The auditor should also recognize that, even when other specific risks of material misstatement are not identified, there is a risk that management can override controls. (AU-C 240.31) The auditor should address this risk as discussed in the later section on “Addressing the Risk of Management Override.”
Assessing Identified Risks
As part of the understanding of internal control required by Section 319, the auditor should:
1. Evaluate whether the entity's programs and controls that address identified risks have been appropriately designed and placed in operation. Programs and controls may involve specific controls, such as those designed to prevent theft, or broad programs, such as one that promotes ethical behavior.
2. Consider whether programs and controls mitigate identified risks of material misstatement due to fraud or whether control deficiencies exacerbate risks.
3. Assess identified risks, taking into account the evaluation of programs and controls.
4. Consider this assessment when responding to the identified risks of material misstatement due to fraud.
Responding to the Results of the Assessment
The auditor responds to assessment of risk of material misstatement due to fraud by:
● Exercising professional skepticism
● Evaluating audit evidence
● Considering programs and controls to address those risks
Examples of the use of professional skepticism would include:
● Designing additional or different audit procedures to obtain more reliable evidence
● Obtaining additional corroboration of management's responses or representations
The auditor should respond to the risk of material misstatement in the following ways:
1. Evaluate the overall conduct of the audit.
2. Adjust the nature, timing, and extent of audit procedures performed in response to identified risks.
3. Perform certain procedures to address the risk that management will override controls.
NOTE: The auditor should document a description of the auditor's response to identified fraud risks.
If the auditor concludes that it is not practical to design audit procedures to sufficiently address the risks of material misstatement due to fraud, the auditor should consider withdrawing from the engagement and communicating the reason to the audit committee.
Overall Response to Risk
Judgments about the risk of material misstatements due to fraud may affect the audit in the following ways:
1. Assignment of personnel and supervision.The personnel assigned to the engagement should have the knowledge, skill, and experience necessary to address the auditor's assessment of the level of risk of the engagement. The extent of supervision should also reflect the level of risk.
2. Accounting principles.The auditor should evaluate management's selection and application of significant accounting principles, particularly those relating to subjective measurements and complex transactions. The auditor should also consider whether the collective application of the principles indicates a bias that may create a material misstatement.
3. Predictability of audit procedures.The auditor should vary procedures from year to year to create an element of unpredictability. For example, the auditor may perform unannounced procedures or use a different sampling method.
(AU-C 240.29)
Adjusting the Nature, Timing, and Extent of Audit Procedures to Address Risk
The auditor may respond to identified risks by adjusting the nature, timing, and extent of audit procedures performed. Specifically:
● The nature of procedures may need to be modified to provide more reliable and persuasive evidence, or to corroborate management's representations. For example, the auditor may need to rely more on independent sources, physical observation of assets, or computer-assisted audit techniques (CAATs).
● The timing of procedures may need to be changed. For example, the auditor may decide to perform more procedures at year-end, rather than relying on tests from an interim date.
● The extent of procedures applied should reflect the assessment of fraud risk and may need to be adjusted. For example, the auditor may increase sample sizes, perform more detailed analytical procedures, or perform more computer-assisted audit techniques.
Appendix B of AU-C 240 contains the following examples of ways to modify the nature, timing, and extent of tests in response to identified risks of material misstatement due to fraud:
● Perform unannounced or surprise procedures at locations.
● Ask that inventories be counted as closely as possible to the end of the reporting period.
● Orally confirm with major customers and suppliers in addition to sending written confirmations.
● Send confirm requests to a specific party in an organization.
● Perform substantive analytical procedures using disaggregated data, such as comparing gross profit or operating margins by location, line of business, or month to auditor-developed expectations.
● Interview personnel involved in areas where a fraud risk has been identified to get their views about the risk and how controls address the risk.
● Discuss with other independent auditors auditing other subsidiaries, divisions, or branches the extent of work that should be performed to address the risk of fraud resulting from transactions and activities among those components.
● If the work of an expert becomes particularly significant with respect to a financial statement item for which the assessed risk of misstatement due to fraud is high, perform additional procedures relating to some or all of the expert's assumptions, methods, or findings to determine that the findings are not unreasonable, or engage another expert for that purpose.
● Perform audit procedures to analyze selected opening balance sheet accounts of previously audited financial statements to assess how certain issues involving accounting estimates and judgments (for example, an allowance for sales returns) were resolved with the benefit of hindsight.
Examples of Responses to Identified Risks of Misstatements from Fraudulent Financial Reporting
The following examples are from AU-C 240 Appendix B:
Revenue recognition. The auditor may consider:
● Performing substantive analytical procedures relating to revenue using disaggregated data, such as comparing revenue reported by month or by product line or business segment during the current reporting period with comparable prior periods.
● Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements (for example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances).
● Inquiring of the entity's sales and marketing personnel or in-house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.
● Being physically present at one or more locations at period-end to observe goods being shipped or being readied for shipment (or returns processing) and performing other appropriate cutoff procedures.
● For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.
Inventory