion relevant to them.
ASB
    The SASs state:

    The auditor should obtain an understanding of control activities 
relevant to the audit, which are those control activities the 
auditor judges it necessary to understand in order to assess the 
risks of material misstatement at the assertion level and design 
further audit procedures responsive to assessed risks. An audit does 
not require an understanding of all the control activities related 
to each significant class of transactions, account balance, and 
disclosure in the financial statements or to every assertion 
relevant to them. However, the auditor should obtain an 
understanding of the process of reconciling detailed records to the 
general ledger for material account balances.
(xi). Relationship of Understanding of Internal Control to Tests of 
Controls
PCAOB
    Auditing Standard No. 12 requires the auditor to take into account 
the evidence obtained from understanding internal control when 
assessing control risk and, in the audit of internal control, forming 
conclusions about the effectiveness of controls. Auditing Standard No. 
12 also requires the auditor to take into account the evidence obtained 
from understanding internal control when determining the nature, 
timing, and extent of procedures necessary to support the auditor's 
conclusions about the effectiveness of entity-level controls in the 
audit of internal control. This release includes additional discussion 
of these requirements.\439\
---------------------------------------------------------------------------

    \439\ Section II.C.7.e.(vii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(xii). Considering Information From the Client Acceptance and Retention 
Evaluation, Audit Planning Activities, Past Audits, and Other 
Engagements
PCAOB
    Auditing Standard No. 12 requires the auditor to evaluate whether 
information obtained during a review of interim financial information 
in accordance with AU sec. 722, Interim Financial Information, is 
relevant to identifying risks of material misstatement in the year-end 
audit. The ISAs and SASs do not include an analogous requirement.
    Auditing Standard No. 12 also states that the auditor should obtain 
an understanding of the nature of the services that have been performed 
for the company by the auditor or affiliates of the firm \440\ and 
should take into account relevant information obtained from those 
engagements in identifying risks of material misstatement. The 
requirement in Auditing Standard No. 12 applies to services performed 
by the firm and affiliates of the firm and is not limited to services 
performed by the engagement partner. This release contains additional 
discussion regarding these requirements.\441\
---------------------------------------------------------------------------

    \440\ See PCAOB Rule 3501(a)(i), which defines ``affiliate of 
the accounting firm.''
    \441\ Section II.C.7.f.(ii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state, ``[i]f the engagement partner has performed other 
engagements for the entity, the engagement partner shall consider 
whether information obtained is relevant to identifying risks of 
material misstatement.''
    The SASs include a requirement similar to the ISAs' requirement.
(xiii). Performing Analytical Procedures
PCAOB
    Auditing Standard No. 12 contains a series of requirements 
regarding performing analytical procedures as risk assessment 
procedures. These requirements were adapted from AU sec. 329, 
Analytical Procedures. Auditing Standard No. 12 requires the auditor 
to:
     Perform analytical procedures that are designed to (a) 
enhance the auditor's understanding of the client's business and the 
significant transactions and events that have occurred since the prior 
year end; and (b) identify areas that might represent specific risks 
relevant to the audit, including the existence of unusual transactions 
and events, and amounts, ratios, and trends that warrant investigation.
     Perform analytical procedures regarding revenue as risk 
assessment procedures with the objective of identifying unusual or 
unexpected relationships involving revenue accounts that might indicate 
a material misstatement, including material misstatement due to fraud.
     Take into account analytical procedures performed in 
accordance with AU sec. 722 when designing and applying analytical 
procedures as risk assessment procedures. This requirement is unique to 
PCAOB standards.
     Use his or her understanding of the company to develop 
expectations about plausible relationships among the data to be used in 
the procedure.\442\
---------------------------------------------------------------------------

    \442\ Analytical procedures consist of evaluations of financial 
information made by a study of plausible relationships among both 
financial and nonfinancial data.
---------------------------------------------------------------------------

     Take into account unusual or unexpected differences from 
the auditor's expectations that are identified while performing 
analytical procedures as risk assessment procedures.
    This release contains additional discussion of these 
requirements.\443\
---------------------------------------------------------------------------

    \443\ Section II.C.7.g.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The risk assessment procedures shall include * * * [a]nalytical 
procedures * * *
    The auditor shall evaluate whether unusual or unexpected 
relationships that have been identified in performing analytical 
procedures, including those related to revenue accounts, may 
indicate risks of material misstatement due to fraud.
ASB
    The SASs state:

    The risk assessment procedures should include * * * [a]nalytical 
procedures * * *
    Based on analytical procedures performed as part of risk 
assessment procedures and as part of substantive procedures, the 
auditor should evaluate whether unusual or unexpected relationships 
that have been identified indicate risks of material misstatements 
due to fraud. To the extent not already included, the analytical 
procedures and evaluation thereof should include procedures relating 
to revenue accounts.
(xiv). Communication Among Engagement Team Members
PCAOB
    Auditing Standard No. 12 requires that the communication among the 
engagement team members about significant matters affecting the risks 
of material misstatement should continue throughout the audit, 
including when

[[Page 59404]]

conditions change. This release contains additional discussion of this 
requirement.\444\
---------------------------------------------------------------------------

    \444\ Section II.C.7.h.(ii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(xv). Discussion of the Potential for Material Misstatement Due to 
Fraud
PCAOB
    Auditing Standard No. 12 requires a discussion among the key 
engagement team members of specified matters regarding fraud, including 
how and where the company's financial statements might be susceptible 
to material misstatement due to fraud, known fraud risk factors, the 
risk of management override of controls, and possible responses to 
fraud risks.
    Auditing Standard No. 12 requires all key engagement team members 
to participate in the discussion. Auditing Standard No. 12 also states 
that key engagement team members include the engagement partner and 
other engagement team members with significant engagement 
responsibilities.
    Auditing Standard No. 12 also includes a requirement to emphasize 
certain matters to all engagement team members, including the need to 
maintain a questioning mind throughout the audit and to exercise 
professional skepticism in gathering and evaluating evidence, to be 
alert for information or other conditions that might affect the 
assessment of fraud risks, and actions to be taken if information or 
other conditions indicate that a material misstatement due to fraud 
might have occurred.
    This release includes additional discussion of these 
requirements.\445\
---------------------------------------------------------------------------

    \445\ Section II.C.7.h.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The engagement partner and other key engagement team members 
shall discuss the susceptibility of the entity's financial 
statements to material misstatement, and the application of the 
applicable financial reporting framework to the entity's facts and 
circumstances. The engagement partner shall determine which matters 
are to be communicated to engagement team members not involved in 
the discussion.
    * * * This discussion shall place particular emphasis on how and 
where the entity's financial statements may be susceptible to 
material misstatement due to fraud, including how fraud might occur.
ASB
    The SASs have requirements similar to the ISAs' requirements. 
However, the SASs also include a requirement that the discussion 
regarding fraud include an exchange among engagement team members about 
how and where the entity's financial statements might be susceptible to 
material misstatement due to fraud, how management could perpetrate and 
conceal fraudulent financial reporting, and how assets of the entity 
could be misappropriated. The SASs also include a requirement to 
emphasize certain matters to all engagement team members, but those 
matters identified are less extensive than those required by PCAOB 
standards.
(xvi). Inquiring of the Audit Committee, Management, and Others Within 
the Company About the Risks of Material Misstatement
PCAOB
    Auditing Standard No. 12 requires the auditor to make specified 
inquiries of management and the audit committee regarding tips or 
complaints about the company's financial reporting. This release 
includes additional discussion of this requirement.\446\
---------------------------------------------------------------------------

    \446\ Section II.C.7.i.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs do not specify the nature of the required 
inquiries, except for certain inquiries regarding fraud, which are less 
extensive than those required by PCAOB standards.
(xvii). Nature of Inquiries
PCAOB
    Auditing Standard No. 12 requires the auditor to use his or her 
knowledge of the company and its environment, as well as information 
from other risk assessment procedures, to determine the nature of 
inquiries about risks of material misstatement. This release includes 
additional discussion of this requirement.\447\
---------------------------------------------------------------------------

    \447\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(xviii). Evaluating Management Responses to Inquiries
PCAOB
    Auditing Standard No. 12 requires the auditor to take into account 
the fact that management is often in the best position to commit fraud 
when evaluating management's responses to inquiries about fraud risks. 
Auditing Standard No. 12 also requires the auditor to obtain evidence 
to address inconsistencies in response to the inquiries. This release 
includes additional discussion of these requirements.\448\
---------------------------------------------------------------------------

    \448\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(xix). Identifying and Assessing the Risks of Material Misstatement
PCAOB
    Auditing Standard No. 12 requires the auditor to evaluate how risks 
at the financial statement level could affect risks of material 
misstatement at the assertion level. This release includes additional 
discussion of this requirement.\449\
---------------------------------------------------------------------------

    \449\ Section II.C.7.j.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the proposed SAS do not include an analogous 
requirement.
(xx). Identifying Significant Accounts and Disclosures and Their 
Relevant Assertions
PCAOB
    Auditing Standard No. 12 requires the auditor to identify 
significant accounts and disclosures and their relevant assertions in 
identifying and assessing risks of material misstatement. PCAOB 
standards require auditors to perform substantive procedures for 
relevant assertions of significant accounts and disclosures in the 
audit of financial statements and tests of controls over relevant 
assertions of significant accounts and disclosures in the audit of 
internal control. This release includes additional discussion regarding 
identifying significant accounts and disclosures and relevant 
assertions.\450\
---------------------------------------------------------------------------

    \450\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not have an analogous requirement.
(xxi). Significant Risks
PCAOB
    Auditing Standard No. 12 defines significant risk as a ``risk of 
material misstatement that requires special audit consideration.'' This 
definition is different from the ISAs' definition because it omits two 
qualifying phrases, ``an identified and assessed'' and ``in the 
auditor's judgment.'' This release includes additional discussion 
regarding the definition of significant risks.\451\
---------------------------------------------------------------------------

    \451\ Section II.C.7.k.

---------------------------------------------------------------------------

[[Page 59405]]

IAASB and ASB
    The ISAs and SASs define significant risk as ``an identified and 
assessed risk of material misstatement that, in the auditor's judgment, 
requires special audit consideration.''

Auditing Standard No. 13--The Auditor's Responses to the Risks of 
Material Misstatement

    In this section, the analogous IAASB standards are ISA 330, The 
Auditor's Responses to Assessed Risks, and ISA 240, The Auditor's 
Responsibilities Relating to Fraud in an Audit of Financial Statements 
(collectively referred to in this section as ``the ISAs''). The 
analogous ASB standards are the clarified SAS, Performing Audit 
Procedures in Response to Assessed Risks and Evaluating the Audit 
Evidence Obtained (Redrafted), and the proposed SAS, Consideration of 
Fraud in a Financial Statement Audit (Redrafted) (collectively referred 
to in this section as ``the SASs'').
(i). Objective
PCAOB
    The objective of the auditor in Auditing Standard No. 13 is ``to 
address the risks of material misstatement through appropriate overall 
audit responses and audit procedures.'' The objective in the proposed 
standard emphasizes the auditor's responsibility for responding to the 
risks of material misstatements. This release contains additional 
discussion regarding the objective of the standard.\452\
---------------------------------------------------------------------------

    \452\ Section II.C.8.b.
---------------------------------------------------------------------------

IAASB and ASB
    The objective in the ISAs and the SASs is to obtain sufficient 
appropriate audit evidence regarding the assessed risks of material 
misstatement, through designing and implementing appropriate responses 
to those risks.
(ii). Overall Responses to Risks
PCAOB
    Auditing Standard No. 13 requires the auditor to design and 
implement certain overall responses (e.g., making appropriate 
assignments of specific engagement responsibilities, providing an 
appropriate extent of supervision, incorporating elements of 
unpredictability in selecting auditing procedures, and evaluating the 
company's selection and application of significant accounting 
principles) to address risks of material misstatement. These responses 
are not limited to addressing risks at the financial statement level. 
They are also intended to address risks at the significant account or 
disclosure level due to the nature of these specific overall responses. 
This release contains additional discussion of this requirement.\453\
---------------------------------------------------------------------------

    \453\ Section II.C.8.c.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include requirements to design and implement 
overall responses to address the assessed risks of material 
misstatement at the financial statement level and requirements for 
particular types of responses to the risks of material misstatement due 
to fraud at the financial statement level.
(iii). Determination of the Need for Pervasive Changes
PCAOB
    Auditing Standard No. 13 requires the auditor to determine whether 
it is necessary to make pervasive changes to the nature, timing, or 
extent of audit procedures to adequately address the assessed risk of 
material misstatement. Examples of such pervasive changes include 
modifying the audit strategy to increase the substantive testing of the 
valuation of numerous significant accounts at year end because of 
significantly deteriorating market conditions and to obtain more 
pervasive audit evidence from substantive procedures due to the 
identification of pervasive weaknesses in the company's control 
environment. This release includes detailed discussions regarding 
making pervasive changes as an overall response to risks of material 
misstatement.\454\
---------------------------------------------------------------------------

    \454\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(iv). Application of Professional Skepticism
PCAOB
    Auditing Standard No. 13 states that due professional care requires 
the auditor to exercise professional skepticism, requires that the 
auditor apply professional skepticism in gathering and evaluating audit 
evidence in response to risks of material misstatement, and provides 
examples of the appropriate application of professional skepticism. 
This release includes additional discussion regarding application of 
professional skepticism.\455\
---------------------------------------------------------------------------

    \455\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state

    * * * the auditor shall maintain an attitude of professional 
skepticism throughout the audit, recognizing the possibility that a 
material misstatement due to fraud could exist, notwithstanding the 
auditor's past experience of the honesty and integrity of the 
entity's management and those charged with governance.
    The SASs include a requirement similar to the ISAs' requirement.
(v). Evidence About the Effectiveness of Controls
PCAOB
    In discussing testing controls in an audit of financial statements, 
Auditing Standard No. 13 establishes the principle that the evidence 
necessary to support the auditor's control risk assessment depends on 
the degree of reliance the auditor plans to place on the effectiveness 
of a control. The greater the reliance on a control, the more 
persuasive evidence the auditor is required to obtain from the tests of 
controls.
    In addition, the standard requires the auditor to obtain more 
persuasive evidence about the effectiveness of controls for each 
relevant assertion for which the audit approach consists primarily of 
tests of controls. This release includes additional discussions of 
these requirements.\456\
---------------------------------------------------------------------------

    \456\ Section II.C.8.f.(iii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include a requirement for the auditor to 
obtain more persuasive audit evidence the greater the reliance he or 
she plans to place on the effectiveness of a control, but they do not 
have an analogous requirement regarding situations in which the audit 
approach consists primarily of tests of controls.
(vi). Testing the Operating Effectiveness of a Control
PCAOB
    Auditing Standard No. 13 requires the auditor to determine whether 
the control selected for testing is operating as designed and whether 
the person performing the control possesses the necessary authority and 
competence to perform the control effectively. The standard also 
discusses the procedures the auditor performs in testing operating 
effectiveness. To help facilitate the tests of controls in an 
integrated audit, the standard continues to use language similar to 
that of Auditing Standard No. 5 when describing analogous terms and 
concepts relating to the testing of

[[Page 59406]]

controls. This release includes additional discussion regarding this 
requirement.\457\
---------------------------------------------------------------------------

    \457\ Section II.C.8.f.(iv).
---------------------------------------------------------------------------

IAASB
    The ISAs do not include an analogous requirement to determine 
whether the person performing the control possesses the necessary 
authority and competence to perform the control effectively.
ASB
    The SASs state:

    In designing and performing tests of controls, the auditor 
should: a. perform other audit procedures in combination with 
inquiry to obtain audit evidence about the operating effectiveness 
of the controls, including * * * by whom or by what means they were 
applied, including, when applicable, whether the person performing 
the control possesses the necessary authority and competence to 
perform the control effectively.

(vii). Tests of Controls in an Integrated Audit
PCAOB
    Auditing Standard No. 13 requires the auditor to perform tests of 
controls in integrated audits to meet the objectives of both the audit 
of financial statements and the audit of internal control. This release 
includes additional discussion of this requirement.\458\
---------------------------------------------------------------------------

    \458\ Section II.C.8.d.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs do not include an analogous requirement.
(viii). Rotational Testing of Controls
PCAOB
    Auditing Standard No. 13 requires the auditor to obtain evidence 
during the current year audit about the design and operating 
effectiveness of controls upon which the auditor relies. This release 
includes additional discussion of this requirement.\459\
---------------------------------------------------------------------------

    \459\ Section II.C.8.f.(vi).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include requirements that apply to the use of 
evidence about controls obtained in prior audits and allow rotational 
testing of controls under certain conditions set forth in those 
standards.
(ix). Assessing Control Risk
PCAOB
    Auditing Standard No. 13 requires the auditor to assess control 
risk for relevant assertions by evaluating the evidence from all 
sources, including the auditor's testing of controls for the audit of 
internal control and the audit of financial statements, misstatements 
detected during the financial statement audit, and any identified 
control deficiencies. The standard also requires that control risk be 
assessed at the maximum level for relevant assertions (1) for which 
controls necessary to sufficiently address the assessed risk of 
material misstatement in those assertions are missing or ineffective or 
(2) when the auditor has not obtained sufficient appropriate audit 
evidence to support a control risk assessment below the maximum level. 
This release includes additional discussion of these requirements.\460\
---------------------------------------------------------------------------

    \460\ Section II.C.8.f.(vii).
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include requirements regarding evaluating the 
operating effectiveness of controls and identified control deviations, 
but those standards do not require a specific assessment of control 
risk.
(x). Substantive Procedures
PCAOB
    Auditing Standard No. 13 requires the auditor to perform 
substantive procedures for each relevant assertion of each significant 
account and disclosure, regardless of the assessed level of control 
risk. This requirement reflects the principle that the auditor needs to 
implement appropriate responses to address assessed risks of material 
misstatement. This release contains additional discussion of this 
requirement.\461\
---------------------------------------------------------------------------

    \461\ Section II.C.8.g.
---------------------------------------------------------------------------

IAASB
    The ISAs state, ``Irrespective of the assessed risks of material 
misstatement, the auditor shall design and perform substantive 
procedures for each material class of transactions, account balance, 
and disclosure.''
ASB
    The SASs state, ``Irrespective of the assessed risks of material 
misstatement, the auditor should design and perform substantive 
procedures for all relevant assertions related to each material class 
of transactions, account balance, and disclosure.''
    The requirements in the ISAs and the SASs focus on the accounts and 
disclosures that are material, regardless of whether they are 
associated with identified risks of material misstatement.
(xi). Consideration of Confirmations
PCAOB
    Auditing Standard No. 13 requires the auditor to perform 
substantive procedures for each relevant assertion of each significant 
account and disclosure. The standard also discusses how to determine 
the types and combination of substantive audit procedures necessary to 
detect material misstatements in relevant assertions.
    AU sec. 330, The Confirmation Process, establishes requirements 
regarding the use of confirmation procedures.\462\ The risk assessment 
standards discuss the auditor's responsibilities for designing and 
performing the substantive procedures necessary to address the risks of 
material misstatement.
---------------------------------------------------------------------------

    \462\ The Board has a separate standards-setting project on 
confirmations.
---------------------------------------------------------------------------

IAASB and ASB
    ISA 330 specifically requires the auditor to consider whether 
external confirmation procedures are to be performed as substantive 
audit procedures. The ASB has proposed to amend the SASs to require the 
auditor to consider whether external confirmation procedures are to be 
performed as substantive audit procedures and to require the use of 
external confirmation procedures for material accounts receivable.
(xii). Determining Whether To Perform Interim Substantive Procedures
PCAOB
    Auditing Standard No. 13 requires the auditor to take into account 
a series of factors when determining whether it is appropriate to 
perform substantive procedures at an interim date. This release 
includes provides additional discussion regarding timing of substantive 
procedures.\463\
---------------------------------------------------------------------------

    \463\ Section II.C.8.h.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs do not include an analogous requirement for 
the auditor to take into account the factors listed in Auditing 
Standard No. 13 when determining whether it is appropriate to perform 
substantive procedures at an interim date.
(xiii). Substantive Procedures Covering the Remaining Period
PCAOB
    Auditing Standard No. 13 states, ``When substantive procedures are 
performed at an interim date, the auditor should cover the remaining 
period by performing substantive

[[Page 59407]]

procedures, or substantive procedures combined with tests of controls, 
that provide a reasonable basis for extending the audit conclusions 
from the interim date to the period end.'' The standard contains a 
specific requirement to compare relevant information about the account 
balance at the interim date with comparable information at the end of 
the period to identify amounts that appear unusual. This release 
includes additional discussion of this requirement.\464\
---------------------------------------------------------------------------

    \464\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include requirements to cover the period 
between the interim testing date and year end by performing substantive 
procedures, combined with tests of controls for the intervening period, 
or by performing further substantive procedures only if the auditor 
determines that doing so would be sufficient. The ISAs and SASs do not 
include an analogous requirement regarding the specific procedures to 
be performed.
(xiv). Response to Significant Risks
PCAOB
    Auditing Standard No. 13 requires the auditor to perform 
substantive procedures, including tests of details, that are 
specifically responsive to significant risks. This release contains 
additional discussion of this requirement.\465\
---------------------------------------------------------------------------

    \465\ Section II.C.8.i.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state:

    If the auditor has determined that an assessed risk of material 
misstatement at the assertion level is a significant risk, the 
auditor shall perform substantive procedures that are specifically 
responsive to that risk. When the approach to a significant risk 
consists only of substantive procedures, those procedures shall 
include tests of details.

    The SASs include requirements similar the ISAs' requirements.
(xv). Dual-purpose Tests
PCAOB
    Auditing Standard No. 13 states that, when dual-purpose tests are 
performed, the auditor should design the dual-purpose test to achieve 
the objectives of both the test of the control and the substantive 
test. Also, when performing a dual-purpose test, the auditor should 
evaluate the results of the test in forming conclusions about both the 
assertion and the effectiveness of the control being tested. This 
release contains additional discussion of this requirement.\466\
---------------------------------------------------------------------------

    \466\ Section II.C.8.j.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs do not include analogous requirements.

Auditing Standard No. 14--Evaluating Audit Results

    In this section, the analogous IAASB standards are ISA 450, 
Evaluation of Misstatements Identified During the Audit, ISA 330, The 
Auditor's Responses to Assessed Risks, ISA 520, Analytical Procedures, 
ISA 240, The Auditor's Responsibilities Relating to Fraud in an Audit 
of Financial Statements, ISA 540, Auditing Accounting Estimates 
Including Fair Value Accounting Estimates, and Related Disclosures, and 
ISA 700, Forming an Opinion and Reporting on Financial Statements 
(collectively referred to in this section as ``the ISAs''). The 
analogous ASB standards are clarified SAS Evaluation of Misstatements 
Identified During the Audit, Performing Audit Procedures in Response to 
Assessed Risks and Evaluating the Audit Evidence Obtained (Redrafted), 
Understanding the Entity and its Environment and Assessing the Risks of 
Material Misstatement (Redrafted), and proposed SAS Consideration of 
Fraud in a Financial Statement Audit (Redrafted), Analytical Procedures 
(Redrafted), and Forming an Opinion and Reporting on Financial 
Statements (collectively referred to in this section as ``the SASs'').
(i). Performing Analytical Procedures in the Overall Review
PCAOB
    In the overall review, Auditing Standard No. 14 contains specific 
requirements for the auditor to read the financial statements and 
disclosures and perform analytical procedures to (a) evaluate the 
auditor's conclusions formed regarding significant accounts and 
disclosures and (b) assist in forming an opinion on whether the 
financial statements as a whole are free of material misstatement. 
These requirements were adapted from existing requirements in PCAOB 
standards.\467\ The conclusions formed from the results of the overall 
review of the audit are intended to inform the auditor's conclusions 
regarding significant accounts and disclosures and the opinion on the 
financial statements. This release includes additional discussion of 
these requirements.\468\
---------------------------------------------------------------------------

    \467\ AU sec. 329.23.
    \468\ Section II.C.9.c.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The auditor shall design and perform analytical procedures near 
the end of the audit that assist the auditor when forming an overall 
conclusion as to whether the financial statements are consistent 
with the auditor's understanding of the entity.
ASB
    The SASs state:

    The auditor should design and perform analytical procedures near 
the end of the audit that are intended to corroborate audit evidence 
obtained during the audit of financial statements to assist the 
auditor in drawing reasonable conclusions on which to base the 
auditor's opinion.
(ii). Evaluating Evidence From Analytical Procedures
PCAOB
    Auditing Standard No. 14 contains a requirement, which was adapted 
from an existing requirement in PCAOB standards,\469\ for the auditor, 
as part of the overall review to evaluate whether (a) the evidence 
gathered in response to unusual or unexpected transactions, events, 
amounts or relationships previously identified during the audit is 
sufficient and (b) unusual or unexpected transactions, events, amounts, 
or relationships indicate risks of material misstatement that were not 
identified previously, including, in particular, fraud risks. Auditing 
Standard No. 14 also specifically requires the auditor to evaluate 
whether the evidence gathered during the audit is sufficient as part of 
the overall review.
---------------------------------------------------------------------------

    \469\ AU sec. 329.23.
---------------------------------------------------------------------------

    Also, the requirements in Auditing Standard No. 14 relate to risks 
of material misstatement due to error or fraud, whereas the 
requirements in the ISAs and SASs are limited to fraud risks. This 
release includes additional discussion of these requirements in 
Auditing Standard No. 14.\470\
---------------------------------------------------------------------------

    \470\ Section II.C.9.c.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The auditor shall evaluate whether analytical procedures that 
are performed near the end of the audit, when forming an overall 
conclusion as to whether the financial statements as a whole are 
consistent with the auditor's understanding of the entity and its 
environment, indicate a previously unrecognized risk of material 
misstatement due to fraud.
ASB
    The SASs state:

    The auditor should evaluate whether the accumulated results of 
auditing procedures,

[[Page 59408]]

including analytical procedures, that are performed during the 
audit, in the overall review stage, or in both stages, when forming 
an overall conclusion concerning whether the financial statements as 
a whole are consistent with the auditor's understanding of the 
entity and its environment, indicate a previously unrecognized risk 
of material misstatement due to fraud.
(iii). Analytical Procedures Regarding Revenue
PCAOB
    Auditing Standard No. 14 includes a requirement, adapted from an 
existing requirement in AU sec. 316, for the auditor to perform 
analytical procedures relating to revenue through the end of the 
period. These procedures are intended to identify unusual or unexpected 
relationships involving revenue accounts that might indicate a material 
misstatement, including material misstatement due to fraud. This 
release includes additional discussion of this requirement.\471\
---------------------------------------------------------------------------

    \471\ Ibid.
---------------------------------------------------------------------------

IAASB
    The ISAs state:

    The auditor shall evaluate whether unusual or unexpected 
relationships that have been identified in performing analytical 
procedures, including those related to revenue accounts, may 
indicate risks of material misstatement due to fraud.

    The ISAs do not specifically require the auditor to perform 
analytical procedures related to revenue through the end of the period.
ASB
    The SASs require the auditor to perform analytical procedures 
related to revenue.
(iv). Corroborating Management Explanations
PCAOB
    Auditing Standard No. 14 requires the auditor to corroborate 
management's explanations regarding significant unusual or unexpected 
transactions, events, amounts, or relationships. Auditing Standard No. 
14 also states that if management's responses to the auditor's 
inquiries appear to be implausible, inconsistent with other audit 
evidence, imprecise, or not at a sufficient level of detail to be 
useful, the auditor should perform procedures to address the matter. 
Unlike the ISAs, Auditing Standard No. 14 specifically requires the 
auditor to corroborate management's explanations regarding significant 
matters. This release includes additional discussion regarding 
corroborating management's explanations.\472\
---------------------------------------------------------------------------

    \472\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs require the auditor to investigate the 
identified fluctuations or relationships that are inconsistent with 
other relevant information or that differ from expected values by a 
significant amount by (a) inquiring of management and obtaining 
appropriate audit evidence relevant to management's responses and (b) 
performing other audit procedures as necessary in the circumstances. 
The ISAs and the SASs also include a requirement to investigate 
inconsistent responses to inquiries from management and those charged 
with governance.
(v). Communication of Accumulated Misstatements
PCAOB
    Auditing Standard No. 14 requires the auditor to communicate 
accumulated misstatements to management on a timely basis to provide 
management with an opportunity to correct them. Unlike the ISAs and the 
SASs, Auditing Standard No. 14 does not require the auditor to request 
management to correct the misstatements. Instead, PCAOB standards focus 
on communicating the misstatements to management, performing procedures 
to determine whether management corrected them, understanding the 
reasons why management might not have corrected the misstatements, and 
evaluating the effect of uncorrected misstatements on the financial 
statements and the audit. This release includes additional discussion 
of this requirement.\473\
---------------------------------------------------------------------------

    \473\ Section II.C.9.j.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs include requirements to communicate on a 
timely basis all misstatements accumulated during the audit to an 
appropriate level of management and to request that management correct 
those misstatements.
(vi). Correction of Misstatements
PCAOB
    Auditing Standard No. 14 requires that if management has made 
corrections to accounts or disclosures in response to misstatements 
detected by the auditor, the auditor should evaluate management's work 
to determine whether the corrections have been appropriately recorded 
and determine whether uncorrected misstatements remain. This release 
includes additional discussion of this requirement.\474\
---------------------------------------------------------------------------

    \474\ Section II.C.9.f.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs contain a requirement to perform additional 
audit procedures to determine whether misstatements remain, if at the 
auditor's request management has examined a class of transactions, 
account balance or disclosure and corrected misstatements that were 
detected.
    The ISAs do not require the auditor to evaluate whether the 
misstatements that were communicated by the auditor to management have 
been appropriately corrected by management.
(vii). Evaluating Misstatements--Effect on Risk Assessments
PCAOB
    Auditing Standard No. 14 contains a requirement to evaluate the 
nature and the effects of individual misstatements accumulated during 
the audit on the assessed risks of material misstatement in determining 
whether the risk assessments remain appropriate. This release includes 
additional discussion of this requirement.\475\
---------------------------------------------------------------------------

    \475\ Section II.C.9.i.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs do not include an analogous requirement.
(viii). Evaluating Whether Misstatements Might Be Indicative of Fraud
PCAOB
    Auditing Standard No. 14 requires the auditor to perform procedures 
to obtain additional audit evidence to determine whether fraud has 
occurred or is likely to have occurred, and, if so, its effect on the 
financial statements and the auditor's report if the auditor believes 
that a misstatement is or might be intentional, and if the effect on 
the financial statement cannot be readily determined. This release 
includes additional discussions of this requirement.\476\
---------------------------------------------------------------------------

    \476\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs require the auditor to evaluate the implications for the 
audit if the auditor confirms that or is unable to conclude whether 
financial statements are materially misstated as a result of fraud. The 
ISA does not explicitly require the auditor to perform audit procedures 
to obtain additional audit evidence to determine the effect of the 
misstatement on the financial statements.

[[Page 59409]]

    The SASs include a requirement similar to the ISAs' requirement.
(ix). Communications Regarding Fraud
PCAOB
    Auditing Standard No. 14 requires the auditor to determine his or 
her responsibility under AU secs. 316.79-.82A, AU sec. 317, Illegal 
Acts by Clients, and Section 10A of the Securities and Exchange Act of 
1934, 15 U.S.C. 78j-1, if the auditor becomes aware of information 
indicating that fraud or another illegal act has occurred or might have 
occurred. AU sec. 316 requires that whenever the auditor has determined 
that there is evidence that fraud may exist, the auditor should bring 
that matter to the attention of an appropriate level of 
management.\477\ This release includes additional discussion of this 
requirement.\478\
---------------------------------------------------------------------------

    \477\ AU sec. 316.79.
    \478\ Section II.C.9.k.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs state that if the auditor has identified a fraud or has 
obtained information that indicates that a fraud may exist, the auditor 
shall communicate these matters on a timely basis to the appropriate 
level of management.
    The SASs include a requirement similar to the ISAs' requirement.
(x). Evaluating the Qualitative Aspects of the Company's Accounting 
Practices
PCAOB
    Auditing Standard No. 14 states that if the auditor identifies bias 
in management's judgments about the amounts and disclosures in the 
financial statements, the auditor should evaluate whether the effect of 
that bias, together with the effect of uncorrected misstatements, 
results in material misstatement of the financial statements. The 
standard also contains a requirement for the auditor to evaluate 
whether the auditor's risk assessments, including the assessment of 
fraud risks, and the related responses remain appropriate. This release 
includes additional discussion of these requirements.\479\
---------------------------------------------------------------------------

    \479\ Section II.C.9.l.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and the SASs contain a requirement for the auditor to 
evaluate whether the financial statements are prepared, in all material 
respects, in accordance with the requirements of the applicable 
financial reporting framework. This evaluation shall include 
consideration of the qualitative aspects of the entity's accounting 
practices, including indicators of possible bias in management's 
judgments.
(xi). Management's Identification of Offsetting Adjusting Entries
PCAOB
    If management identifies adjusting entries that offset 
misstatements accumulated by the auditor, Auditing Standard No. 14 
requires the auditor to perform procedures to determine why the 
misstatements were not identified previously and to evaluate the 
implications on the integrity of management and the auditor's risk 
assessments, including fraud risk assessments. Auditing Standard No. 14 
also requires the auditor to perform additional procedures as necessary 
to address the risk of further undetected misstatements. This release 
includes additional discussion of these requirements.\480\
---------------------------------------------------------------------------

    \480\ Ibid.
---------------------------------------------------------------------------

IAASB and ASB
    The ISAs and SASs do not include analogous requirements.
(xii). Evaluating Conditions Relating to Assessment of Fraud Risks
PCAOB
    Auditing Standard No. 14 requires the engagement partner to 
determine whether there has been appropriate communication with other 
engagement team members throughout the audit regarding information or 
conditions that are indicative of fraud risks. This release includes 
additional discussion of this requirement.\481\
---------------------------------------------------------------------------

    \481\ Section II.C.9.m.
---------------------------------------------------------------------------

IAASB
    The ISAs require a discussion among the engagement team members and 
a determination by the engagement partner of matters to be communicated 
to those team members not involved in the discussion.
ASB
    The SASs contain a requirement for the engagement partner to 
ascertain that appropriate communication exists about the need for the 
discussion of fraud risks among team members throughout the audit.

Auditing Standard No. 15--Audit Evidence

    In this section, the analogous IAASB and ASB standards are ISA 500, 
Audit Evidence, and the clarified SAS, Audit Evidence (Redrafted), 
respectively.
(i). Objective and Overarching Requirement
PCAOB
    The objective of the auditor in Auditing Standard No. 15 is to plan 
and perform the audit to obtain appropriate audit evidence that is 
sufficient to support the opinion expressed in the auditor's report. 
The objective of the standard, together with the related requirement 
regarding audit evidence, articulates the linkage between the auditor's 
responsibility to obtain sufficient appropriate audit evidence and to 
support his or her opinion. This release includes additional discussion 
regarding the objective of the standard.\482\
---------------------------------------------------------------------------

    \482\ Section II.C.10.c.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA states:

    The objective of the auditor is to design and perform audit 
procedures in such a way as to enable the auditor to obtain 
sufficient appropriate audit evidence to be able to draw reasonable 
conclusions on which to base the auditor's opinion.

    The ISA also states:

    The auditor shall design and perform audit procedures that are 
appropriate in the circumstances for the purpose of obtaining 
sufficient appropriate audit evidence.

    The SAS includes an objective and a requirement similar to the 
ISA's objective and requirement.
(ii). Document Authentication
PCAOB
    Auditing Standard No. 15 states that the auditor is not expected to 
be an expert in document authentication. However, if conditions 
indicate that a document may not be authentic or that the terms in a 
document have been modified but that the modifications have not been 
disclosed to the auditor, the auditor is required to modify the planned 
audit procedures or perform additional audit procedures to respond to 
those conditions and to evaluate the effect, if any, on the other 
aspects of the audit. Auditing Standard No. 15 omits protective 
language, such as ``[u]nless the auditor has reason to believe the 
contrary, the auditor may accept records and document as genuine'' that 
would weaken the requirement. This release includes additional 
discussion regarding this requirement.\483\
---------------------------------------------------------------------------

    \483\ Section II.C.10.e.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA states:

    Unless the auditor has reason to believe the contrary, the 
auditor may accept records and

[[Page 59410]]

documents as genuine. If conditions identified during the audit 
cause the auditor to believe that a document may not be authentic or 
that terms in a document have been modified but not disclosed to the 
auditor, the auditor shall investigate further.

    The SAS includes a requirement similar to the ISA's requirement.
(iii). Selecting Items for Testing To Obtain Audit Evidence
PCAOB
    Auditing Standard No. 15 states that the auditor should determine 
the means of selecting items for testing to obtain evidence that, in 
combination with other relevant evidence, is sufficient to meet the 
objective of the audit procedure. This requirement links the selection 
of items for testing to the sufficiency of the audit evidence. This 
release includes additional discussion of this requirement.\484\
---------------------------------------------------------------------------

    \484\ Section II.C.10.j.
---------------------------------------------------------------------------

IAASB and ASB
    The ISA states:

    When designing tests of controls and tests of details, the 
auditor shall determine means of selecting items for testing that 
are effective in meeting the purpose of the audit procedure.

    The SAS includes a requirement similar to the ISA's requirement.

III. Date of Effectiveness of the Proposed Rules and Timing for 
Commission Action

    Pursuant to Section 19(b)(2)(A)(ii) of the Securities Exchange Act 
of 1934 (``Exchange Act''), and based on its determination that an 
extension of the period set forth in Section 19(b)(2)(A)(i) of the 
Exchange Act is appropriate in light of the number and complexity of 
the standards to allow additional time sufficient for notice and 
comment, and consideration of comments, the Commission has determined 
to extend to December 27, 2010 as the date by which the Commission 
should take action on the proposed rule.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
is consistent with the requirements of Title I of the Act. Comments may 
be submitted by any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (http://
www.sec.gov/rules/pcaob.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number PCAOB-2010-01 on the subject line.

Paper Comments

     Send paper comments in triplicate to Elizabeth M. Murphy, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File Number PCAOB-2010-01. This file 
number should be included on the subject line if e-mail is used. To 
help the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's Internet Web site (http://www.sec.gov/rules/pcaob/
shtml). Copies of the submission, all subsequent amendments, all 
written statements with respect to the proposed rule that are filed 
with the Commission, and all written communications relating to the 
proposed rule between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for Web site viewing and printing in 
the Commission's Public Reference Room, on official business days 
between the hours of 10 a.m. and 3 p.m. Copies of such filing will also 
be available for inspection and copying at the principal office of the 
PCAOB. All comments received will be posted without change; we do not 
edit personal identifying information from submissions. You should 
submit only information that you wish to make available publicly. All 
submissions should refer to File No. PCAOB-2010-01 and should be 
submitted on or before October 18, 2010.

    By the Commission.
Elizabeth M. Murphy,
Secretary.
[FR Doc. 2010-23456 Filed 9-24-10; 8:45 am]
BILLING CODE 8010-01-P

