5 Audit Considerations and Certain Financial Reporting Matters – Audit and Accounting Guide Depository and Lending Institutions, 2nd Edition

Chapter 5
Audit Considerations and Certain Financial Reporting Matters1

Overview

5.01 AU-C section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards), addresses the independent auditor’s overall responsibilities when conducting an audit of financial statements in accordance with generally accepted auditing standards (GAAS). Specifically, it sets out the overall objectives of the independent auditor (the auditor) and explains the nature and scope of an audit designed to enable the auditor to meet those objectives. It also explains the scope, authority, and structure of GAAS and includes requirements establishing the general responsibilities of the auditor applicable in all audits, including the obligation to comply with GAAS.

5.02 Paragraph .12 of AU-C section 200 states that the overall objectives of the auditor, in conducting an audit of financial statements, are to

  a. obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework; and
  b. report on the financial statements, and communicate as required by GAAS, in accordance with the auditor’s findings.

5.03 Depository and lending institutions are subject to certain risks as a result of the regulatory environment and the current economic climate in which these entities operate as well as the complex nature of these entities and the transactions in which these entities are engaged. This chapter provides guidance on the application of the auditor’s overall objectives, including the risk assessment process and general auditing considerations for depository and lending institutions.

An Audit of Financial Statements

5.04 Consistent with the guidance presented in paragraph .04 of AU-C section 200, the purpose of an audit of a depository and lending institution’s financial statements is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework, which enhances the degree of confidence that intended users can place in the financial statements. An audit conducted in accordance with GAAS and relevant ethical requirements enables the auditor to form that opinion. As the basis for the auditor’s opinion, paragraph .06 of AU-C section 200 states that GAAS require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (for purposes of GAAS, that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.

5.05 Paragraphs .08 and .10 of AU-C section 200 state that GAAS contain objectives, requirements, and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. GAAS require that the auditor exercise professional judgment and maintain professional skepticism throughout the planning and performance of the audit and, among other things,

  • identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control.
  • obtain sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks.
  • form an opinion on the financial statements, or determine that an opinion cannot be formed, based on an evaluation of the audit evidence obtained.

The auditor also may have certain other communication and reporting responsibilities to users, management, those charged with governance, or parties outside the entity, regarding matters arising from the audit. These responsibilities may be established by GAAS or by applicable law or regulation.

Considerations for Audits Performed in Accordance With PCAOB Standards2

PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.10), reminds auditors of the requirement to appropriately apply professional skepticism throughout their audits, which includes an attitude of a questioning mind and a critical assessment of audit evidence. This practice alert highlights: (1) professional skepticism and due professional care; (2) impediments to the application of professional skepticism; (3) promoting professional skepticism via an appropriate system of quality control; (4) the importance of supervision to the application of professional skepticism; and (5) the appropriate application of professional skepticism.

Audit Risk

5.06 Paragraph .A36 of AU-C section 200 explains that audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.

5.07 Paragraphs .A38–.A40 of AU-C section 200 provide further explanation on the two levels of the risks of material misstatement. The risks of material misstatement exist at the overall financial statement level and the assertion level for classes of transactions, account balances, and disclosures. Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

5.08 Paragraph .A44 of AU-C section 200 states that GAAS do not ordinarily refer to inherent risk and control risk separately but rather to a combined assessment of the risks of material misstatement. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages or in nonquantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.

5.09 Paragraphs .A41–.A44 and .A46–.A47 of AU-C section 200 provide further guidance on the two components of the risk of material misstatement (inherent risk and control risk) and characteristics of detection risk.

Terms of Engagement

5.10 The scope of services rendered by auditors generally depends on the types of reports to be issued as a result of the engagement. Paragraphs .09–.10 of AU-C section 210, Terms of Engagement (AICPA, Professional Standards), state that the auditor should agree upon the terms of the audit engagement with management or those charged with governance, as appropriate. The agreed-upon terms of the audit engagement should be documented in an audit engagement letter or other suitable form of written agreement (see paragraph .10 of AU-C section 210 for a listing of agreed-upon terms that should be included). Both management and the auditor have an interest in documenting the agreed-upon terms of the audit engagement before the commencement of the audit to help avoid misunderstandings with respect to the audit as stated in paragraph .A22 of AU-C section 210.

5.11 In accordance with paragraphs .A23–.A24 of AU-C section 210, the form and content of the audit engagement letter may vary for each entity. When relevant, additional services to be provided, such as those relating to regulatory requirements (see further discussion on these engagements in the section “Annual Independent Audits and Reporting Requirements” beginning in paragraph 1.86 of this guide), could be included in the audit engagement letter. In addition, the engagement letter may also include any additional legal or contractual requirements, such as the following:

  • Auditing the financial statements of common trust funds and applying agreed-upon procedures related to trust activities. (Chapter 21, "Trust and Asset Management Activities," of this guide includes a description of trust services and activities.)
  • Reporting on management’s assertions about compliance with the requirements of the Consolidated Audit Guide for Audits of HUD Programs, compliance with the minimum servicing standards set forth in the Uniform Single Attestation Program for Mortgage Bankers, and compliance with servicing criteria for asset-backed securities as required by Regulation AB. (See chapter 4, "Industry Overview—Mortgage Companies," of this guide.)
  • Applying minimum agreed-upon procedures to assist the supervisory committee in fulfilling its responsibilities. (The scope of services is expanded beyond the minimum procedures. See chapter 2, "Industry Overview—Credit Unions," and chapter 23, "Reporting Considerations," of this guide.)
  • Reporting on management’s assertions about compliance with certain Department of Education requirements relative to student loan activities.3 (See chapter 1, “Industry Overview—Banks and Savings Institutions,” of this guide.)
  • Reporting on the controls at banks and savings institutions or credit unions functioning as service organizations in accordance with Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.4 (See chapter 10, "Transfers and Servicing and Variable Interest Entities," chapter 13, "Deposits," and chapter 20, "Fair Value," of this guide as they relate to loan servicing, deposits, and trust activities, respectively.)

5.12 In February 2006, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve), the FDIC, the Office of Thrift Supervision (prior to its transfer of powers to the OCC, the Federal Reserve, and the FDIC),5 and the National Credit Union Administration (NCUA) published the Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters. The advisory was issued because the federal agencies had observed an increase in the types and frequency of provisions in financial institutions’ external audit engagement letters limiting the auditor’s liability. Examples of these provisions included, but were not limited to, indemnifying the external auditor against claims made by third parties, releasing the external auditor from liability for claims or potential claims that might be asserted by the client financial institution, or limiting the remedies available to the client financial institution. The federal agencies believe that when financial institutions agree to limit their external auditors’ liability, either in provisions in engagement letters or in provisions that accompany alternative dispute resolution agreements, such provisions may weaken the external auditor’s objectivity, impartiality, and performance. In this regard, the Professional Ethics Executive Committee issued Interpretation No. 501-8, “Failure to Follow Requirements of Governmental Bodies, Commissions, or Other Regulatory Agencies on Indemnification of Liability Provisions in Connection With Audit and Other Attest Services” (AICPA, Professional Standards, ET sec. 501 par. .09). This interpretation provides that including prohibited limitation of liability provisions in engagement letters is an act discreditable to the profession.

5.13 The advisory informs financial institutions’ boards of directors, audit committees, and management that they should not enter into agreements that incorporate unsafe and unsound external auditor limitation of liability provisions with respect to engagements for financial statement audits, audits of internal control over financial reporting, and attestations on management’s assessment of internal control over financial reporting. It applies to all audits of financial institutions, regardless of whether an institution is a public or a nonpublic company. However, the advisory does not apply to non-audit services; audits of financial institutions’ 401(k) plans, pension plans, and other similar audits; services performed by accountants who are not engaged to perform financial institutions’ audits; and other service providers. Readers may access the full text of this advisory from any of the federal agencies’ websites.

Audit Planning

5.14 AU-C section 300, Planning an Audit (AICPA, Professional Standards), addresses the auditor’s responsibilities to plan an audit of financial statements. AU-C section 300 is written in the context of recurring audits. Matters related to planning audits of group financial statements are addressed in AU-C section 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) (AICPA, Professional Standards). Planning activities involve performing preliminary engagement activities; establishing an overall audit strategy and communicating with those charged with governance an overview of the planned scope and timing of the audit; developing a detailed, written audit plan; determining direction and supervision of engagement team members and review of their work; and determining the extent of involvement of professionals with specialized skills. Adequate planning benefits the audit of financial statements in several ways, including the following:

  • Helping the auditor identify and devote appropriate attention to important areas of the audit
  • Helping the auditor identify and resolve potential problems on a timely basis
  • Helping the auditor properly organize and manage the audit engagement so that it is performed in an effective and efficient manner
  • Assisting in the selection of engagement team members with appropriate levels of capabilities and competence to respond to anticipated risks and allocating team member responsibilities
  • Facilitating the direction and supervision of engagement team members and the review of their work
  • Assisting, when applicable, in coordination of work done by auditors of components and specialists

Paragraph .A1 of AU-C section 300 further explains that the nature, timing, and extent of planning activities will vary according to the size and complexity of the entity, the key engagement team members’ previous experience with the entity, and changes in circumstances that occur during the audit.

5.15 In accordance with paragraph .09 of AU-C section 300, the auditor should develop an audit plan that includes a description of the nature and extent of planned risk assessment procedures, as determined under AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards) (see discussion of risk assessment procedures in paragraphs 5.23–.75); the nature, timing, and extent of planned further audit procedures at the relevant assertion level, as determined under AU-C section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (AICPA, Professional Standards) (see discussion of planned further audit procedures in paragraphs 5.82–.98); and other planned audit procedures that are required to be carried out so that the engagement complies with GAAS. Paragraph .A2 of AU-C section 300 explains that planning is not a discrete phase of an audit, but rather a continual and iterative process that often begins shortly after (or in connection with) the completion of the previous audit and continues until the completion of the current audit engagement.

Materiality

5.16 AU-C section 320, Materiality in Planning and Performing an Audit (AICPA, Professional Standards), addresses the auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements. AU-C section 450, Evaluation of Misstatements Identified During the Audit (AICPA, Professional Standards), explains how materiality is applied in evaluating the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements (see paragraphs 5.99–.101 for a discussion of evaluation of misstatements).

5.17 Paragraphs .04 and .06 of AU-C section 320 state that the auditor's determination of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the financial information needs of users of financial statements. In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material. Although it is not practicable to design audit procedures to detect misstatements that could be material solely because of their nature (that is, qualitative considerations), the auditor considers not only the size but also the nature of uncorrected misstatements, and the particular circumstances of their occurrence, when evaluating their effect on the financial statements.

5.18 In accordance with paragraphs .10 and .A5 of AU-C section 320, the auditor should determine materiality for the financial statements as a whole when establishing the overall audit strategy. Determining materiality involves the exercise of professional judgment. A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole. If, in the specific circumstances of the entity, one or more particular classes of transactions, account balances, or disclosures exist for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements, then the auditor also should determine the materiality level or levels to be applied to those particular classes of transactions, account balances, or disclosures. See paragraphs .A12–.A13 of AU-C section 320 for further application guidance on materiality level or levels for particular classes of transactions, account balances, or disclosures.

Performance Materiality

5.19 Paragraph .A14 of AU-C section 320 explains that planning the audit solely to detect individual material misstatements overlooks the fact that the aggregate of individually immaterial misstatements may cause the financial statements to be materially misstated and leaves no margin for possible undetected misstatements. Therefore, in accordance with paragraph .11 of AU-C section 320, the auditor should determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing, and extent of further audit procedures. Performance materiality, for purposes of GAAS, is defined in AU-C section 320 as the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures. Performance materiality is to be distinguished from tolerable misstatement, which is the application of performance materiality to a particular sampling procedure.6

5.20 Paragraph .A14 of AU-C section 320 goes on to explain that the determination of performance materiality is not a simple mechanical calculation and involves the exercise of professional judgment. It is affected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identified in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period.

Use of Assertions in Assessment of Risks of Material Misstatement

5.21 Paragraphs .A113–.A118 of AU-C section 315 discuss the use of assertions in assessment of risks of material misstatement. In representing that the financial statements are in accordance with the applicable financial reporting framework, management implicitly or explicitly makes assertions regarding the recognition, measurement, presentation, and disclosure of the various elements of financial statements and related disclosures. Assertions used by the auditor to consider the different types of potential misstatements that may occur fall into the following categories and may take the following forms.

| Categories of Assertions | Description of Assertions: Classes of Transactions and Events During the Period | Description of Assertions: Account Balances at the End of the Period | Description of Assertions: Presentation and Disclosure |
|---|---|---|---|
| Occurrence/Existence | Transactions and events that have been recorded have occurred and pertain to the entity. | Assets, liabilities, and equity interests exist. | Disclosed events and transactions have occurred. |
| Rights and Obligations | | The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. | Disclosed events and transactions pertain to the entity. |
| Completeness | All transactions and events that should have been recorded have been recorded. | All assets, liabilities, and equity interests that should have been recorded have been recorded. | All disclosures that should have been included in the financial statements have been included. |
| Accuracy/Valuation and Allocation | Amounts and other data relating to recorded transactions and events have been recorded appropriately. | Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are recorded appropriately. | Financial and other information is disclosed fairly and at appropriate amounts. |
| Cut-off | Transactions and events have been recorded in the correct accounting period. | | |
| Classification and Understandability | Transactions and events have been recorded in the proper accounts. | | Financial information is appropriately presented and described and information in disclosures is expressed clearly. |

5.22 According to paragraph .A116 of AU-C section 315, the auditor should use relevant assertions for classes of transactions, account balances, and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures. The auditor should use relevant assertions in assessing risks by relating the identified risks to what can go wrong at the relevant assertion, taking account of relevant controls that the auditor intends to test, and designing further audit procedures that are responsive to the assessed risks.

Risk Assessment Procedures

5.23 AU-C section 315 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control.

5.24 Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter as an understanding of the entity), is a continuous, dynamic process of gathering, updating, and analyzing information throughout the audit. As stated in paragraph .A1 of AU-C section 315, the understanding of the entity establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit when, for example

  • assessing risks of material misstatement of the financial statements;
  • determining materiality in accordance with AU-C section 320;
  • considering the appropriateness of the selection and application of accounting policies and the adequacy of financial statement disclosures;
  • identifying areas for which special audit consideration may be necessary (for example, related party transactions, the appropriateness of management’s use of the going concern assumption, considering the business purpose of transactions, or the existence of complex and unusual transactions);
  • developing expectations for use when performing analytical procedures;
  • responding to the assessed risks of material misstatement, including designing and performing further audit procedures to obtain sufficient appropriate audit evidence; and
  • evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of assumptions and management’s oral and written representations.

Risk Assessment Procedures and Related Activities

5.25 In accordance with paragraph .05 of AU-C section 315, the auditor should perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and relevant assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. For purposes of GAAS, risk assessment procedures are defined in AU-C section 315 as audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels.

5.26 The auditor is required to exercise professional judgment7 to determine the extent of the required understanding of the entity. Paragraph .A3 of AU-C section 315 states that the auditor’s primary consideration is whether the understanding of the entity that has been obtained is sufficient to meet the objectives of AU-C section 315. The depth of the overall understanding that is required by the auditor is less than that possessed by management in managing the entity.

5.27 Paragraph .06 of AU-C section 315 states that the risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), and others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

Analytical Procedures

5.28 Paragraphs .A7–.A10 of AU-C section 315 provide additional explanation for analytical procedures performed during the risk assessment process. Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures may enhance the auditor's understanding of the institution's business and the significant transactions and events that have occurred since the prior audit and help to identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have audit implications.

5.29 Ratios, operating statistics, and other analytical information that may be useful in assessing an institution's position relative to other similar institutions and to industry norms, as well as in identifying unusual relationships between data about the institution itself, are generally readily available. Ratios and statistics developed for use by management or regulators often can be effectively used by the auditor in performing analytical procedures for risk assessment purposes. Many institutions disclose analytical information in their annual and quarterly reports. Other sources of information that may be useful for risk assessment purposes are the institution's Call Reports and the disclosures made by publicly held institutions in accordance with the SEC’s Industry Guide No. 3, Statistical Disclosures by Bank Holding Companies. The Uniform Bank Performance Reports, published by the Federal Financial Institutions Examination Council (FFIEC), and various reports published by the FDIC contain industry data and statistics. There are also several sources of industry data published by private companies. Many of these reports use a peer group format. It is important to understand the relevance of any peer group data to the client institution before making any judgments.

5.30 A number of the ratios that may be useful to the auditor in an audit of the financial statements of an institution are listed here with a brief description of the information they provide:

  • Investments to total assets. Measures the mix of earning assets
  • Loans to total assets. Measures the mix of earning assets
  • Investments by type divided by total investments. Measures the composition of investment portfolio
  • Loans to deposits. Indicates the funding sources for the loan base
  • Loans by type to total loans. Measures the composition of loan portfolio and of lending strategy and risk
  • Allowance for loan losses to total loans. Measures loan portfolio credit risk coverage
  • Loan loss recoveries to prior-year write-offs. Indicates write-off policy and measures recovery experience
  • Classified loans to total loans. Indicates asset quality
  • Investment income to average total securities. Measures investment portfolio yield
  • Allowance for loan losses to classified loans. Measures management's estimate of losses
  • Loan income to average net loans. Measures loan portfolio yield
  • Total deposit interest expense to average total deposits. Measures costs of deposit funds
  • Overhead to total revenue (net interest income plus noninterest income). Measures operating efficiency
  • Net income to average total assets. Measures return on assets
  • Net income to average capital. Measures return on equity
  • Capital ratios. Measure financial strength and regulatory compliance
  • Noninterest income to total revenue (net interest income plus noninterest income). Measures the extent of noninterest income
  • Liabilities to shareholders' equity. Measures the extent equity can cover creditors' claims in the event of liquidation

Discussion Among the Engagement Team

5.31 In accordance with paragraph .11 of AU-C section 315, the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner should determine which matters are to be communicated to engagement team members not involved in the discussion. Paragraph .A14 of AU-C section 315 states this discussion may be held concurrently with the discussion among the engagement team that is required by AU-C section 240, Consideration of Fraud in a Financial Statement Audit (AICPA, Professional Standards), to discuss the susceptibility of the entity’s financial statements to fraud. Paragraphs 5.129–.132 further address the discussion among the engagement team about the risks of fraud.

Additional Guidance

5.32 In addition to the requirements discussed previously, paragraphs .07–.10 of AU-C section 315 address additional requirements on risk assessment procedures and related activities. Additional application and explanatory material regarding risk assessment requirements can be found in paragraphs .A1–.A16 of AU-C section 315.

Understanding the Entity and Its Environment, Including the Entity’s Internal Control

5.33 Paragraph .12 of AU-C section 315 states that the auditor should obtain an understanding of the following:

  a. Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework.
  b. The nature of the entity, including

     i. its operations;

     ii. its ownership and governance structures;

     iii. the types of investments that the entity is making and plans to make, including investments in entities formed to accomplish specific objectives; and

     iv. the way that the entity is structured and how it is financed,

     to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.

  c. The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
  d. The entity’s objectives and strategies and those related business risks that may result in risks of material misstatement.
  e. The measurement and review of the entity’s financial performance.

Appendix A, "Understanding the Entity and Its Environment," of AU-C section 315 contains examples of matters that the auditor may consider in obtaining an understanding of the entity and its environment. Appendix B, "Internal Control Components," of AU-C section 315 contains a detailed explanation of the internal control components.

Understanding of the Client's Business

5.34 As previously discussed in paragraph 5.33, in addition to an understanding of the industry, including matters such as those described in chapter 1, chapter 2, chapter 3, "Industry Overview—Finance Companies," and chapter 4 of this guide, the auditor should obtain an understanding of the nature of an entity and the entity’s objectives and strategies and those related business risks that may result in risks of material misstatement. With regard to financial institutions, such matters include risk management strategies, organizational structure, product lines and services, capital structure, locations, and other operating characteristics. Paragraph .A32 of AU-C section 315 identifies examples of matters that the auditor may consider when obtaining an understanding of the entity’s objectives, strategies, and related business risks that may result in a risk of material misstatement of the financial statements. For entities subject to the oversight authority of the PCAOB, the auditor should also obtain an understanding of the operating segments of the business, as defined by FASB Accounting Standards Codification (ASC) 280-10-50.

5.35 An understanding of the entity may also be obtained or supplemented by reading documents such as the following:

  • The charter and bylaws of the institution
  • Minutes of meetings of the board of directors, audit committee, credit committee or loan officers, or both, and other appropriate committees
  • Prior-year and interim financial statements and other relevant reports, such as recently issued registration statements
  • Risk management strategies and reports, such as interest rate, asset quality, and liquidity reports
  • Organizational charts
  • Operating policies, including strategies for lending and investing
  • Regulatory examination reports
  • Correspondence with regulators
  • Periodic regulatory financial reports: FFIEC Consolidated Reports of Condition and Income or NCUA Call Reports (collectively, Call Reports)
  • Sales brochures and other marketing materials
  • Capital or business plans
  • Internal reports and financial information utilized by management to make segment-related decisions
  • Significant or unusual contracts entered into by the entity

5.36 Related parties. Obtaining an understanding of a client's business should also include performing the procedures set forth in AU-C section 550, Related Parties (AICPA, Professional Standards), to determine the existence of related-party relationships and transactions with such parties. The FASB ASC glossary defines related parties as

  a. affiliates of the institution (according to the FASB ASC glossary, an affiliated entity is an entity that directly or indirectly controls, is controlled by, or is under common control with another entity; also, a party with which the entity may deal if one party has the ability to exercise significant influence over the other's operating and financial policies as discussed in FASB ASC 323-10-15);
  b. entities for which investments would be required, absent the election of the fair value option under the "Fair Value Option" subsections of FASB ASC 825-10-15, to be accounted for by the equity method by the institution;
  c. trusts for the benefit of employees, such as pension and profit-sharing trusts, that are managed by or are under the trusteeship of management of the institution;
  d. principal owners of the institution and members of their immediate families;
  e. management of the institution and members of their immediate families;
  f. other parties with which the institution may deal if one party controls or can significantly influence the management or operating policies of the other to an extent that one of the transacting parties might be prevented from fully pursuing its own separate interests; and
  g. other parties that can significantly influence the management or operating policies of the transacting parties or that have an ownership interest in one of the transacting parties and can significantly influence the other to an extent that one or more of the transacting parties might be prevented from fully pursuing its own separate interests.

5.37 Paragraph .A2 of AU-C section 550 states that the substance of a particular transaction may be significantly different from its form. Accordingly, financial statements prepared in accordance with U.S. generally accepted accounting principles (GAAP) generally recognize the substance of particular transactions rather than merely their legal form. Paragraph .A45 of AU-C section 550 explains that it will generally not be possible to determine whether a particular transaction would have taken place if the parties had not been related, or assuming it would have taken place, what the terms and manner of settlement would have been. Accordingly, it is difficult to substantiate representations that a transaction was consummated on terms equivalent to those that prevail in arm's length transactions.8 Paragraphs .A47 and .A49 of AU-C section 550 further state that the preparation and fair presentation of the financial statements requires management to substantiate an assertion included in financial statements that a related party transaction was conducted on terms equivalent to those prevailing in an arm’s length transaction. If the auditor believes that management’s assertions are unsubstantiated or the auditor cannot obtain sufficient appropriate audit evidence to support the assertions, the auditor, in accordance with AU-C section 705, Modifications to the Opinion in the Independent Auditor’s Report (AICPA, Professional Standards), considers the implications for the audit, including the opinion in the auditor’s report. AU-C section 705 addresses the auditor’s responsibility to issue an appropriate report in circumstances when, in forming an opinion in accordance with AU-C section 700, Forming an Opinion and Reporting on Financial Statements (AICPA, Professional Standards), the auditor concludes that a modification to the auditor’s opinion on the financial statements is necessary. Chapter 23 of this guide provides additional discussion on auditor reports.

5.38 Regulation O loans. Part 215, "Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks," of the U.S. Code of Federal Regulations (CFR), commonly referred to as Regulation O, governs any extension of credit made by a member bank to an executive officer, director, or principal shareholder of the member bank, of any company of which the member bank is a subsidiary, and of any other subsidiary of that company. It also applies to any extension of credit made by a member bank to a company controlled by such a person, or to a political or campaign committee that benefits or is controlled by such a person. In general, Part 215.4 states that no member bank may extend credit to any insider of the bank or insider of its affiliates unless the extension of credit

  • is made on substantially the same terms (including interest rates and collateral) as, and following credit underwriting procedures that are not less stringent than, those prevailing at the time for comparable transactions by the bank with other persons that are not covered by this part and who are not employed by the bank and
  • does not involve more than the normal risk of repayment or present other unfavorable features.

5.39 Management of a financial institution would generally be expected to be able to support that their related party loans were conducted on terms equivalent to those prevailing in an arm’s length transaction. In instances where a bank has made such a related party loan, the auditor should perform procedures to verify this assertion, including reviewing management’s documentation as well as the regulatory examination report, which would identify instances where there are possible Regulation O violations.

Industry Risk Factors

5.40 As previously discussed in paragraph 5.33a, auditors should obtain an understanding of the relevant industry risk factors as a part of the evaluation of the entity and its environment. No list of risk factors covers all of the complex characteristics that affect transactions in the industry.9 However, some of those risk factors are competition for business, innovations in financial instruments, and the role of regulatory policy. Emerging regulatory and accounting guidance is discussed throughout this guide. Other primary risk factors (discussion to follow) involve the sensitivity of an institution’s earnings to changes in interest rates, liquidity, asset quality, fiduciary, and processing risk. Auditors should obtain an understanding of such risk factors when planning the audit of an institution's financial statements. Practical considerations of these risk factors for certain transactions are provided in each chapter where appropriate.

5.41 Interest rate risk (IRR).10,11 In general, financial institutions derive their income primarily from the excess of interest collected over interest paid. The rates of interest an institution earns on its assets and owes on its liabilities generally are established contractually for a period of time. Market interest rates change over time. Accordingly, an institution is exposed to lower profit margins (or losses) if it cannot adapt to interest rate changes.

5.42 For example, assume an institution's assets carry intermediate or long term fixed rates. Assume those assets were funded with short term liabilities. Also assume that interest rates rise by the time the short term liabilities are refinanced. The increase in the institution's interest expense on the new liabilities—which carry new, higher rates—will not be offset if assets continue to earn at the long term fixed rates. Accordingly, the institution's profits would decrease on the transaction because the institution will either have lower net interest income or, possibly, net interest expense. Similar risks exist if assets are subject to contractual interest rate ceilings, or rate sensitive assets are funded by longer term, fixed rate liabilities in a decreasing rate environment.

5.43 Several techniques might be used by an institution to minimize interest-rate risk. One approach is for the institution to continually analyze and manage assets and liabilities based on their payment streams and interest rates, the timing of their maturities, and their sensitivity to actual or potential changes in market interest rates. Such activities fall under the broad definition of asset/liability management.

5.44 One technique used in asset/liability management is measurement of an institution's asset/liability gap—that is, the difference between the cash flow amounts of interest-sensitive assets and liabilities that will be refinanced (or repriced) during a given period. For example, if the asset amount to be repriced exceeds the corresponding liability amount for a certain day, month, year, or longer period, the institution is in an asset-sensitive gap position. In this situation, net interest income would increase if market interest rates rose and decrease if market interest rates fell. If, alternatively, more liabilities than assets will reprice, the institution is in a liability-sensitive position. Accordingly, net interest income would decline when rates rose and increase when rates fell. Such gap analysis assumes that assets and liabilities will be repriced only when they mature—it does not consider opportunities to reprice principal or interest cash flows before maturity. Also, these examples assume that interest rate changes for assets and liabilities are of the same magnitude, whereas actual interest rate changes generally differ in magnitude for assets and liabilities.

5.45 Duration analysis is a technique that builds on gap analysis by adding consideration of the average life of a stream of cash flows. The duration of an asset or liability is measured by weighting cash flow amounts based on their timing. Accordingly, duration analysis adds a measure of the effect of the timing of interest rate changes on earnings.
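The gap measurement in paragraph 5.44 and the timing weighting in paragraph 5.45, worked through as an added example that is not part of the guide. The bucket boundaries, balances, the midpoint-repricing convention, and the choice of Macaulay duration (present-value weighting of cash flow timing) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bucket:
    """Rate-sensitive balances that reprice within one time band."""
    label: str
    midpoint_months: float  # assumed average repricing date within the band
    assets: float
    liabilities: float


# Constructed sample balance sheet, in $ millions (not from the guide).
SAMPLE = [
    Bucket("0-3m", 1.5, 120, 300),
    Bucket("3-12m", 7.5, 180, 150),
    Bucket("1-5y", 36.0, 400, 100),
    Bucket(">5y", 120.0, 300, 50),
]


def gap_report(buckets):
    """Return (label, periodic gap, cumulative gap, position) per bucket.

    Position describes the cumulative gap through the end of the bucket:
    more assets than liabilities repricing means asset-sensitive.
    """
    rows, cumulative = [], 0.0
    for b in buckets:
        gap = b.assets - b.liabilities
        cumulative += gap
        if cumulative > 0:
            position = "asset-sensitive"
        elif cumulative < 0:
            position = "liability-sensitive"
        else:
            position = "matched"
        rows.append((b.label, gap, cumulative, position))
    return rows


def nii_change(buckets, asset_shift, liability_shift, horizon_months=12.0):
    """Estimate the change in net interest income over the horizon.

    Each balance earns or pays the shifted rate only for the part of the
    horizon remaining after it reprices. Separate shifts for assets and
    liabilities cover the guide's caveat that rate changes usually differ
    in magnitude between the two sides.
    """
    total = 0.0
    for b in buckets:
        if b.midpoint_months >= horizon_months:
            continue  # reprices after the horizon, so no effect yet
        remaining_years = (horizon_months - b.midpoint_months) / 12.0
        total += (b.assets * asset_shift
                  - b.liabilities * liability_shift) * remaining_years
    return total


def macaulay_duration(cash_flows, annual_yield):
    """Present-value-weighted average time, in years, of (year, amount) flows."""
    if annual_yield <= -1:
        raise ValueError("yield must be greater than -100%")
    present_values = [(t, amount / (1 + annual_yield) ** t)
                      for t, amount in cash_flows]
    total_pv = sum(pv for _, pv in present_values)
    if total_pv == 0:
        raise ValueError("cash flows have zero present value")
    return sum(t * pv for t, pv in present_values) / total_pv


if __name__ == "__main__":
    for row in gap_report(SAMPLE):
        print("%-6s gap=%7.1f cumulative=%7.1f %s" % row)
    print("NII change, +1% on both sides:", nii_change(SAMPLE, 0.01, 0.01))
    print("NII change, assets +1%, liabilities +0.5%:",
          nii_change(SAMPLE, 0.01, 0.005))
    bond = [(1, 5), (2, 5), (3, 105)]  # constructed 3-year, 5% coupon bond
    print("Duration of fixed-rate asset:", macaulay_duration(bond, 0.05))
```

With these constructed figures the institution is liability-sensitive through 12 months, so a parallel 1% rise lowers net interest income, yet the same position gains income when liability rates rise by only half as much as asset rates.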

5.46 Another technique used to analyze IRR involves simulation models. These models measure the effect of changes in interest rates on either net interest income or on the economic value of equity. Net interest income models measure the sensitivity of changes in net interest income as a result of different interest rate scenarios. The economic value of equity measures the difference in the market value of an institution’s financial assets, liabilities, and off-balance-sheet instruments as a result of change in the interest rate environment. Simulation analysis involves the projection of various interest rate scenarios over future periods. To determine market value, the estimated cash flows for each rate scenario are discounted to arrive at a present value calculation for each rate scenario. The resulting range of probable risk exposures reflects both current and expected IRR. The rate scenarios often reflect variations of factors such as the mix of assets and liabilities and related pricing strategies. As with gap and duration analyses, if the assumptions are not valid, the results may not provide an accurate reflection of the institution's IRR.

5.47 Several ways an institution can affect IRR include the following:

  • Selling existing assets or repaying certain liabilities
  • Matching repricing periods for new assets and liabilities—for example, by shortening terms of new loans or investments
  • Hedging existing assets, liabilities, firm commitments, or forecasted transactions

5.48 An institution might also invest in more complex financial instruments intended to hedge or otherwise change IRR. Interest rate swaps, futures contracts, options on futures, and other such derivative instruments often are used for this purpose. Because these instruments are sensitive to interest rate changes, they generally require management expertise to be effective. Accounting and regulatory guidance for these instruments continue to evolve. Chapter 18, "Derivative Instruments: Futures, Forwards, Options, Swaps, and Other Derivative Instruments," of this guide discusses specific accounting and regulatory guidance in this area, as well as related audit considerations.

5.49 Financial institutions are subject to a related risk—prepayment risk—in falling rate environments. For example, mortgage loans and other receivables may be prepaid by a debtor so that the debtor may refund its obligations at new, lower rates. Prepayments of assets carrying the old, higher rates reduce the institution's interest income and overall asset yields. Prepayment risk is discussed further in chapter 7, "Investments in Debt and Equity Securities," of this guide.

5.50 Liquidity risk.12, 13, 14 A large portion of an institution's liabilities may be short term or due on demand, although most of its assets may be invested in long term loans or investments. Accordingly, the institution needs to have in place sources of cash to meet short term demands. These funds can be obtained in cash markets, by borrowing, or by selling assets. Also, the secondary mortgage, repurchase agreement, and Euro-markets have become increasingly important sources of liquidity for banks and savings institutions. However, if an institution resorts to sales of assets or loans to obtain liquidity, immediate losses will be incurred when the effective rates those assets carry are below market rates at the time of sale. Related audit considerations are addressed in chapter 7 of this guide.

5.51 The composition of an institution's deposits also affects liquidity and IRR because large volumes of deposits can be withdrawn over a short period of time. For example, institutions are also subject to reputation risk. If an institution receives adverse publicity, it may have difficulty retaining deposits and, therefore, become dependent on other forms of borrowing at a higher cost of funds. (Chapter 13 of this guide addresses audit considerations for deposits.)

5.52 Asset-quality risk. Financial institutions have generally suffered their most severe losses as a result of the loss of expected cash flows due to loan defaults and inadequate collateral. For example, significant credit losses on real estate loans have occurred, due largely to downturns in regional and national real estate markets, but also because of other general economic conditions and higher-risk lending activities. Chapter 9, "Credit Losses," of this guide addresses credit losses.

5.53 Other financial assets are subject to other impairment issues—similar to credit quality—that involve subjective determinations. For example, increased prepayments of principal during periods of falling interest rates have a significant impact on the economic value of assets such as mortgage servicing rights.

5.54 Auditors who audit financial statements of financial institutions should give particular attention to the assessment of impairment of financial assets. The auditor should focus on the methods used, assumptions made, and conclusions reached by management (and outside specialists relied on by management, such as appraisers) in assessing impairment of financial assets. Practical guidance is provided in subsequent chapters.

5.55 Fiduciary risk. Many financial institutions' activities involve custody of financial assets, management of such assets, or both. Fiduciary responsibilities are the focus of activities such as servicing the collateral behind asset-backed securities, managing mutual funds, and administering trusts. These activities expose the institution to the risk of loss arising from failure to properly process transactions or handle the related assets on behalf of third parties. Related audit considerations are addressed in subsequent chapters.

5.56 Processing risk. Large volumes of transactions must be processed by most financial institutions, generally over short periods of time. Demands placed on both computerized and manual systems can be great. These demands increase the risk that the accuracy and timeliness of related information could be impaired.

5.57 Financial institutions utilize information systems to process large volumes of transactions (for example, arising from banks’ electronic funds transfer and check processing operations) on an accurate and timely basis. Related considerations are discussed in subsequent chapters.

The Entity’s Internal Control15, 16

5.58 As explained in paragraph .A44 of AU-C section 315, the way in which internal control is designed, implemented, and maintained varies with an entity’s size and complexity. The assets of financial institutions generally are more negotiable and more liquid than those of other entities. As a result, they may be subject to greater risk of loss. In addition, the operations of financial institutions are characterized by a high volume of transactions; as a result, the effectiveness of internal control is a significant audit consideration.

5.59 Paragraphs .13–.14 of AU-C section 315 state that the auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. When obtaining an understanding of controls that are relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity’s personnel. Paragraph .A42 of AU-C section 315 further explains that an understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect the risks of material misstatement and in designing the nature, timing, and extent of further audit procedures.

5.60 Purpose of internal control. Paragraph .A44 of AU-C section 315 explains that internal control is designed, implemented, and maintained to address identified business risks that threaten the achievement of any of the entity's objectives that concern (a) the reliability of the entity’s financial reporting, (b) the effectiveness and efficiency of its operations, and (c) its compliance with applicable laws and regulations.

5.61 Division of internal control. For purposes of GAAS, internal control is divided into the following five components:

  a. Control environment sets the tone of an institution, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  b. Risk assessment is the institution's identification, analysis, and management of risks relevant to the preparation and fair presentation of financial statements.
  c. Information system, including the related business processes relevant to financial reporting and communication, consists of the procedures and records designed and established to

     i. initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity;

     ii. resolve incorrect processing of transactions (for example, automated suspense files and procedures followed to clear suspense items out on a timely basis);

     iii. process and account for system overrides or bypasses to controls;

     iv. transfer information from transaction processing systems to the general ledger;

     v. capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of accounts receivables; and

     vi. ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements.

  d. Control activities are the policies and procedures that help ensure management directives are carried out.
  e. Monitoring is a process that assesses the quality of internal control performance over time.

Audit requirements and application guidance related to the preceding components can be found in paragraphs .15–.25 and .A71–.A107, respectively, of AU-C section 315.

5.62 Controls relevant to the audit. Paragraphs .A61–.A62 of AU-C section 315 state a direct relationship exists between an entity’s objectives and the controls it implements to provide reasonable assurance about their achievement. The entity’s objectives and, therefore, controls relate to financial reporting, operations, and compliance; however, not all of these objectives and controls are relevant to the auditor’s risk assessment. Factors relevant to the auditor’s professional judgment about whether a control, individually or in combination with others, is relevant to the audit may include such matters as the following:

  • Materiality
  • The significance of the related risk
  • The institution's size
  • The nature of the institution's business, including its organization and ownership characteristics
  • The diversity and complexity of the institution's operations
  • Applicable legal and regulatory requirements
  • The circumstances and the applicable component of internal control
  • The nature and complexity of the systems that are part of the institution’s internal control, including the use of service organizations
  • Whether and how a specific control, individually or in combination with other controls, prevents, or detects and corrects, material misstatements

5.63 Paragraph .A64 of AU-C section 315 states that the controls relating to operations and compliance objectives also may be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures. For example, controls pertaining to nonfinancial data that the auditor may use in analytical procedures, such as production statistics, or controls pertaining to detecting noncompliance with laws and regulations that may have a direct effect on the determination of material amounts and disclosures in the financial statements, such as compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.

5.64 IT considerations. Financial institutions’ operations are characterized by large volumes of transactions and, therefore, generally rely heavily on computers. AU-C section 315 establishes standards and provides guidance for auditors who have been engaged to audit an entity's financial statements when significant information is transmitted, processed, maintained, or accessed electronically.

Considerations for Audits Performed in Accordance With PCAOB Standards17

PCAOB Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.11), highlights certain requirements of the auditing standards of the PCAOB in aspects of audits of internal control over financial reporting in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports. Among other topics, the alert specifically addresses PCAOB standards regarding the consideration of IT in audits of internal control, including when testing controls that use system-generated data and reports and evaluating deficiencies in IT general controls.

5.65 Paragraph .A54 of AU-C section 315 states that an entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. The auditor might consider matters such as

  • the extent that information technology is used for significant accounting applications;
  • the complexity of the institution's information technology, including whether outside service organizations are used;
  • the organizational structure for information technology, including the extent that online terminals and networks are used;
  • the physical security controls over computer equipment;
  • controls over information technology (for example, program changes and access to data files), operations, and systems;
  • the availability of data; and
  • the use of information technology assisted audit techniques to increase the efficiency and effectiveness of performing procedures. (Using information technology assisted audit techniques may also provide the auditor with an opportunity to apply certain procedures to an entire population of accounts or transactions. In addition, in some accounting systems, it may be difficult or impossible for the auditor to analyze certain data or test specific control procedures without information technology assistance.)

5.66 Some of the accounting data and corroborating audit evidence may be available only in electronic form. For example, entities may use electronic data interchange or image processing systems. In image processing systems, documents are scanned and converted into electronic images to facilitate storage and reference, and the source documents may not be retained after conversion. Certain electronic evidence may exist at a certain point in time. However, such evidence may not be retrievable after a specified period of time if files are changed and if backup files do not exist. Therefore, the auditor might consider the time during which information exists or is available in determining the nature, timing, and extent of his or her substantive tests and, if applicable, tests of controls.

5.67 Information technology may be performed solely by the institution, shared with others, or provided by an independent organization supplying specific data processing services for a fee. AU-C section 402, Audit Considerations Relating to an Entity Using a Service Organization (AICPA, Professional Standards), addresses the user auditor’s responsibility when auditing the financial statements of entities that obtain services that are part of its information system from another organization (see further discussion in paragraphs 5.120–.122).

5.68 The auditor should consider whether specialized skills are needed to consider the effect of information technology on the audit, to understand the internal control, or to design and perform audit procedures. If specialized skills are needed, the auditor should seek the assistance of someone possessing such skills who may be either on the audit staff or an outside professional. If the use of such a professional is planned, the auditor should have sufficient information technology related knowledge to communicate the desired objectives to the information technology professional, to evaluate whether the specific procedures will meet the auditor's objectives, and to evaluate the results of the procedures applied as they relate to the nature, timing, and extent of other planned audit procedures.18

5.69 System upgrades, conversions, and changes in technology have occurred with increasing frequency in the industry to accommodate the many changes in the nature and complexity of products and services offered, ongoing changes in accounting rules, continually evolving regulations, and mergers and acquisitions. A number of system changes may affect internal control. For example, merging institutions with incompatible computer systems can have a significant negative impact on the surviving institution's internal control. In addition to obtaining the understanding of ongoing or planned changes in processing controls that is necessary to plan the audit, the auditor may find it necessary to consider the effect of system changes on

  a. controls over the accurate conversion of data to new or upgraded systems;
  b. the effectiveness of data provided to perform analyses, such as those of the institution's performance versus its plan for asset-liability management; and
  c. the adequacy of the institution's disaster recovery plan and system.

5.70 Communication with those charged with governance. AU-C section 260, The Auditor’s Communication With Those Charged With Governance (AICPA, Professional Standards), addresses the auditor’s responsibility to communicate with those charged with governance in an audit of financial statements. Although this section applies regardless of an entity’s governance structure or size, particular considerations apply when all of those charged with governance are involved in managing an entity. This section does not establish requirements regarding the auditor’s communication with an entity’s management or owners unless they are also charged with a governance role.

5.71 AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards), addresses the auditor’s responsibility to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements. In particular, AU-C section 265

  • defines the terms deficiency in internal control, significant deficiency, and material weakness.
  • provides guidance on evaluating the severity of deficiencies in internal control identified in an audit of financial statements.
  • requires the auditor to communicate, in writing, to management and those charged with governance significant deficiencies and material weaknesses identified in an audit.

5.72 Paragraphs .11–.13 of AU-C section 265 state that the auditor should communicate in writing to those charged with governance on a timely basis significant deficiencies and material weaknesses identified during the audit, including those that were remediated during the audit. The auditor also should communicate to management at an appropriate level of responsibility, on a timely basis

  a. in writing, significant deficiencies and material weaknesses that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances.
  b. in writing or orally, other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention. If other deficiencies in internal control are communicated orally, the auditor should document the communication.

The communication referred to should be made no later than 60 days following the report release date. However, paragraph .A15 of AU-C section 265 further explains that the communication is best made by the report release date because receipt of such communication may be an important factor in enabling those charged with governance to discharge their oversight responsibilities.

5.73 In accordance with paragraph .03 of AU-C section 265, nothing in AU-C section 265 precludes the auditor from communicating to those charged with governance or management other internal control matters that the auditor has identified during the audit.

5.74 The appendix, "Examples of Circumstances That May Be Deficiencies, Significant Deficiencies, or Material Weaknesses," of AU-C section 265 includes examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses.

5.75 AU-C section 265 is not applicable if the auditor is engaged to perform an audit of internal control over financial reporting that is integrated with an audit of financial statements. In such circumstances, AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards), applies.

Risk Assessment and the Design of Further Audit Procedures

5.76 As discussed in paragraph 5.25, risk assessment procedures allow the auditor to gather the information necessary to obtain an understanding of the entity and its environment including its internal control. This knowledge provides a basis for assessing the risks of material misstatement of the financial statements. These risk assessments are then used to design further audit procedures, such as tests of controls and substantive tests. This section provides guidance on assessing the risks of material misstatement and how to design further audit procedures that effectively respond to those risks.

Identifying and Assessing the Risks of Material Misstatement

5.77 To provide a basis for designing and performing further audit procedures, paragraphs .26–.27 of AU-C section 315 state that the auditor should identify and assess the risks of material misstatement at the financial statement level and at the relevant assertion level for classes of transactions, account balances, and disclosures. For this purpose, the auditor should

  a. identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, by considering the classes of transactions, account balances, and disclosures in the financial statements (see further discussion in paragraph 5.79);
  b. assess the identified risks and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;
  c. relate the identified risks to what can go wrong at the relevant assertion level, taking account of relevant controls that the auditor intends to test; and
  d. consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.

5.78 Paragraph .A108 of AU-C section 315 explains that the risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of this nature are not necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level. Rather, they represent circumstances that may increase the risks of material misstatement at the assertion level (for example, through management override of internal control). Financial statement level risks may be especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud.

5.79 Process of identifying risks of material misstatement. Paragraph .A120 of AU-C section 315 explains that information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, is used as audit evidence to support the risk assessment. The risk assessment determines the nature, timing, and extent of further audit procedures to be performed.

Risks That Require Special Audit Consideration

5.80 Paragraphs .28–.29 of AU-C section 315 state that as part of the risk assessment described in paragraph .26 of AU-C section 315 (see paragraph 5.77), the auditor should determine whether any of the risks identified are, in the auditor’s professional judgment, a significant risk. In exercising this judgment, the auditor should exclude the effects of identified controls related to the risk. In addition, the auditor should consider at least

  a. whether the risk is a risk of fraud;
  b. whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention;
  c. the complexity of transactions;
  d. whether the risk involves significant transactions with related parties;
  e. the degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
  f. whether the risk involves significant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual.

5.81 If the auditor has determined that a significant risk exists, paragraph .30 of AU-C section 315 states that the auditor should obtain an understanding of the entity’s controls, including control activities, relevant to that risk and, based on that understanding, evaluate whether such controls have been suitably designed and implemented to mitigate such risks. See paragraphs 5.90 and 5.93 for discussion of further audit procedures pertaining to significant risks.

Designing and Performing Further Audit Procedures

5.82 AU-C section 330 addresses the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with AU-C section 315 and to evaluate the audit evidence obtained in an audit of financial statements.

Overall Responses

5.83 Paragraph .05 of AU-C section 330 states that the auditor should design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. Paragraph .A1 of AU-C section 330 states that overall responses to address the assessed risks of material misstatement at the financial statement level may include emphasizing to the audit team the need to maintain professional skepticism, assigning more experienced staff or those with specialized skills or using specialists, providing more supervision, incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, or making general changes to the nature, timing, or extent of further audit procedures (for example, performing substantive procedures at period end instead of at an interim date or modifying the nature of audit procedures to obtain more persuasive audit evidence). Financial institutions are subject to certain risks that are less prevalent in commercial, industrial, and other nonfinancial businesses, and they operate in a particularly volatile and highly regulated environment. Accordingly, the auditor might design appropriate overall responses to that higher risk with personnel who have appropriate relevant experience and provide more extensive supervision. See paragraphs 5.06–.09 for more guidance regarding the auditor’s overall responses to audit risk.

5.84 Paragraphs .A2–.A3 of AU-C section 330 go on to explain that the assessment of the risks of material misstatement at the financial statement level and, thereby, the auditor’s overall responses are affected by the auditor’s understanding of the control environment. An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and, thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period-end. Deficiencies in the control environment, however, have the opposite effect (for example, the auditor may respond to an ineffective control environment by

  • conducting more audit procedures as of the period-end rather than at an interim date,
  • obtaining more extensive audit evidence from substantive procedures, and
  • increasing the number of locations to be included in the audit scope).

Such considerations, therefore, have a significant bearing on the auditor’s general approach (for example, an emphasis on substantive procedures [substantive approach] or an approach that uses tests of controls as well as substantive procedures [combined approach]).

Further Audit Procedures

5.85 Further audit procedures provide important audit evidence to support an audit opinion. These procedures consist of tests of controls and substantive tests. Paragraph .06 of AU-C section 330 states that the auditor should design and perform further audit procedures whose nature, timing, and extent are based on, and are responsive to, the assessed risks of material misstatement at the relevant assertion level.

5.86 In designing the further audit procedures to be performed, paragraph .07 of AU-C section 330 states that the auditor should

  a. consider the reasons for the assessed risk of material misstatement at the relevant assertion level for each class of transactions, account balance, and disclosure, including

    i. the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (the inherent risk) and

    ii. whether the risk assessment takes account of relevant controls (the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures), and

  b. obtain more persuasive audit evidence the higher the auditor’s assessment of risk.

5.87 Tests of controls. In accordance with paragraph .08 of AU-C section 330, the auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if (a) the auditor’s assessment of risks of material misstatement at the relevant assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures)19 or (b) when substantive procedures alone cannot provide sufficient appropriate audit evidence at the relevant assertion level. In accordance with paragraph .A21 of AU-C section 330, tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in a relevant assertion. If substantially different controls were used at different times during the period under audit, each is considered separately.

5.88 Paragraph .A22 of AU-C section 330 states that testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the design and implementation of controls. However, the same types of audit procedures are used. The auditor may, therefore, decide it is efficient to test the operating effectiveness of controls at the same time the auditor is evaluating their design and determining that they have been implemented.

5.89 Paragraph .A23 of AU-C section 330 states that although some risk assessment procedures may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls.

5.90 Timing of tests of controls over significant risks. One or more significant risks normally arise on most audits.20 Paragraph .15 of AU-C section 330 states that if the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor should test the operating effectiveness of those controls in the current period.

5.91 Substantive procedures. Irrespective of the assessed risks of material misstatement, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure, in accordance with paragraph .18 of AU-C section 330.

5.92 Paragraph .21 of AU-C section 330 states that the auditor’s substantive procedures should include audit procedures related to the financial statement closing process, such as

  • agreeing or reconciling the financial statements with the underlying accounting records and
  • examining material journal entries and other adjustments made during the course of preparing the financial statements.

Paragraph .A57 of AU-C section 330 states that the nature and extent of the auditor’s examination of journal entries and other adjustments depends on the nature and complexity of the entity’s financial reporting process and the related risks of material misstatement.

5.93 Substantive procedures responsive to significant risks. If the auditor has determined that an assessed risk of material misstatement at the relevant assertion level is a significant risk, paragraph .22 of AU-C section 330 states that the auditor should perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures should include tests of details.

5.94 Substantive analytical procedures. AU-C section 520, Analytical Procedures (AICPA, Professional Standards), addresses the auditor’s use of analytical procedures as substantive procedures (substantive analytical procedures). It also addresses the auditor’s responsibility to perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion on the financial statements.

5.95 As explained in paragraphs .A2–.A3 of AU-C section 520, analytical procedures include the consideration of comparisons of the entity’s financial information with, for example, comparable information for prior periods, anticipated results of the entity (such as budgets or forecasts) or expectations of the auditor, or similar industry information. Analytical procedures also include consideration of relationships, such as those among elements of financial information that would be expected to conform to a predictable pattern based on recent history of the entity and industry, or those between financial information and relevant nonfinancial information (such as payroll costs to number of employees). When designing and performing analytical procedures, either alone or in combination with tests of details, as substantive procedures, paragraph .05 of AU-C section 520 states that the auditor should

  a. determine the suitability of particular substantive analytical procedures for given assertions, taking into account the assessed risks of material misstatement and tests of details, if any, for these assertions;
  b. evaluate the reliability of data from which the auditor’s expectation of recorded amounts or ratios is developed, taking into account the source, comparability, and nature and relevance of information available and controls over preparation;
  c. develop an expectation of recorded amounts or ratios and evaluate whether the expectation is sufficiently precise (taking into account whether substantive analytical procedures are to be performed alone or in combination with tests of details) to identify a misstatement that, individually or when aggregated with other misstatements, may cause the financial statements to be materially misstated; and
  d. determine the amount of any difference of recorded amounts from expected values that is acceptable without further investigation and compare the recorded amounts, or ratios developed from recorded amounts, with the expectations.

5.96 Paragraphs .A13–.A14 of AU-C section 520 explain that different types of analytical procedures provide different levels of assurance. The determination of the suitability of particular substantive analytical procedures is influenced by the nature of the assertion and the auditor’s assessment of the risk of material misstatement. Paragraph .A8 of AU-C section 520 states that the effectiveness and efficiency of a substantive analytical procedure in addressing risks of material misstatement depends on, among other things, (a) the nature of the assertion, (b) the plausibility and predictability of the relationship, (c) the availability and reliability of the data used to develop the expectation, and (d) the precision of the expectation. For this reason, substantive analytical procedures alone are not well suited to detecting fraud. In addition, paragraph .A19 of AU-C section 520 notes that the auditor may consider testing the operating effectiveness of controls, if any, over the entity’s preparation of information used by the auditor in performing the substantive analytical procedures in response to assessed risks. When such controls are effective, the auditor may have greater confidence in the reliability of the information and, therefore, in the results of analytical procedures. The operating effectiveness of controls over nonfinancial information may often be tested in conjunction with other tests of controls.

5.97 Paragraph .08 of AU-C section 520 states that when substantive analytical procedures have been performed, the auditor should include in the audit documentation the following:

  a. The expectation referred to in paragraph .05c of AU-C section 520 (see paragraph 5.95c) and the factors considered in its development when that expectation or those factors are not otherwise readily determinable from the audit documentation
  b. Results of the comparison referred to in paragraph .05d of AU-C section 520 (see paragraph 5.95d) of the recorded amounts, or ratios developed from recorded amounts, with the expectations
  c. Any additional auditing procedures performed in accordance with paragraph .07 of AU-C section 520 relating to the investigation of fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount and the results of such additional procedures

Evaluating the Sufficiency and Appropriateness of Audit Evidence

5.98 Paragraph .28 of AU-C section 330 states the auditor should conclude whether sufficient appropriate audit evidence has been obtained. In forming a conclusion, the auditor should consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the relevant assertions in the financial statements.

Evaluation of Misstatements Identified During the Audit

5.99 Based on the results of substantive procedures, the auditor may identify misstatements in accounts or notes to the financial statements. AU-C section 450 addresses the auditor’s responsibility to evaluate the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements. Paragraphs .05–.12 of AU-C section 450 address specific requirements the auditor should perform in relation to accumulation of identified misstatements, consideration of identified misstatements as the audit progresses, communication and correction of misstatements, evaluating the effect of uncorrected misstatements,21 and documentation.

5.100 The circumstances related to some misstatements may cause the auditor to evaluate them as material, individually or when considered together with other misstatements accumulated during the audit, even if they are below the materiality threshold for the financial statements as a whole. For example, a loan made to a related party of an otherwise immaterial amount could be material if there is a reasonable possibility that it could lead to a material contingent liability or a material loss of revenue. Paragraph .A23 of AU-C section 450 provides circumstances that the auditor may consider relevant in determining whether misstatements are material.

5.101 AU-C section 700 addresses the auditor’s responsibility in forming an opinion on the financial statements based on the evaluation of the audit evidence obtained. The auditor’s conclusion, required by AU-C section 700, takes into account the auditor’s evaluation of uncorrected misstatements, if any, on the financial statements, in accordance with AU-C section 450.

Audit Documentation

5.102 AU-C section 230, Audit Documentation (AICPA, Professional Standards), addresses the auditor’s responsibility to prepare audit documentation for an audit of financial statements. The exhibit, "Audit Documentation Requirements in Other AU-C Sections," (see paragraph .A30 of AU-C section 230) lists other AU-C sections that contain specific documentation requirements and guidance. The specific documentation requirements of other AU-C sections do not limit the application of AU-C section 230. Law, regulation, or other standards may establish additional documentation requirements.

5.103 Paragraph .02 of AU-C section 230 states that audit documentation that meets the requirements of AU-C section 230 and the specific documentation requirements of other relevant AU-C sections provides

  a. evidence of the auditor’s basis for a conclusion about the achievement of the overall objectives of the auditor;22 and
  b. evidence that the audit was planned and performed in accordance with GAAS and applicable legal and regulatory requirements.

5.104 For purposes of GAAS, audit documentation, as defined in paragraph .06 of AU-C section 230, is the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached (terms such as working papers or workpapers are also sometimes used).

Timely Preparation of Audit Documentation

5.105 Paragraph .07 of AU-C section 230 states that the auditor should prepare audit documentation on a timely basis. Paragraph .A3 of AU-C section 230 further explains that preparing sufficient and appropriate audit documentation on a timely basis throughout the audit helps to enhance the quality of the audit and facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditor’s report is finalized. Documentation prepared at the time such work is performed or shortly thereafter is likely to be more accurate than documentation prepared at a much later time.23

Documentation of the Audit Procedures Performed and Audit Evidence Obtained

5.106 Paragraphs .08–.12 of AU-C section 230 address the auditor’s responsibilities regarding documentation of the audit procedures performed and audit evidence obtained including form, content, and extent of audit documentation. In accordance with paragraph .08 of AU-C section 230, the auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand

  a. the nature, timing, and extent of the audit procedures performed to comply with GAAS and applicable legal and regulatory requirements; (Readers can find additional application and explanatory material in paragraphs .A8–.A9 of AU-C section 230.)
  b. the results of the audit procedures performed, and the audit evidence obtained; and
  c. significant findings or issues arising during the audit, the conclusions reached thereon, and significant professional judgments made in reaching those conclusions. (Readers can find additional application and explanatory material in paragraphs .A10–.A13 of AU-C section 230.)

As stated in paragraph .A5 of AU-C section 230, examples of audit documentation include audit plans, analyses, issues memorandums, summaries of significant findings or issues, letters of confirmation and representation, checklists, and correspondence (including e-mail) concerning significant findings or issues.

5.107 For audit procedures related to the inspection of significant contracts or agreements, paragraph .10 of AU-C section 230 states that the auditor should include abstracts or copies of those contracts or agreements in the audit documentation.

5.108 In addition to the requirements discussed previously, paragraphs .13–.14 of AU-C section 230 address further documentation requirements about departures from relevant requirements and matters arising after the date of the auditor’s report.

Assembly and Retention of the Final Audit File

5.109 Paragraphs .15–.19 of AU-C section 230 address an auditor’s responsibilities regarding assembly and retention of the final audit file. Paragraph .16 of AU-C section 230 states that the auditor should assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis, no later than 60 days following the report release date. After the documentation completion date, paragraph .17 of AU-C section 230 prohibits the auditor from deleting or discarding audit documentation of any nature before the end of the specified retention period. If it is necessary to modify existing audit documentation or add new audit documentation after the documentation completion date, paragraph .18 of AU-C section 230 requires the auditor to document the specific reasons for making the changes and when and by whom the changes were made and reviewed.

Using the Work of an Auditor’s Specialist

5.110 AU-C section 620, Using the Work of an Auditor’s Specialist (AICPA, Professional Standards), addresses the auditor’s responsibilities relating to the work of an individual or organization possessing expertise in a field other than accounting or auditing when that work is used to assist the auditor in obtaining sufficient appropriate audit evidence (defined as an auditor’s specialist for purposes of GAAS). An auditor’s specialist may be either an internal specialist (who is a partner or staff, including temporary staff, of the auditor’s firm or a network firm) or an external specialist.

5.111 AU-C section 620 does not address

  • situations in which the engagement team includes a member or consults an individual or organization with expertise in a specialized area of accounting or auditing, which are addressed in AU-C section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards), and AU-C section 300,24, 25 or
  • auditor’s use of the work of an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements (a management’s specialist), which is addressed in AU-C section 500, Audit Evidence (AICPA, Professional Standards).26

5.112 In accordance with AU-C section 620, the objectives of the auditor are (a) to determine whether to use the work of an auditor’s specialist and (b) if using the work of an auditor’s specialist, to determine whether that work is adequate for the auditor’s purposes. In reaching these objectives, the auditor should

  • determine the need for an auditor’s specialist if expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence.
  • evaluate the competence, capabilities, and objectivity of the auditor’s specialist.
  • obtain a sufficient understanding of the field of expertise of the auditor’s specialist to enable the auditor to (a) determine the nature, scope, and objectives of the work of the auditor’s specialist for the auditor’s purposes and (b) evaluate the adequacy of that work for the auditor’s purposes.

5.113 Paragraph .09 of AU-C section 620 states that the auditor should evaluate whether the auditor’s specialist has the necessary competence, capabilities, and objectivity for the auditor’s purposes.

5.114 AU-C section 620 does not preclude the auditor from using a specialist who has a relationship with the client, including situations where the client has the ability to directly or indirectly control or significantly influence the specialist. However, paragraph .09 of AU-C section 620 states that, in the case of an auditor’s external specialist, the evaluation of objectivity should include inquiry regarding interests and relationships that may create a threat to the objectivity of the auditor’s specialist. If the auditor believes that a relationship between the entity and the auditor’s specialist might impair the objectivity of the auditor’s specialist, paragraph .A22 of AU-C section 620 states that the auditor may perform additional procedures with respect to some or all of the assumptions, methods, or findings of the auditor’s specialist to determine that the findings are reasonable or may engage another specialist for that purpose.

5.115 Paragraph .10 of AU-C section 620 states that the auditor should obtain a sufficient understanding of the field of expertise of the auditor’s specialist to enable the auditor to

  • determine the nature, scope, and objectives of the work of the auditor’s specialist for the auditor’s purposes and
  • evaluate the adequacy of that work for the auditor’s purposes.

Using the Work of a Management’s Specialist

5.116 AU-C section 500 addresses the auditor’s use of the work of an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements (defined as a management’s specialist).

5.117 Information regarding the competence, capabilities, and objectivity of a management’s specialist may come from a variety of sources, such as knowledge of that specialist’s qualifications, membership in a professional body or industry association, license to practice, or other forms of external recognition (a listing of additional sources is addressed in paragraph .A39 of AU-C section 500). For example, if the auditor is using an appraisal of commercial real estate values in connection with the audit of financial statements, he or she should evaluate the appraiser's professional qualifications and his or her experience with commercial real estate. Further application and explanatory material regarding the reliability of information produced by a management’s specialist is addressed in paragraphs .A35–.A49 of AU-C section 500.

5.118 In a number of cases, the specialist's work may have been prepared for another purpose (such as an appraiser's report prepared for a loan origination). If information to be used as audit evidence has been prepared using the work of a management’s specialist, paragraph .08 of AU-C section 500 states that the auditor should, to the extent necessary, taking into account the significance of that specialist’s work for the auditor’s purposes,

  a. evaluate the competence, capabilities, and objectivity of that specialist;
  b. obtain an understanding of the work of that specialist; and
  c. evaluate the appropriateness of that specialist’s work as audit evidence for the relevant assertion.

Furthermore, paragraph .17 of Interpretation No. 1, "The Use of Legal Interpretations As Audit Evidence to Support Management’s Assertion That a Transfer of Financial Assets Has Met the Isolation Criterion in Paragraphs 7–14 of Financial Accounting Standards Board Accounting Standards Codification 860-10-40" (AICPA, Professional Standards, AU-C sec. 9620 par. .01–.21), of AU-C section 620 states that, in some cases, the auditor may decide it necessary to contact the specialist to determine that the specialist is aware that his or her work will be used for evaluating the assertions in the financial statements.

5.119 The Audit Issues Task Force of the Auditing Standards Board issued Interpretation No. 1 of AU-C section 620.27 The guidance relates to examples of legal opinions that auditors will need to obtain and review with regard to transfers of financial assets by banks subject to receivership or conservatorship under provisions of the Federal Deposit Insurance Act (FDI Act). This interpretation is for auditing procedures related to transfers of financial assets that are accounted for under FASB ASC 860, Transfers and Servicing.

Processing of Transactions by Service Organizations

5.120 AU-C section 402 addresses the user auditor’s responsibility for obtaining sufficient appropriate audit evidence in an audit of the financial statements of a user entity that uses one or more service organizations (for example, using a mortgage banker to service mortgages). Specifically, it expands on how the user auditor applies AU-C sections 315 and 330 in obtaining an understanding of the user entity, including internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks.

5.121 Paragraphs .03–.05 of AU-C section 402 state that services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

  a. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
  b. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
  c. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
  d. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
  e. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
  f. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.

5.122 AU-C section 402 does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability). In addition, AU-C section 402 does not apply to the audit of transactions arising from an entity that holds a proprietary financial interest in another entity, such as a partnership, corporation, or joint venture, when the partnership, corporation, or joint venture performs no processing on behalf of the entity.

Consideration of Fraud in a Financial Statement Audit28

5.123 AU-C section 240 addresses the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how AU-C sections 315 and 330 are to be applied regarding risks of material misstatement due to fraud.

5.124 Although fraud is a broad legal concept, for the purposes of GAAS, the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. In accordance with paragraph .03 of AU-C section 240, two types of intentional misstatements are relevant to the auditor:

  • Misstatements resulting from fraudulent financial reporting
  • Misstatements resulting from misappropriation of assets

Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred.

5.125 Paragraph .A1 of AU-C section 240 states that fraud, whether fraudulent financial reporting or misappropriation of assets, involves incentive or pressure to commit fraud, a perceived opportunity to do so, and some rationalization of the act.

Professional Skepticism

5.126 Consistent with paragraph .15 of AU-C section 200, paragraph .12 of AU-C section 240 states that the auditor should maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance.

5.127 Paragraphs .A9–.A10 of AU-C section 240 state that maintaining professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud may exist. It includes considering the reliability of the information to be used as audit evidence and the controls over its preparation and maintenance when relevant. Although the auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance, the auditor’s professional skepticism is particularly important in considering the risk of material misstatement due to fraud because there may have been changes in circumstances.

5.128 When responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), paragraph .14 of AU-C section 240 states that the auditor should further investigate the inconsistencies or unsatisfactory responses.

Discussion Among the Engagement Team

5.129 AU-C section 315 requires a discussion among the key engagement team members (see detailed discussion at paragraph 5.31). Paragraph .15 of AU-C section 240 states this discussion should include an exchange of ideas or brainstorming among the engagement team members about how and where the entity’s financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. The discussion should occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity, and should, in particular, also address

  a. known external and internal factors affecting the entity that may create an incentive or pressure for management or others to commit fraud, provide the opportunity for fraud to be perpetrated, and indicate a culture or environment that enables management or others to rationalize committing fraud;
  b. the risk of management override of controls;
  c. consideration of circumstances that might be indicative of earnings management or manipulation of other financial measures and the practices that might be followed by management to manage earnings or other financial measures that could lead to fraudulent financial reporting;
  d. the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement due to fraud; and
  e. how the auditor might respond to the susceptibility of the entity’s financial statements to material misstatement due to fraud.

Communication among the engagement team members about the risks of material misstatement due to fraud should continue throughout the audit, particularly upon discovery of new facts during the audit.

5.130 Paragraph .A12 of AU-C section 240 states that discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud with the engagement team

  • provides an opportunity for more experienced engagement team members to share their insights about how and where the financial statements may be susceptible to material misstatement due to fraud.
  • enables the auditor to consider an appropriate response to such susceptibility and to determine which members of the engagement team will conduct certain audit procedures.
  • permits the auditor to determine how the results of audit procedures will be shared among the engagement team and how to deal with any allegations of fraud that may come to the auditor’s attention during the audit.

5.131 In addition, paragraph .A13 of AU-C section 240 states the discussion may include the following matters:

  • A consideration of management’s involvement in overseeing employees with access to cash or other assets susceptible to misappropriation
  • A consideration of any unusual or unexplained changes in behavior or lifestyle of management or employees that have come to the attention of the engagement team
  • A consideration of the types of circumstances that, if encountered, might indicate the possibility of fraud
  • A consideration of how an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed
  • A consideration of the audit procedures that might be selected to respond to the susceptibility of the entity’s financial statements to material misstatement due to fraud and whether certain types of audit procedures are more effective than others
  • A consideration of any allegations of fraud that have come to the auditor’s attention

A number of factors may influence the extent of the discussion and how it may occur. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. Another factor in planning the discussions is whether to include specialists assigned to the audit team.

5.132 Exhibit 5-1, "Fraud Risk Factors," which appears at the end of this chapter, contains a list of fraud risk factors that auditors may consider as part of their planning and audit procedures. The purpose is for audit team members to communicate and share information obtained throughout the audit that may affect the assessment of the risks of material misstatement due to fraud or error or the audit procedures performed to address the risks.

Risk Assessment Procedures and Related Activities

5.133 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity’s internal control, required by AU-C section 315, paragraph .16 of AU-C section 240 states that the auditor should perform the procedures in paragraphs .17–.24 of AU-C section 240 to obtain information for use in identifying the risk of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures:

  a. Hold fraud discussions with management, others within the entity, and those charged with governance (unless all those charged with governance are involved in managing the entity). See specific inquiries the auditor should make in paragraphs .17–.19 and .21 of AU-C section 240.
  b. Obtain an understanding of how those charged with governance exercise oversight of management’s process for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks, unless all those charged with governance are involved in managing the entity. (See paragraphs .20 and .A21–.A23 of AU-C section 240.)
  c. Evaluate whether unusual or unexpected relationships that have been identified (based on analytical procedures performed as part of risk assessment procedures) indicate risks of material misstatement due to fraud. (See paragraphs .22, .A24–.A26, and .A46 of AU-C section 240.)
  d. Consider whether other information obtained by the auditor indicates risks of material misstatement due to fraud. (See further application guidance in paragraph .A27 of AU-C section 240.)
  e. Evaluate whether the information obtained from the risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present. (See paragraphs .24 and .A28–.A32 of AU-C section 240.)

Evaluation of Fraud Risk Factors

5.134 As indicated in paragraph 5.133e, the auditor may identify events or conditions that indicate incentives and pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes and rationalizations to justify a fraudulent action. Such events or conditions are referred to as fraud risk factors. Although fraud risk factors may not necessarily indicate the existence of fraud, paragraph .24 of AU-C section 240 states that they have often been present in circumstances in which frauds have occurred and, therefore, may indicate risks of material misstatement due to fraud.

5.135 Paragraph .A31 of AU-C section 240 states that the size, complexity, and ownership characteristics of the entity have a significant influence on the consideration of relevant fraud risk factors. Additional fraud risk factor considerations on large and smaller, less complex entities can be found in paragraphs .A31–.A32 of AU-C section 240.

5.136 Appendix A, "Examples of Fraud Risk Factors," of AU-C section 240 identifies examples of fraud risk factors that may be faced by auditors in a broad range of situations. Exhibit 5-1 at the end of this chapter contains a list of fraud risk factors specific to financial institutions. Remember that fraud risk factors are only one of several sources of information an auditor considers when identifying and assessing risks of material misstatement due to fraud.

Identification and Assessment of the Risks of Material Misstatement Due to Fraud

5.137 In accordance with AU-C section 315, paragraph .25 of AU-C section 240 states that the auditor should identify and assess the risks of material misstatement due to fraud at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.29 The auditor’s risk assessment should be ongoing throughout the audit, following the initial assessment.

5.138 Paragraph .26 of AU-C section 240 states that when identifying and assessing the risks of material misstatement due to fraud, the auditor should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. Paragraph .46 of AU-C section 240 specifies the documentation required when the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (See paragraphs .A33–.A35 of AU-C section 240 for application guidance of fraud risks in revenue recognition.30)

Considerations for Audits Performed in Accordance With PCAOB Standards31

PCAOB Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.12), highlights certain requirements of PCAOB standards relating to aspects of auditing revenue in which significant auditing deficiencies have been frequently observed by PCAOB Inspections staff. More specifically, the alert addresses, among other topics, responding to the risks of material misstatement due to fraud associated with revenue.

5.139 Paragraph .27 of AU-C section 240 states that the auditor should treat those assessed risks of material misstatement due to fraud as significant risks and, accordingly, to the extent not already done so, the auditor should obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, including the evaluation of whether such controls have been suitably designed and implemented to mitigate such fraud risks. (See paragraphs .A36–.A37 of AU-C section 240 for application guidance on identifying and assessing the risks of material misstatement due to fraud and understanding the entity’s related controls.)

Responses to the Assessed Risks of Material Misstatement Due to Fraud

Overall Responses

5.140 In accordance with AU-C section 330, paragraphs .28–.29 of AU-C section 240 state that the auditor should determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. Accordingly, the auditor should

  a. assign and supervise personnel, taking into account the knowledge, skill and ability of the individuals to be given significant engagement responsibilities and the auditor’s assessment of the risks of material misstatement due to fraud for the engagement;
  b. evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings, or a bias that may create a material misstatement; and
  c. incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.

See paragraphs .A38–.A42 of AU-C section 240 for additional application guidance on overall responses to the assessed risks of material misstatement due to fraud.

Audit Procedures Responsive to Assessed Risks of Material Misstatement Due to Fraud at the Assertion Level

5.141 In accordance with AU-C section 300, paragraph .30 of AU-C section 240 states that the auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level. (See paragraphs .A43–.A46 for further application guidance.)

Audit Procedures Responsive to Risks Related to Management Override of Controls

5.142 Even if specific risks of material misstatement due to fraud are not identified by the auditor, paragraph .32 of AU-C section 240 states that a possibility exists that management override of controls could occur. Accordingly, the auditor should address the risk of management override of controls apart from any conclusions regarding the existence of more specifically identifiable risks by designing and performing audit procedures to

  a. test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparation of the financial statements, including entries posted directly to financial statement drafts,
  b. review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud, and
  c. evaluate, for significant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit, whether the business rationale (or lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets.

5.143 Other audit procedures. Paragraph .33 of AU-C section 240 states that the auditor should determine whether, in order to respond to the identified risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specifically referred to previously (that is, when specific additional risks of management override exist that are not covered as part of the procedures performed to address the requirements in paragraph .32 of AU-C section 240).

Evaluation of Audit Evidence

5.144 Paragraphs .34–.37 and .A56–.A62 of AU-C section 240 provide requirements and application guidance for evaluating audit evidence. As stated in paragraph .34 of AU-C section 240, the auditor should evaluate, at or near the end of the audit, whether the accumulated results of auditing procedures, including analytical procedures, that were performed as substantive tests or when forming an overall conclusion, affect the assessment of the risks of material misstatement due to fraud made earlier in the audit or indicate a previously unrecognized risk of material misstatement due to fraud.

5.145 Paragraph .35 of AU-C section 240 states that, if the auditor identifies a misstatement, the auditor should evaluate whether such a misstatement is indicative of fraud. If such an indication exists, the auditor should evaluate the implications of the misstatement with regard to other aspects of the audit, particularly the auditor's evaluation of materiality, management and employee integrity, and the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence. Furthermore, paragraph .36 of AU-C section 240 states that, if the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is, or may be, the result of fraud and that management (in particular, senior management) is involved, the auditor should reevaluate the assessment of the risks of material misstatement due to fraud and its resulting effect on the nature, timing, and extent of audit procedures to respond to the assessed risks. The auditor should also consider whether circumstances or conditions indicate possible collusion involving employees, management, or third parties when reconsidering the reliability of evidence previously obtained.

5.146 Paragraph .A60 of AU-C section 240 states that the implications of identified fraud depend on the circumstances. For example, an otherwise insignificant fraud may be significant if it involves senior management. In such circumstances, the reliability of evidence previously obtained may be called into question because there may be doubts about the completeness and truthfulness of representations made and genuineness of accounting records and documentation. There may also be a possibility of collusion involving employees, management, or third parties.

5.147 Paragraph .37 of AU-C section 240 states that if the auditor concludes that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the auditor should evaluate the implications for the audit. AU-C sections 450 and 700 address the evaluation and disposition of misstatements and the effect on the auditor’s opinion in the auditor’s report.

Auditor Unable to Continue the Engagement

5.148 Paragraph .38 of AU-C section 240 states that, if, as a result of identified fraud or suspected fraud, the auditor encounters circumstances that bring into question the auditor’s ability to continue performing the audit, the auditor should

  a. determine the professional and legal responsibilities applicable in the circumstances, including whether a requirement exists for the auditor to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities;
  b. consider whether it is appropriate to withdraw from the engagement, when withdrawal is possible under applicable law or regulation; and
  c. if the auditor withdraws
     i. discuss with the appropriate level of management and those charged with governance the auditor’s withdrawal from the engagement and the reasons for the withdrawal, and
     ii. determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities, the auditor’s withdrawal from the engagement and the reasons for the withdrawal.

Given the nature of the circumstances and the need to consider the legal requirements, paragraph .A65 of AU-C section 240 states that the auditor may consider it appropriate to seek legal advice when deciding whether to withdraw from an engagement and in determining an appropriate course of action, including the possibility of reporting to regulators or others.32 For additional application guidance, including examples of circumstances that may arise and bring into question the auditor’s ability to continue performing the audit, see paragraphs .A63–.A65 of AU-C section 240.

Communications to Management and With Those Charged With Governance

5.149 Paragraph .39 of AU-C section 240 states that, if the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor should communicate these matters on a timely basis to the appropriate level of management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. As stated in paragraph .A67 of AU-C section 240, this is true even if the matter might be considered inconsequential (for example, a minor defalcation by an employee at a low level in the entity's organization). Unless all of those charged with governance are involved in managing the entity, paragraphs .40–.41 of AU-C section 240 state that, if the auditor has identified or suspects fraud involving (a) management, (b) employees who have significant roles in internal control, or (c) others, when the fraud results in a material misstatement in the financial statements, the auditor should communicate these matters to those charged with governance on a timely basis. If the auditor suspects fraud involving management, the auditor should communicate these suspicions to those charged with governance and discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit. In addition, the auditor should communicate with those charged with governance any other matters related to fraud that are, in the auditor’s professional judgment, relevant to their responsibilities. See paragraphs .A68–.A71 of AU-C section 240 for further application guidance concerning communications with those charged with governance.

Communications to Regulatory and Enforcement Authorities

5.150 If the auditor has identified or suspects a fraud, paragraph .42 of AU-C section 240 states that the auditor should determine whether the auditor has a responsibility to report the occurrence or suspicion to a party outside the entity. Although the auditor’s professional duty to maintain the confidentiality of client information may preclude such reporting, the auditor’s legal responsibilities may override the duty of confidentiality in some circumstances.

Documentation

5.151 Paragraphs .43–.46 of AU-C section 240 address requirements on certain items and events to be documented by the auditor in relation to assessed risks of material misstatement due to fraud.

Compliance With Laws and Regulations

5.152 AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements (AICPA, Professional Standards), addresses the auditor’s responsibility to consider laws and regulations in an audit of financial statements. However, it does not apply to other assurance engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws and regulations.33

Responsibility for Compliance With Laws and Regulations

Responsibility of Management

5.153 In accordance with paragraph .03 of AU-C section 250, it is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial statements.

Responsibility of the Auditor

5.154 The requirements in AU-C section 250 are designed to assist the auditor in identifying material misstatement of the financial statements due to noncompliance with laws and regulations. However, paragraph .04 of AU-C section 250 recognizes that the auditor is not responsible for preventing noncompliance and cannot be expected to detect noncompliance with all laws and regulations. For purposes of discussion in AU-C section 250, the term noncompliance is defined as acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations.

5.155 The auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error.[34] In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Because of the inherent limitations of an audit, an unavoidable risk exists that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS.[35] In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for the reasons set forth in paragraph .05 of AU-C section 250. Paragraph .05 of AU-C section 250 further states that the further removed noncompliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of, or recognize, the noncompliance.

5.156 Paragraph .06 of AU-C section 250 distinguishes the auditor’s responsibilities regarding compliance with the following two categories of laws and regulations:

  a. The provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements, such as tax and pension laws and regulations (see paragraph 5.157)
  b. The provisions of other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements but compliance with which may be
     i. fundamental to the operating aspects of the business,
     ii. fundamental to an entity’s ability to continue its business, or
     iii. necessary for the entity to avoid material penalties
     (for example, compliance with the terms of an operating license, regulatory solvency requirements, or environmental regulations); therefore, noncompliance with such laws and regulations may have a material effect on the financial statements (see paragraphs 5.158–.160).

The Auditor’s Consideration of Compliance With Laws and Regulations

5.157 Paragraph .A9 of AU-C section 250 states that certain laws and regulations are well established, known to the entity and within the entity’s industry or sector, and relevant to the entity’s financial statements. These laws and regulations generally are directly relevant to the determination of material amounts and disclosures in the financial statements and readily evident to the auditor. They could include those that relate to, for example

  • tax laws affecting accruals and the amount recognized as expense in the accounting period.
  • certain laws and regulations placing limits on the nature or amount of investments that institutions are permitted to hold. Such laws and regulations may affect the classification and valuation of assets.

For such laws and regulations, paragraph .13 of AU-C section 250 states that the auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations (see paragraph 5.156a).

Procedures to Identify Instances of Noncompliance—Other Laws and Regulations

5.158 As discussed in paragraphs .A12–.A14 of AU-C section 250, certain other laws and regulations may need particular attention by the auditor because they have a fundamental effect on the operations of the entity. Noncompliance with laws and regulations that have a fundamental effect on the operations of the entity may cause the entity to cease operations or call into question the entity’s continuance as a going concern (for example, noncompliance with capital or investment requirements).

5.159 In addition, many laws and regulations relating principally to an institution's operating aspects do not directly affect the financial statements (their financial statement effect is indirect) and are not captured by the entity’s information systems relevant to financial reporting. Their indirect effect may result from the need to disclose a contingent liability because of the allegation or determination of identified or suspected noncompliance. Those other laws or regulations may include those related to securities trading, occupational safety and health, food and drug administration, environmental protection, equal employment opportunities, and price-fixing or other antitrust violations.

5.160 For such other laws and regulations, paragraph .14 of AU-C section 250 states that the auditor should perform the following audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph 5.156b):

  a. Inquiring of management and, when appropriate, those charged with governance about whether the entity is in compliance with such laws and regulations
  b. Inspecting correspondence, if any, with the relevant licensing or regulatory authorities (additional application and explanatory material can be found at paragraph .A16 of AU-C section 250)

However, even when those procedures are performed, the auditor may not become aware of the existence of noncompliance unless there is evidence of noncompliance in the records, documents, or other information normally inspected in an audit of financial statements.

Noncompliance Brought to the Auditor’s Attention By Other Audit Procedures

5.161 During the audit, paragraph .15 of AU-C section 250 states that the auditor should remain alert to the possibility that other audit procedures applied may bring instances of noncompliance or suspected noncompliance with laws and regulations to the auditor's attention. For example, paragraph .A17 of AU-C section 250 states that such audit procedures may include reading minutes; inquiring of the institution's management and in-house or external legal counsel concerning litigation, claims, and assessments; and performing substantive tests of details of classes of transactions, account balances, or disclosures.

5.162 Further discussion regarding audit procedures when noncompliance is identified or suspected, reporting of identified or suspected noncompliance, and documentation requirements can be found in paragraphs .17–.28 of AU-C section 250.

Going-Concern Considerations[36]

5.163 AU-C section 570A, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern (AICPA, Professional Standards), addresses the auditor’s responsibilities in an audit of financial statements with respect to evaluating whether there is substantial doubt about the entity’s ability to continue as a going concern. This section applies to all audits of financial statements, regardless of whether the financial statements are prepared in accordance with a general purpose or a special purpose framework. This section does not apply to an audit of financial statements based on the assumption of liquidation (for example, when [a] an entity is in the process of liquidation, [b] the owners have decided to commence dissolution or liquidation, or [c] legal proceedings, including bankruptcy, have reached a point at which dissolution or liquidation is probable). The auditor's evaluation of an institution's ability to continue as a going concern may be one of the most complex and important portions of the audit. This section describes the unique issues that an auditor may encounter in evaluating an institution's ability to continue as a going concern.

Considerations for Audits Performed in Accordance With PCAOB Standards[37]

PCAOB Staff Audit Practice Alert No. 13, Matters Related to the Auditor’s Consideration of a Company’s Ability to Continue as a Going Concern (AICPA, PCAOB Standards and Related Rules, PCAOB Staff Guidance, sec. 400.13), addresses the professional standards applicable to the auditor’s evaluation of a company’s ability to continue as a going concern in light of recent changes to GAAP. The alert specifically highlights that in addition to adhering to the existing requirements in the PCAOB’s interim auditing standard AS 2415, Consideration of an Entity’s Ability to Continue as a Going Concern (AICPA, PCAOB Standards and Related Rules), auditors should assess management’s going concern evaluation in accordance with the requirements of the applicable financial reporting framework.

5.164 Financial institutions operate in a highly regulated environment. As a result, laws and regulations can have a significant effect on their operations. The enactment of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 and the FDIC Improvement Act of 1991 dramatically changed the regulatory environment in the banking and thrift industries and imposed new regulatory capital requirements that are far more stringent than previous requirements. Chapter 1 of this guide includes a discussion of regulatory capital requirements for banks and savings institutions, and such requirements for credit unions are discussed in chapter 2 of this guide.

Evaluating Whether Substantial Doubt Exists

5.165 In accordance with paragraph .08 of AU-C section 570A, the auditor should evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period of time (defined in AU-C section 570A as a period of time not to exceed one year beyond the date of the financial statements being audited) based on the results of the audit procedures.

5.166 When the applicable financial reporting framework includes a definition of substantial doubt about an entity’s ability to continue as a going concern, Interpretation No. 1, “Definition of Substantial Doubt About an Entity’s Ability to Continue as a Going Concern” (AICPA, Professional Standards, AU-C sec. 9570A par. .01–.02), of AU-C section 570A states that definition would be used by the auditor when applying the requirements of AU-C section 570A. Interpretation No. 2, “Definition of Reasonable Period of Time” (AICPA, Professional Standards, AU-C sec. 9570A par. .03–.05), of AU-C section 570A provides guidance on how an auditor should apply the term reasonable period of time when the applicable financial reporting framework requires management to evaluate whether there are conditions and events that raise substantial doubt for a period of time greater than one year from the date of the financial statements. Specifically, Interpretation No. 2 states that the auditor’s assessment of management’s going concern evaluation would be for the same period of time as required by the applicable financial reporting framework.

Identifying Conditions or Events That Indicate Substantial Doubt Could Exist

5.167 As stated in paragraph .09 of AU-C section 570A, the auditor should consider whether the results of procedures performed during the course of the audit identify conditions and events that, when considered in the aggregate, indicate there could be substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time. The auditor should consider the need to obtain additional information about such conditions and events, as well as the appropriate audit evidence to support information that mitigates the auditor's doubt.

5.168 Paragraph .A1 of AU-C section 570A states that it is not necessary to design audit procedures solely to identify conditions or events that, when considered in the aggregate, indicate there could be substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time. The results of audit procedures designed and performed to identify and assess risk in accordance with AU-C section 315, gather audit evidence in response to assessed risks in accordance with AU-C section 330, and complete the audit are expected to be sufficient for that purpose. The following are examples of procedures normally performed in audits of the financial statements of financial institutions that may identify such conditions and events:

  • Analytical procedures
  • Review of subsequent events
  • Review of compliance with the terms of debt and loan agreements
  • Reading of minutes of meetings of stockholders, board of directors, and important committees of the board
  • Inquiry of an entity's legal counsel about litigation, claims, and assessments
  • Confirmation with related and third parties of the details of arrangements to provide or maintain financial support
  • Review of the financial strength and liquidity of the parent company, if applicable
  • Review of loans maturing in less than one year and the entity’s ability to refinance or pay off the loan
  • Review of reports of significant examinations and related communications between examiners and the institution
  • Review of compliance with regulatory capital requirements

5.169 In performing such audit procedures as noted previously, paragraph .A2 of AU-C section 570A states that the auditor may identify information about certain conditions or events that, when considered in the aggregate, indicate there could be substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time. The significance of such conditions or events will depend on the circumstances, and some conditions or events may have significance only when viewed in conjunction with others. The following are examples of such conditions and events that may be encountered in audits of financial institutions:

  • Recurring operating losses
  • Indications of strained liquidity
  • Failure to meet minimum regulatory capital requirements or to adhere to the terms of an approved capital plan
  • Concerns expressed or actions taken by regulatory authorities regarding alleged unsafe or unsound practices
  • Indications of strained relationships between management and regulatory authorities

Considerations of Management’s Plans When the Auditor Believes There Is Substantial Doubt

5.170 If, after considering the identified conditions or events in the aggregate, the auditor believes that there is substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time, paragraph .10 of AU-C section 570A states that the auditor should obtain information about management's plans that are intended to mitigate the adverse effects of such conditions or events. The auditor should

  a. assess whether it is likely that the adverse effects would be mitigated by management’s plans for a reasonable period of time;
  b. identify those elements of management’s plans that are particularly significant to overcoming the adverse effects of the conditions or events and plan and perform procedures to obtain audit evidence about them, including, when applicable, considering the adequacy of support regarding the ability to obtain additional financing or the planned disposal of assets; and
  c. assess whether it is likely that such plans can be effectively implemented.

5.171 When prospective financial information is particularly significant to management’s plans, paragraph .11 of AU-C section 570A states that the auditor should request management to provide that information and should consider the adequacy of support for significant assumptions underlying that information. The auditor should give particular attention to assumptions that are

  • material to the prospective financial information.
  • especially sensitive or susceptible to change.
  • inconsistent with historical trends.

The auditor’s consideration should be based on knowledge of the entity, its business, and its management and should include (a) reading the prospective financial information and the underlying assumptions and (b) comparing prospective financial information from prior periods with actual results and comparing prospective information for the current period with results achieved to date. If the auditor becomes aware of factors, the effects of which are not reflected in such prospective financial information, the auditor should discuss those factors with management and, if necessary, request revisions of the prospective financial information.

Consideration of Financial Statement Effects

5.172 Paragraph .12 of AU-C section 570A states that when, after considering management's plans, the auditor concludes that there is substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time, the auditor should consider the possible effects on the financial statements and the adequacy of the related disclosures. In considering the adequacy of disclosure, paragraph .A4 of AU-C section 570A states that some of the information that might be disclosed includes the following:

  • Principal conditions or events giving rise to the assessment of substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time
  • The possible effects of such conditions or events
  • Management's evaluation of the significance of those conditions or events and any mitigating factors
  • Possible discontinuance of operations
  • Management's plans (including relevant prospective financial information)
  • Information about the recoverability or classification of recorded asset amounts or the amounts or classification of liabilities

5.173 When the auditor concludes, primarily because of the auditor’s consideration of management’s plans, that substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time has been alleviated, paragraph .13 of AU-C section 570A states that the auditor should consider the need for, and evaluate the adequacy of, disclosure of the principal conditions or events that initially caused the auditor to believe there was substantial doubt. The auditor’s consideration of disclosure should include the possible effects of such conditions and events, and any mitigating factors, including management's plans. The auditor may have to communicate with the regulator to assist with the auditor’s assessment. (Refer to chapter 1 of this guide for a discussion of necessary communications with regulators.) Chapter 23 of this guide includes an illustration of a report that includes such an emphasis-of-matter paragraph.

5.174 When the applicable financial reporting framework provides disclosure requirements related to management’s evaluation of substantial doubt, Interpretation No. 4, “Consideration of Financial Statement Effects” (AICPA, Professional Standards, AU-C sec. 9570A par. .09–.10), of AU-C section 570A states that the auditor’s assessment of the financial statement effects under AU-C section 570A would be based on the disclosure requirements of the applicable financial reporting framework.

Written Representations

5.175 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, paragraph .14 of AU-C section 570A states that the auditor should obtain written representations from management

  a. regarding its plans that are intended to mitigate the adverse effects of conditions or events that indicate there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time and the likelihood that those plans can be effectively implemented, and
  b. that the financial statements disclose all the matters of which management is aware that are relevant to the entity’s ability to continue as a going concern, including principal conditions or events and management’s plans.

Consideration of the Effects on the Auditor’s Report

5.176 Paragraphs .15–.16 of AU-C section 570A state that, if, after considering identified conditions and events and management's plans, the auditor concludes that substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time remains, the auditor should include an emphasis-of-matter paragraph[38] in the auditor’s report to reflect that conclusion. The auditor’s conclusion about the entity’s ability to continue as a going concern should be expressed through the use of the phrase "substantial doubt about its (the entity’s) ability to continue as a going concern" or similar wording that includes the terms substantial doubt and going concern. In a going concern emphasis-of-matter paragraph, the auditor should not use conditional language in expressing a conclusion concerning the existence of substantial doubt about the entity’s ability to continue as a going concern. Paragraph .A6 of AU-C section 570A provides an illustration of a going-concern emphasis-of-matter paragraph.

5.177 The auditor's decision about whether modification of the standard report is appropriate may depend also on

  • the institution's existing regulatory-capital position;
  • the likelihood that the institution's regulatory-capital position will improve or deteriorate within the next 12 months;
  • whether the plan has been accepted by regulatory authorities; and
  • the auditor's assessment of the institution's ability to achieve its capital plan, if any.

5.178 Chapter 23 of this guide discusses circumstances in which the auditor might disclaim an opinion.

Documentation

5.179 If the auditor believes, before consideration of management’s plans pursuant to paragraph .10 of AU-C section 570A (see paragraph 5.170), there is substantial doubt about the ability of the entity to continue as a going concern for a reasonable period of time, paragraph .22 of AU-C section 570A states that the auditor should document the following:

  • The conditions or events that led the auditor to believe that there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.
  • The elements of management’s plans that the auditor considered to be particularly significant to overcoming the adverse effects of the conditions or events.
  • The auditing procedures performed to evaluate the significant elements of management’s plans and evidence obtained.
  • The auditor’s conclusion as to whether substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time remains or is alleviated. If substantial doubt remains, the auditor also should document the possible effects of the conditions or events on the financial statements and the adequacy of the related disclosures. If substantial doubt is alleviated, the auditor also should document the conclusion as to the need for and, if applicable, the adequacy of disclosure of the principal conditions and events that initially caused the auditor to believe there was substantial doubt.
  • The auditor’s conclusion with respect to the effects on the auditor’s report.

Written Representations

5.180 AU-C section 580, Written Representations (AICPA, Professional Standards), addresses the auditor’s responsibility to obtain written representations from management and, when appropriate, those charged with governance in an audit of financial statements.

Written Representations as Audit Evidence

5.181 According to paragraphs .03–.04 of AU-C section 580, written representations are necessary information that the auditor requires in connection with the audit of the entity’s financial statements. Accordingly, similar to responses to inquiries, written representations are audit evidence. Although written representations provide necessary audit evidence, they complement other auditing procedures and do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal. Furthermore, obtaining reliable written representations does not affect the nature or extent of other audit procedures that the auditor applies to obtain audit evidence about the fulfillment of management’s responsibilities or about specific assertions.

Management From Whom Written Representations Are Requested

5.182 As explained in paragraph .A2 of AU-C section 580, written representations are requested from those with overall responsibility for financial and operating matters whom the auditor believes are responsible for, and knowledgeable about, directly or through others in the organization, the matters covered by the representations, including the preparation and fair presentation of the financial statements. As such, in accordance with paragraph .09 of AU-C section 580, the auditor should request written representations from management with appropriate responsibilities for the financial statements and knowledge of the matters concerned.

5.183 Paragraph .A2 of AU-C section 580 further states that those individuals with overall responsibility may vary depending on the governance structure of the entity; however, management (rather than those charged with governance) is often the responsible party. Written representations may therefore be requested from the entity’s chief executive officer and chief financial officer or other equivalent persons in entities that do not use such titles. In some circumstances, however, other parties, such as those charged with governance, also are responsible for the preparation and fair presentation of the financial statements.

Written Representations About Management’s Responsibilities and Other Written Representations

5.184 Paragraphs .10–.18 of AU-C section 580 discuss the matters about which the auditor should request management to provide written representations, such as preparation and fair presentation of the financial statements, information provided and completeness of transactions, fraud, laws and regulations, uncorrected misstatements, litigation and claims, estimates, related party transactions, and subsequent events. If, in addition to such required representations and those addressed in other AU-C sections,[43] the auditor determines that it is necessary to obtain one or more written representations to support other audit evidence relevant to the financial statements or one or more specific assertions in the financial statements, paragraph .19 of AU-C section 580 states that the auditor should request such other written representations.

5.185 Additional representations specific to banks and savings institutions, credit unions, or both that may be obtained include the following:

  • All regulatory examination reports, supervisory correspondence, and similar materials from applicable regulatory agencies (particularly communications concerning supervisory actions or noncompliance with or deficiencies in the rules and regulations or supervisory actions) have been provided to the auditor.
  • The classification of securities between held-to-maturity, available-for-sale, or trading categories accurately reflects management's ability and intent.
  • The methodology for determining fair value disclosures is based on reasonable assumptions.
  • Adequate disclosure has been made of the status of the institution's capital plan filed with regulators, if applicable, and management believes it is in compliance with any formal agreements or orders in any memorandum of understanding or cease-and-desist order.
  • Contingent assets and liabilities have been adequately disclosed in the financial statements.
  • Related-party transactions have been entered into in compliance with existing regulations.
  • Adequate provision has been made for any losses, costs, or expenses that may be incurred on securities, loans, or leases and real estate as of the balance sheet date.
  • Other-than-temporary declines in the value of investment securities have been properly recognized in the financial statements.
  • Commitments to purchase or sell securities under forward-placement, financial-futures contracts, and standby commitments have been adequately disclosed in the financial statements.
  • Sales with recourse have been adequately disclosed in the financial statements.
  • Proper disclosure has been made regarding the nature, terms, and credit risk of financial instruments with off-balance-sheet risk.
  • No transactions or activities are planned that would result in any recapture of the base-year, tax-basis bad debt reserves.
  • Proper disclosure has been made regarding financial instruments with significant
     — off-balance-sheet risk and
     — individual or group concentrations of credit risk.

5.186 Paragraph .A22 of AU-C section 580 states that management's representations may be limited to matters that are considered either individually or collectively material to the financial statements, provided management and the auditor have reached an understanding on materiality for this purpose. Materiality may be different for different representations. A discussion of materiality may be included explicitly in the representation letter in either qualitative or quantitative terms. Materiality considerations do not apply to those representations that are not directly related to amounts included in the financial statements (for example, management’s representations about the premise underlying the audit). In addition, because of the possible effects of fraud on other aspects of the audit, materiality would not apply to management’s acknowledgment regarding its responsibility for the design, implementation, and maintenance of internal control to prevent and detect fraud.

Date of, and Period(s) Covered by, Written Representations

5.187 Paragraph .20 of AU-C section 580 states that the date of the written representations should be as of the date of the auditor’s report on the financial statements. The written representations should be for all financial statements and period(s) referred to in the auditor’s report.

Form of Written Representations

5.188 In accordance with paragraph .21 of AU-C section 580, the written representations should be in the form of a representation letter addressed to the auditor.

Doubt About the Reliability of Written Representations and Requested Written Representations Not Provided

5.189 Paragraph .25 of AU-C section 580 states that the auditor should disclaim an opinion on the financial statements in accordance with AU-C section 705 or withdraw from the engagement if

  a. the auditor concludes that sufficient doubt exists about the integrity of management such that the written representations required by paragraphs .10–.11 of AU-C section 580 are not reliable or
  b. management does not provide the written representations required by paragraphs .10–.11 of AU-C section 580.

Information Other Than Financial Statements

5.190 An institution may publish various documents that contain information in addition to audited financial statements and the auditor's report thereon. AU-C section 720, Other Information in Documents Containing Audited Financial Statements (AICPA, Professional Standards), addresses the auditor’s responsibility with respect to other information in documents containing audited financial statements and the auditor’s report thereon. In the absence of any separate requirement in the particular circumstances of the engagement, the auditor’s opinion on the financial statements does not cover other information, and the auditor has no responsibility for determining whether such information is properly stated. This section establishes the requirement for the auditor to read the other information of which the auditor is aware because the credibility of the audited financial statements may be undermined by material inconsistencies between the audited financial statements and other information.

5.191 In some circumstances, an auditor submits to the client or others a document that contains information in addition to the client's basic financial statements and the auditor's report thereon. AU-C section 725, Supplementary Information in Relation to the Financial Statements as a Whole (AICPA, Professional Standards), addresses the auditor’s responsibility when engaged to report on whether supplementary information is fairly stated, in all material respects, in relation to the financial statements as a whole. The information covered by this section is presented outside the basic financial statements and is not considered necessary for the financial statements to be fairly presented in accordance with the applicable financial reporting framework. This section also may be applied, with the report wording adapted as necessary, when an auditor has been engaged to report on whether required supplementary information is fairly stated, in all material respects, in relation to the financial statements as a whole.

5.192 AU-C section 730, Required Supplementary Information (AICPA, Professional Standards), addresses the auditor’s responsibility with respect to information that a designated accounting standards setter requires to accompany an entity’s basic financial statements (hereinafter referred to as required supplementary information). In the absence of any separate requirement in the particular circumstances of the engagement, the auditor’s opinion on the basic financial statements does not cover required supplementary information.

Certain Financial Reporting Matters

Disclosures of Certain Significant Risks and Uncertainties

5.193 FASB ASC 275-10-50-1⁴⁴ requires institutions to make disclosures in their financial statements about the risks and uncertainties existing as of the date of those statements in the following areas:

  a. The nature of their operations, including the activities in which the entity is currently engaged if principal operations have not commenced
  b. The use of estimates in the preparation of their financial statements
  c. Certain significant estimates
  d. Current vulnerability due to certain concentrations

5.194 An illustration of the application of these disclosure requirements by a bank or savings institution follows:

Nature of operations. ABC Institution operates seven branches in rural and suburban communities in the United States Midwest. The Institution's primary source of revenue is providing loans to customers that are predominantly small and middle-market businesses and middle-income individuals.

Use of estimates in the preparation of financial statements. The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and that affect the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates.

5.195 The application of these disclosure requirements by a bank or savings institution is discussed and illustrated in the following paragraphs.

Certain Significant Estimates

5.196 As explained in FASB ASC 275-10-50-7, disclosures are required regarding estimates used in the determination of the carrying amounts of assets or liabilities or in disclosure of gain or loss contingencies, as described herein. FASB ASC 275-10-50-8 goes on to state that disclosure regarding an estimate should be made when known information available before the financial statements are issued or are available to be issued (as discussed in FASB ASC 855-10-25) indicates that both of the following criteria are met:

  a. It is at least reasonably possible that the estimate of the effect on the financial statements of a condition, situation, or set of circumstances that existed at the date of the financial statements will change in the near term due to one or more future confirming events.
  b. The effect of the change would be material to the financial statements.

5.197 In accordance with FASB ASC 275-10-50-9, the disclosure should indicate the nature of the uncertainty and include an indication that it is at least reasonably possible that a change in the estimate will occur in the near term. If the estimate involves a loss contingency covered by FASB ASC 450-20, the disclosure also should include an estimate of the possible loss or range of loss, or state that such an estimate cannot be made.⁴⁵

5.198 Following is an illustrative disclosure about the allowance for loan losses when no uncertainties meet the disclosure criteria established in FASB ASC 275-10-50-8 and FASB ASC 450-20-50-3.

Allowance for loan losses. The allowance for loan losses is established as losses are estimated to have occurred through a provision for loan losses charged to earnings. Loan losses are charged against the allowance when management believes the uncollectibility of a loan balance is confirmed. Subsequent recoveries, if any, are credited to the allowance.

The allowance for loan losses is evaluated on a regular basis by management and is based upon management’s periodic review of the collectibility of the loans in light of historical experience, the nature and volume of the loan portfolio, adverse situations that may affect the borrower’s ability to repay, estimated value of any underlying collateral, and prevailing economic conditions. This evaluation is inherently subjective as it relies on estimates that are susceptible to significant revision as more information becomes available.

5.199 The following illustrates a paragraph that might be added to the illustrative disclosure in paragraph 5.198 to disclose an uncertainty that meets the disclosure criteria of FASB ASC 275-10-50-8, is a loss contingency covered by FASB ASC 450-20, and affects the estimate of loan losses for only some portion of the institution's loan portfolio:

Three of the Institution's seven branches are in communities that were flooded in late 200X. These branches made loans to individuals and businesses affected by the flooding and the Institution considered the flood's effect in determining the adequacy of the allowance for loan losses. No estimate can be made of a range of amounts of loss that are reasonably possible with respect to that event.⁴⁶

5.200 The following illustrates a paragraph that might be added to the illustration in paragraph 5.198 to disclose an uncertainty that meets the disclosure criteria of FASB ASC 275-10-50-8 and is a loss contingency covered by FASB ASC 450-20:

The Institution lends primarily to individuals employed at ABC Air Force Base and businesses local to the base. On December 19, 20X3, the President of the United States ratified a plan that includes the closing of the base effective November 20X4. It is reasonably possible that a change in estimated loan losses will occur in the near term. No estimate can be made of a range of amounts of loss that are reasonably possible with respect to the base closing.

5.201 FASB ASC 275-10-50-15 gives examples of assets and liabilities and related revenues and expenses, and of disclosure of gain or loss contingencies included in financial statements that, based on facts and circumstances existing at the date of the financial statements, may be based on estimates that are particularly sensitive to change in the near term.

5.202 Besides valuation allowances for loans, examples of similar estimates often included in banks', savings institutions', and credit unions’ financial statements include the following:

  • Impairment of long-lived assets, for example, assets related to marginal branches
  • Estimates involving assumed prepayments, for example, discounts or premiums on certain financial assets (such as securities or loans), mortgage servicing rights and excess servicing receivables, and mortgage related securities
  • Lives of identifiable intangible assets (for example, depositor or borrower relationships)

5.203 For example, during 20X5, DEF Bank evaluated the profitability of its branch operations. DEF Bank determined that it will significantly change the extent or manner in which it uses a group of long-lived assets related to six of its branches. In applying FASB ASC 360, Property, Plant, and Equipment, DEF Bank determined that the sum of the estimated future cash flows (cash inflows less associated cash outflows) that are directly associated with and that are expected to arise as a direct result of the use and eventual disposition of the asset group, excluding interest charges, exceeds the carrying amount of the long-lived asset group. In addition, the carrying amount of the asset group does not exceed its fair value. Thus, an impairment loss has not been recognized under FASB ASC 360. The significant change in the extent or manner in which the assets are used, however, indicates that the estimate associated with the carrying amounts of those assets may be particularly sensitive in the near term.⁴⁷ Following is an illustrative disclosure:

Management of DEF Bank has reevaluated and will significantly change its use of a group of long-lived assets associated with six of its branches. It is reasonably possible that the Bank's estimate of the carrying amounts of these assets will change in the near term. No estimate can be made of a range of amounts of loss that are reasonably possible.

Current Vulnerability Due to Certain Concentrations

5.204 FASB ASC 275-10-50-16 requires institutions to disclose the concentrations described in FASB ASC 275-10-50-18 if, based on information known to management before the financial statements are issued or are available to be issued (as discussed in FASB ASC 855-10-25), all of the following criteria are met:

  a. The concentration exists at the date of the financial statements.
  b. The concentration makes the institution vulnerable to the risk of a near-term severe impact.
  c. It is at least reasonably possible that the events that could cause the severe impact will occur in the near term.

5.205 FASB ASC 275, Risks and Uncertainties, does not address concentrations of financial instruments. However, as discussed in chapter 7, chapter 8, "Loans," and chapter 18 of this guide, and elsewhere in this guide, FASB ASC 825, Financial Instruments, includes the disclosure provisions about concentrations of credit risk.⁴⁸

5.206 The following concentrations described in FASB ASC 275-10-50-18 require disclosure if they meet the criteria of FASB ASC 275-10-50-16:

  a. Concentrations in the volume of business transacted with a particular customer, supplier, lender, grantor, or contributor
  b. Concentrations in revenue from particular products, services, or fund-raising events
  c. Concentrations in the available sources of supply of materials, labor, or services, or of licenses or other rights used in the entity's operations
  d. Concentrations in the market or geographic area in which an entity conducts its operations

5.207 Examples of concentrations that may fall in one or more of these categories and that may exist at certain financial institutions include

  • sale of a substantial portion of or all receivables or loan products to a single customer;
  • loss of approved status as a seller to or servicer for a third party;
  • concentration of revenue from issuances involving a third-party guarantee program;
  • concentration of revenue from mortgage banking activities; and
  • in the case of a credit union, membership in the institution is concentrated with employees of a specific industry or in a region.

5.208 For example, assume a significant portion of GHI Institution's net income is from sales of originated loans. In 20X5, GHI Institution originated $800 million of loans. GHI Institution sold the loans and servicing rights to a substantial portion of these loans to a single servicer, TCB. TCB has historically purchased a substantial portion of the loans and servicing originated by GHI Institution. Following is an illustrative disclosure:

A substantial portion of GHI Institution's loan and loan-servicing-right originations is sold to a single servicer.

5.209 Assume a significant portion of JKL Bank's revenues is from the origination of loans guaranteed by the Small Business Administration under its Section 7 program and sale of the guaranteed portions of those loans. Funding for the Section 7 program depends on annual appropriations by the U.S. Congress. The customer base for this lending specialization and the resulting profits depend on the continuation of the program. Following is an illustrative disclosure:

A substantial portion of JKL Bank's revenues is from origination of loans guaranteed by the Small Business Administration under its Section 7 program and sale of the guaranteed portions of those loans. Funding for the Section 7 program depends on annual appropriations by the U.S. Congress.

Segment Reporting

5.210 FASB ASC 280-10 provides guidance to public entities on how to report certain information about operating segments in complete sets of financial statements of the public entity and in condensed financial statements of interim periods issued to shareholders. Refer to FASB ASC 280, Segment Reporting, for further discussion and detail regarding segment reporting requirements.

5.211 Per the FASB ASC glossary, a public entity is defined as a business entity or a not-for-profit entity that meets any of the following conditions:

  • It has issued debt or equity securities or is a conduit bond obligor for conduit debt securities that are traded in a public market (a domestic or foreign stock exchange or an over-the-counter market, including local or regional markets).
  • It is required to file financial statements with the SEC.
  • It provides financial statements for the purpose of issuing any class of securities in a public market.

Regulation and Supervision of Depository Institutions

Introduction

5.212 Laws and their implementing regulations affect the areas and ways in which certain financial institutions operate while creating standards with which those institutions must comply. Some laws and regulations directly address the responsibilities of auditors.⁴⁹

5.213 The primary objective of this section is to explain why and how auditors might consider regulatory matters in the audits of certain financial institutions. This chapter also addresses the overall regulatory approach and environment, and the relative responsibilities of those institutions, examiners, and auditors. Considerations auditors might give to specific areas of regulation are highlighted in subsequent chapters.

5.214 Auditors might consider the effect regulations have on various engagements:

  a. Acceptance of engagements in the affected industry
  b. Planning activities (that is, development of the expected conduct and scope of an engagement)
  c. Responsibility for detection of errors and irregularities
  d. Evaluation of contingent liabilities and related disclosures
  e. Consideration of an institution's ability to continue as a going concern

5.215 Paragraph .12 of AU-C section 315 indicates that auditors should obtain an understanding of relevant regulatory factors, including the applicable financial reporting framework. In that regard, it is helpful for auditors to be familiar with the nature and purpose of regulatory examinations—including the differences and relationship between examinations and financial statement audits.

5.216 Finally, an understanding of the regulatory environment in which these institutions operate is necessary to complement the auditor's knowledge of existing regulatory requirements. Because the regulatory environment is continually changing, the auditor might consider monitoring relevant regulatory changes and consider their implications in the audit process.

5.217 One primary objective of regulation is to maintain the strength of the financial system, in turn, promoting and enforcing the public role of certain financial institutions as financial intermediaries, protecting depositors, and preserving funds for federal deposit insurance. Regulations are generally associated with one or more of the following objectives: capital adequacy, asset quality, management competence, earnings, liquidity, and sensitivity to market risk.

5.218 Many laws and areas of regulation address the public role of certain financial institutions. For example, laws and regulations exist to ensure the availability of credit to all creditworthy applicants without discrimination and to satisfy the credit needs of low- and moderate-income neighborhoods in institutions' local communities.

5.219 Other regulations directly address these institutions' operations and, therefore, have broader financial implications. For example, rules exist that restrict the acceptance and renewal of brokered deposits based on a bank or savings institution's level of capitalization.

5.220 In addition to the specific regulatory matters outlined in subsequent chapters, the three aspects of the regulatory process that are particularly important to auditors are rule making, examinations, and enforcement.

Rule Making

5.221 Regulations are created by the agencies based on their ongoing authority or as specifically mandated by legislation. Proposed rules and regulations are generally published for comment in the Federal Register, a daily publication of the federal government. Final rules also appear in the Federal Register and are codified in Title 12, Banks and Banking, of U.S. CFR. The Federal Register may be accessed at the Government Printing Office website. The rules applicable to a given institution depend on the institution's charter and other factors, such as whether it is federally insured and whether it is a member of the Federal Reserve System. Institutions are informed of new rules, policies, and guidance through publications of the agencies.

5.222 Discussions of specific regulatory matters found throughout this guide should not be substituted for a complete reading of related regulations, rulings, or other documents where appropriate. It is important for auditors to keep apprised of recent changes in regulations, as the regulatory environment is constantly changing.

Examinations

5.223 As used in this guide, the term audit refers to an audit performed by an auditor for the purpose of expressing an opinion on an institution’s financial statements, unless the context in which the term is used clearly indicates that the reference is to an internal audit. The term examination generally refers to an examination made by a regulatory authority. There are several types of regulatory examinations, including a Safety and Soundness Examination, an Information Systems Examination, a Trust Examination and a Compliance Examination. These examinations may be combined or performed separately. The purpose of the regulatory examination is to determine the safety and soundness of an institution. The term examiner as used in this guide means those individuals—acting on behalf of a regulatory agency—responsible for supervising the performance or preparation of reports of examination and, when appropriate, supervisory personnel at the district and national level.

5.224 Federally insured financial institutions are required to have periodic full-scope, on-site examinations by the appropriate agency. In some cases, the OCC and the Federal Reserve will perform off-site examinations. In certain cases, an examination by a state regulatory agency is accepted. Full-scope and other examinations are intended primarily to provide early identification of problems at insured institutions rather than as a basis for expressing an opinion on fair presentation of an institution's financial statements.

5.225 The scope of an examination is generally unique to each institution based on risk factors assessed by the examiner; however, general areas that might be covered include the following:

  • Capital adequacy
  • Asset quality
  • Management
  • Earnings
  • Liquidity
  • Sensitivity to market risk
  • Funds management
  • Internal systems and controls
  • Consumer affairs
  • Electronic data processing
  • Fiduciary activities

5.226 Examinations are sometimes targeted to a specific area of operations. Separate compliance examination programs also exist to address institutions' compliance with laws and regulations in areas such as consumer protection, insider transactions, and reporting under the Bank Secrecy and USA Patriot Acts.

5.227 An examination generally begins with a review of various background material and information, including practices, policies or procedures established by an institution. The examiner compares these practices, policies, or procedures to regulatory and supervisory requirements and assesses the institution's adherence to sound fundamental principles in its day-to-day operations. Any additional detailed procedures considered necessary are then applied. A written report of procedures and findings is then prepared by the examiner. The relationship between the work of the examiner and that of the auditor is further discussed in the following paragraph.

5.228 Results of examinations are also used in assigning the institution a rating under regulatory rating systems. The FFIEC has adopted the Uniform Financial Institutions Rating System, which bases an institution's composite CAMELS rating on component factors addressing capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Further, the Federal Reserve assigns BOPEC ratings (BOPEC stands for the five key areas of supervisory concern: the condition of the BHC's bank subsidiaries, other nonbank subsidiaries, parent company, earnings, and capital adequacy) to bank holding companies based on consideration of the bank's CAMELS rating, operation of significant nonbanking subsidiaries, the parent's strength and operations, earnings of the banking organization, and capital of the banking organization. Both systems involve a five-point rating scale, with one being the highest possible rating.

Enforcement

5.229 Regulatory enforcement is sometimes carried out through a written agreement between the regulator and the institution—ranging from the least severe commitment letter to a cease-and-desist order. Among other actions that can be taken, the agencies may enforce regulations by

  • ordering an institution to cease and desist from certain practices or violations;
  • removing an officer or prohibiting an officer from participating in the affairs of the institution or the industry;
  • assessing civil money penalties; and
  • terminating insurance of an institution's deposits.

5.230 The examination focus has shifted from complete reliance on transaction testing to an assessment of risks, and each of the agencies has issued guidance on "supervision by risk," under which examiners identify the risks a bank faces and evaluate how the institution manages those risks. Derivative activities (including the use of credit derivatives), as well as bank trading activities, have also received increased scrutiny. In addition, recent losses involving fraud have led to a reemphasis on the identification of significant internal control weaknesses and other potential indicators of fraud.

5.231 Further, insured financial institutions may be subject to other mandatory and discretionary actions taken by regulators under prompt corrective action (PCA) provisions of the FDI Act and the Federal Credit Union Act (FCUA). As described in chapters 1 and 2 of this guide, possible actions range from the restriction or prohibition of certain activities to appointment of a receiver or conservator of the institution's net assets.

5.232 Many enforcement actions—such as civil money penalties—apply not only to an insured financial institution but also to a broader class of institution-affiliated parties, which could include auditors. For example, regulatory agencies may assess civil money penalties of up to $1 million⁵⁰ per day against an institution or institution-affiliated party that violates a written agreement or any condition imposed in writing by the agency, breaches a fiduciary duty, or engages in unsafe or unsound practices. Because the term unsafe or unsound is not defined in any law or regulation, the potential liability of institution-affiliated parties is great.

5.233 The FDI Act also authorizes the agencies that regulate banks and savings institutions—on a showing of good cause—to remove, suspend, or bar an auditor from performing engagements required under the FDI Act.

5.234 Due to the passage of the Credit Union Membership Access Act of 1998 in 1998, the NCUA adopted stiffer net worth requirements and PCA regulations. Practitioners should understand these regulations and their effect on the credit union.

5.235 The NCUA is required to publicly disclose formal and informal enforcement orders and any modifications to or terminations of such orders. Publication may be delayed for a reasonable time if disclosure would seriously threaten the safety or soundness of the credit union.

5.236 Currently, federal and most state credit union regulators use a letter of understanding and agreement or similar contractual arrangement to formalize the negotiated agreement between the regulatory agency or agencies (the regional director represents the NCUA) and the credit union's board of directors concerning problems, the actions to be taken, and the timetable for completing each action. In dealing with a state-chartered, non-National Credit Union Share Insurance Fund–insured credit union, the state regulator will usually involve the appropriate state or private insurer.

Planning

5.237 AU-C section 315 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control. The auditor should obtain knowledge about regulatory matters and developments as part of the understanding of an institution's business. The auditor might also consider the results of regulatory examinations, as discussed previously.

Detection of Errors and Fraud

5.238 AU-C section 240 addresses the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how AU-C sections 315 and 330 are to be applied regarding risks of material misstatement due to fraud. Noncompliance with laws and regulations (for example, noncompliance with regulatory capital requirements) is one indicator of higher risk that is especially relevant in the industry. Events of noncompliance are often described in

  • regulatory reports and
  • cease-and-desist orders or other regulatory actions, whether formal or informal.

5.239 In accordance with paragraph .A10 of AU-C section 250, the auditor’s responsibility regarding misstatements resulting from noncompliance with laws and regulations having a direct effect on the determination of material amounts and disclosures in the financial statements is the same as that for misstatements caused by fraud or error. For purposes of AU-C section 250, noncompliance is defined as acts of omission or commission by the entity either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management, or employees of the entity.

Evaluation of Contingent Liabilities and Related Disclosures

5.240 Management's financial statement assertions include those about the completeness, presentation, and disclosure of liabilities. Because some areas of regulation relate more to operations than to financial reporting or accounting, consideration of compliance in those areas would normally be limited to the evaluation of disclosures of any contingent liability based on alleged or actual violation of the law.

Going-Concern Considerations

5.241 Paragraphs 5.163–.179 address going-concern considerations. In addition to the matters discussed in those paragraphs, the auditor's consideration might include regulatory matters such as the following:

  • Noncompliance with laws and regulations
  • Supervisory actions or regulatory changes that place limitations or restrictions on operating activities
  • Classification of the institution under PCA provisions of the FDI Act and the FCUA (see chapters 1 and 2 of this guide)

5.242 For example, regulatory changes in 1992 placed new restrictions on the acceptance of brokered deposits by certain banks and savings institutions. This change had two implications. First, it potentially limited sources of liquidity and created a compliance requirement. An auditor auditing the financial statements of an institution subject to those restrictions would have needed to evaluate whether the effect on the institution's liquidity, when considered with other factors, raised substantial doubt about the institution's ability to remain a going concern for a reasonable period of time. The auditor would also have needed to consider the financial statement effects of any known event of noncompliance with the requirement itself. Examples of other events or conditions that would warrant the auditor's consideration include

  • the continued existence of conditions that brought about previous regulatory actions or restrictions;
  • effects of scheduled increases in deposit insurance premiums;
  • failure to meet minimum regulatory capital requirements;
  • limitations on the availability of borrowings through the Federal Reserve System discount window; and
  • exposure to the institution posed by transactions with correspondent banks and related limitations on interbank liabilities.

Regulatory Reporting Matters—Interpretation and Reporting Related to GAAP

5.243 General purpose financial statements are prepared in accordance with GAAP. Every national bank and savings and loan association, state member bank and state chartered savings and loan association, and insured state nonmember bank is required to file FFIEC Call Reports. Every federally insured credit union is required to file the NCUA 5300 Call Report. Call Reports (for example, FFIEC and NCUA) present an institution’s financial condition and results of operations on a consolidated basis in accordance with GAAP. These reports are used by regulators as a basis for supervisory action, a source of statistical information, and other such purposes. In 1997, the banking regulators adopted instructions for these reports that follow GAAP.

5.244 FDI Act Section 37(a)(2) requires that reports and other regulatory filings for banks and savings institutions follow accounting principles that are uniform and consistent with GAAP. Regulatory reporting topics noted herein are consistent with acceptable practices under GAAP. The Call Report instructions explain certain specific reporting guidance in greater detail. Information may often be found in the appropriate entries in the "Glossary" section of the Call Report or, in more detail, in the GAAP standards. Financial institutions are encouraged to discuss specific events and transactions not covered by GAAP or the guidance in the regulatory report instructions with their primary supervisory agency for more technical detail on the application of the GAAP accounting standards.

5.245 Appendix B, "Regulatory Reporting Matters—Interpretation and Reporting Related to U.S. GAAP," of this guide serves as an aid in specific selected areas and is not intended to be a comprehensive discussion of the principles of bank accounting or reporting.

5.246 For financial institutions, the allowance for loan and lease losses (ALLL) is an area that requires judgment and is a focus of auditors and examiners. At the same time, the Interagency Policy Statement on the Allowance for Loan and Lease Losses, dated December 13, 2006, emphasizes that the ALLL should be consistent with GAAP. This policy statement reminds institutions that the ALLL generally should not be based solely on a "standard percentage" of loans. To that end, the policy statement no longer references standardized loss estimates for classified loans. Banks should review the entry “allowance for loan and lease losses” in the “Glossary” section of the FFIEC’s Instructions for Preparation of Consolidated Reports of Condition and Income, and the interagency policy statement on the ALLL.

5.247 Bank examiners will review the reasonableness of the range and management’s best estimate within the range. The agencies find that an ALLL established in accordance with the December 13, 2006, Interagency Policy Statement on the Allowance for Loan and Lease Losses and the Interagency Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions, issued July 2001 (2001 Policy Statement) as applicable, falls within the range of acceptable estimates determined in accordance with GAAP. The guidance in the 2001 Policy Statement was substantially adopted by the NCUA through its Interpretive Ruling and Policy Statement 02-3, Allowance for Loan and Lease Losses Methodologies and Documentation for Federally-Insured Credit Unions, in May 2002.

Auditor and Examiner Relationship

5.248 Banking regulators conduct periodic on-site examinations to address broader regulatory and supervisory issues. There are some objectives shared by examiners and auditors, and coordination in consultation with the institution may be beneficial.

5.249 The primary objective of communicating with examiners is to ensure that auditors consider competent audit evidence produced by examiners before expressing an opinion on audited financial statements. In areas such as the adequacy of credit loss allowances and violations of laws or regulations, for example, information known to or judgments made by examiners generally should be made known to management and the auditor before financial statements are issued or an audit opinion is rendered. Such communication will minimize the possibility that a regulatory agency will subsequently require restatement—based on the examiner's additional knowledge or different judgment—of Call Reports and affect the general purpose financial statements, on which the auditor has already expressed an opinion, dated during or subsequent to the period in which a regulatory examination was being conducted.

5.250 FDI Act Section 36(h) requires that each bank and savings institution provide its auditor with copies of the institution's most recent Call Report and examination report (see 12 CFR 363). According to regulations, the institution must also provide the auditor with any of the following documents related to the period covered by the engagement:

  1. a. Any memorandum of understanding or other written agreement between the institution and any federal or state banking agency
  2. b. The report of any action initiated or taken by any federal or state banking agency, including any assessment of civil money penalties

5.251 The auditor might consider reviewing communications from examiners and, when appropriate, make inquiries of examiners. Specifically, the auditor could

  1. a. request that management provide access to all reports of examination and related correspondence;
  2. b. review the reports of examination and related correspondence between examiners and the institution during the period under audit and through the date of the auditor's opinion;
  3. c. with prior approval of the institution, communicate with the examiners if their examination is still in process, the institution's appeal of an examination finding is outstanding, or their examination report is still pending; and
  4. d. with prior approval of the institution, consider attending, as an observer, the exit conference between the examiner and the institution's board of directors, its executive officers, or both.

5.252 The auditor's attendance at other meetings between examiners and representatives of the institution is based on prior approval by the regulatory agency.

5.253 Auditors may request a meeting with the appropriate regulatory representatives to inquire about supervisory matters relevant to the client institution. The management of the institution would generally be present at such a meeting, and matters discussed would generally be limited to findings already presented to management. Federal regulatory policy also permits meetings between examiners and auditors in the absence of the institution's management.51

5.254 Management refusal to furnish access to reports or correspondence, or to permit the auditor to communicate with the examiner, would ordinarily be a limitation on the scope of a financial statement audit sufficient to preclude an opinion. Refusal by an examiner to communicate with the auditor may create the same scope limitation, depending on the auditor's assessment of the circumstances. AU-C section 705 addresses how the form and content of the auditor’s report are affected when the auditor expresses a modified opinion in the auditor’s report. (For a detailed discussion on reports issued under the guidance of AU-C section 705, along with AU-C sections 700 and 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report [AICPA, Professional Standards], and related PCAOB requirements when performing integrated audits, see chapter 23 of this guide.)

5.255 Examiners might request permission to attend the meeting between the auditor and representatives of the institution (for example, the audit committee of the board of directors) to review the auditor's report on the institution's financial statements. If such a request is made and management concurs, the auditor should be responsive to the request.

5.256 Examiners and others may, from time to time, request auditors of financial statements of banks and savings institutions to provide access to working papers and audit documentation. The FFIEC’s Interagency Policy Statement on External Auditing Programs for Banks and Savings Associations states that the independent public auditor or other auditor of an institution should agree in the engagement letter to grant examiners access to all the auditor’s working papers and other material pertaining to the institution prepared in the course of performing the completed external auditing program. The FDIC issued guidance concerning the review of external auditor’s working papers (Regional Director Memorandum No. 2000-019, Reviews of External Auditors’ Workpapers, dated March 21, 2000). Auditors who have been requested to provide such access should consider Interpretation No. 1, "Providing Access to or Copies of Audit Documentation to a Regulator" (AICPA, Professional Standards, AU-C sec. 9230 par. .01–.15), of AU-C section 230. The interpretation states that when a regulator requests access to audit documentation pursuant to law, regulation, or audit contract, the auditor may take the following steps:

  • Consider advising the client that the regulator has requested access to (and possibly copies of) the audit documentation and that the auditor intends to comply with such request.
  • Make appropriate arrangements with the regulator for the review.
  • Maintain control over the audit documentation.
  • Consider submitting to the regulator a letter clarifying that an audit performed in accordance with GAAS is not intended to, and does not, satisfy a regulator's oversight responsibilities. An example of such a letter is illustrated in paragraph .06 of Interpretation No. 1 of AU-C section 230.

In addition, the interpretation addresses situations in which an auditor has been requested by a regulator to provide access to the audit documentation before the audit has been completed and the report released. Also, the interpretation notes that if a regulator engages an independent party, such as another independent public auditor, to perform the audit documentation review on behalf of the regulatory agency, there are some precautions auditors might consider observing.

5.257 Information in examination reports, inspection reports, and supervisory discussions—including summaries or quotations—is considered confidential. Such information may not be disclosed to any party without the written permission of the appropriate agency, and unauthorized disclosure of such information could subject the auditor to civil and criminal enforcement actions.

Exhibit 5-1
Fraud Risk Factors

Two types of fraud are relevant to the auditor’s consideration, namely, fraudulent financial reporting and the misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur, which are incentives/pressures, opportunities, and attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.

Although fraud is a broad legal concept, for the purposes of GAAS, paragraph .03 of AU-C section 240, Considerations of Fraud in a Financial Statement Audit (AICPA, Professional Standards), states that the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. Some of the following factors and conditions are present in entities in which specific circumstances do not present a risk of material misstatement. Also, specific controls may exist that mitigate the risk of material misstatement due to fraud, even though risk factors or conditions are present. When identifying risk factors and other conditions, the auditors might assess whether those risk factors and conditions, individually and in combination, present a risk of material misstatement of the financial statements.

Fraudulent Financial Reporting

The following are examples of risk factors that might result in misstatements arising from fraudulent financial reporting.

Incentives/Pressures

  1. 1. Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by) the following:
  1. a. High degree of competition or market saturation, accompanied by declining margins shown by the following:

i.  An increase of competitor investment products that are close alternatives for the institution’s deposit products (for example, mutual funds, insurance annuities, and mortgage loans), placing pressure on the institution’s deposit rates

ii.  Competitor product pricing that results in loss of customers or market share for such products as loan, deposit, trust, asset management, and brokerage offerings

  1. b. High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates, exemplified by the following:

i.  A failure or inability to keep pace with or to afford rapid changes in technology, if the financial stability or profitability of the particular institution is placed at risk due to that failure or inability

ii.  Significant unexpected volatility (for example, in interest rates, foreign exchange rates, and commodity prices) in financial markets where the institution has a significant capital market presence and is exposed to loss of revenue or has not appropriately hedged its risk to price changes that affect proprietary positions

iii.  Flattening yield curves or extremely high or low market interest rate environments

  1. c. Significant declines in customer demand and increasing business failures in either the industry or overall economy, such as the following:

i.  Deteriorating economic conditions (for example, declining corporate earnings, adverse exchange movements, and real estate prices) within industries or geographic regions in which the institution has significant credit concentrations

ii.  For credit unions, losing a very substantial portion of the membership base, which places considerable pressure on management insofar as financial projections are often based on gaining new members and offering commercial loans

  1. d. Rapid growth or unusual profitability, especially compared to that of other peer financial institutions; for example, unusually large growth in the loan portfolio without a commensurate increase in the size of the allowance for loan and lease losses (ALLL)
  2. e. New and existing accounting, statutory, or regulatory requirements, such as the following:

i.  Substantially weak CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk) or, for bank-holding companies, BOPEC (bank’s CAMELS rating, operation of significant nonbanking subsidiaries, parent’s strength and operations, earnings of the banking organization, and capital of the banking organization) ratings.

ii.  Regulatory capital requirements

  1. f. Decline in asset quality due to the following:

i.  Borrowers affected by recessionary declines and layoffs

ii.  Issuers affected by recessionary declines and industry factors

  1. 2. Excessive pressure exists for management or operating personnel to meet financial targets established by those charged with governance, including incentive goals:
  1. a. Unrealistically aggressive loan goals and lucrative incentive programs for loan originations, shown by the following, for example:

i.  Relaxation of credit standards

ii.  Excessive extension of credit standards with approved deviation from policy

iii.  Excessive concentration of lending (particularly new lending)

iv.  Excessive lending in new products

v.  Excessive pricing concessions not linked to enhanced collateral positions or other business rationale (for example, sales of other products or services)

vi.  Excessive refinancing at lower rates that may delay the recognition of problem loans

  1. b. Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations (For example, the acquisition of another institution has been announced in the press with the terms dependent on the future financial results of the acquiring institution.)
  2. c. Willingness by management to respond to these pressures by pursuing business opportunities for which the institution does not possess the needed expertise
  3. d. Excessive reliance on wholesale funding (brokered deposits)
  4. e. Speculative use of derivatives
  5. f. Failure to establish economic hedges against key risks (for example, interest rate) through effective asset liability committee processes
  6. g. Changes in a bank’s loan loss accounting methodology that are not accompanied by observed changes in credit administration practices or credit conditions
  7. h. Frequent or unusual exceptions to credit policy
  8. i. Threat of a downgrade in the institution’s overall regulatory rating (for example, CAMEL, MACRO [rating stands for management, asset quality, capital adequacy, risk management and operating results], or BOPEC) that could preclude expansion or growth plans
  9. j. Threat of failing to meet minimum capital adequacy requirements that could cause adverse regulatory actions
  1. 3. Management’s or those charged with governance's personal net worth is threatened by the entity’s financial performance arising from the following:
  1. a. Heavy concentrations of their personal net worth in the entity
  2. b. Bank is privately owned by one person or family whose net worth or income (from dividends) is dependent on the bank

Opportunities

  1. 1. The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:
  1. a. Significant related party transactions not in the ordinary course of business or with related entities not audited or audited by another firm, such as the following:

i.  Loans and other transactions with directors, officers, significant shareholders, affiliates, and other related parties, particularly those involving favorable terms

ii.  Variable interest entities (VIEs)

iii.  Certain types of lending practices, such as subprime and predatory lending by banks in an effort to obtain better yields

iv.  Transfers of impaired assets

  1. b. Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate (Significant estimates generally include the allowance for loan losses, and the valuation of servicing rights, residual interests, and deferred tax assets, fair value determinations, and the recognition of other impairment losses; for example, goodwill and investments)
  2. c. Significant, unusual, or highly complex transactions, especially those close to year end that pose difficult "substance over form" questions, such as the following:

i.  Consolidation questions with VIEs

ii.  Material amounts of complex financial instruments and derivatives held by the institution that are difficult to value, or the institution’s use of complex collateral disposition schemes

  1. d. Frequent or unusual adjustments to the ALLL
  2. e. Loan sales that result in retained beneficial interests (Valuation of retained beneficial interests is based on estimates and assumptions and is susceptible to manipulation if not properly controlled.)
  3. f. Complex transactions that result in income or gains, such as sale and leasebacks, with arbitrarily short leaseback terms
  4. g. Deferred tax assets, arising from net operating loss carryforwards, without valuation allowances
  5. h. Deferral of loan origination costs that exceed the appropriate costs that may be deferred under FASB ASC 310-20
  1. 2. Internal control components are deficient as a result of the following:
  1. a. Inadequate monitoring of controls, including automated controls and controls over financial reporting, such as lack of oversight of critical processes in the following areas:

i.  Cash and correspondent banks—Reconciliation and review

ii.  Intercompany or interbranch cash or suspense accounts and "internal" demand deposit accounts (DDAs)—Monitoring of activity and resolution of aged items

iii.  Lending—Lack of credit committee and lack of stringent underwriting procedures

iv.  Treasury—Securities/derivatives valuation (selection of models, methodologies, and assumptions)

v.  Regulatory compliance—Lack of knowledge of pertinent regulation

vi.  Deposits—Lack of monitoring unusual and significant activity

  1. b. Ineffective internal audit function
  2. c. Lack of board-approved credit (underwriting and administration) or investment policies
  3. d. Vacant staff positions remain unfilled for extended periods, thereby preventing the proper segregation of duties
  4. e. Lack of an appropriate system of authorization and approval of transactions in areas such as lending and investment, in which the policies and procedures for the authorization of transactions are not established at the appropriate level
  5. f. Lack of independent processes for the establishment and review of allowance for loan losses
  6. g. Lack of independent processes for the evaluation of other than temporary impairments
  7. h. Inadequate controls over transaction recording, including the setup of loans on systems
  8. i. Lack of controls over the perfection of interests in lending collateral
  9. j. Inadequate methods of identifying and communicating exceptions and variances from planned performance
  10. k. Inadequate accounting reconciliation policies and practices, including appropriate supervisory review, the monitoring of stale items and out of balance conditions, and the timeliness of write-offs
  11. l. Failure to establish adequate segregation of duties between approval transactions and the disbursement of funds
  12. m. Lack of control over the regulatory reporting process, in which key decision makers also have control over the process
  13. n. Lack of adequate reporting to the board of directors and executive management regarding credit, interest-rate, liquidity, and market risks
  14. o. Change from an internal audit function that has been outsourced to the external auditor or other provider to a new in-house internal audit department or another outsourcing provider

Attitudes and Rationalizations

  1. 1. Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations, such as the following:
  1. a. The existence of a regulatory cease and desist order, memorandum of understanding, or other regulatory agreements (whether formal or informal) that concern management competence or internal control
  2. b. Repeated criticisms or apparent violations cited in regulatory examination reports that management has ignored
  1. 2. Nonfinancial management’s excessive participation in or preoccupation with the selection of accounting principles or the determination of significant estimates, such as the following:
  1. a. Consideration of "business issues" (for example, shareholder expectations) in determining significant estimates
  2. b. Adjustments to the allowance for loan losses by senior management or the board for which there is no written documentation
  3. c. An unusual propensity to enter into complex asset disposition agreements
  1. 3. The disregard of control-related recommendations from internal or external auditors
  2. 4. A high level of customer complaints (especially when management does not fix the cause of them promptly)
  3. 5. Indications that internal audit is not adequately staffed or trained, and does not have appropriate specialized skills given the environment
  4. 6. Indications that internal audit is not independent (authority and reporting relationships) and does not have adequate access to the audit committee (or equivalent)
  5. 7. Inappropriate scope of internal audit’s activities (for example, the balance between financial and operational audits, coverage, and rotation of decentralized operations)
  6. 8. Limited authority of internal audit to examine all aspects of the client’s operations or failure to exercise its authority
  7. 9. Failure by internal audit to adequately plan, perform risk assessments, or document the work performed or conclusions reached
  8. 10. Failure of internal audit to adhere to professional standards
  9. 11. Operating responsibilities assigned to internal audit
  10. 12. Inability to prepare accurate and timely financial reports, including interim reports
  11. 13. Failure of planning and reporting systems (such as business planning; budgeting, forecasting, and profit planning; and responsibility accounting) to adequately set forth management’s plans and the results of actual performance
  12. 14. A low level of user satisfaction with information systems processing, including reliability and timeliness of reports
  13. 15. Understaffed accounting or information technology department, inexperienced or ineffective accounting or information technology personnel, or high turnover
  14. 16. Lack of timely and appropriate documentation for transactions
  15. 17. Dividend requirements by management or ownership frequently at or near the maximum allowable by law (In closely held companies, executive management/ownership combines high dividends with frequently substantial increases in cash salary or bonus compensation. The bank has been cited for dividend violations by regulatory authorities.)

Misappropriation of Assets

Risk factors that relate to misstatements arising from the misappropriation of assets are also classified according to the three conditions generally present when fraud exists, namely, incentives/pressures, opportunity, and attitudes/rationalizations. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and other deficiencies in internal control that are not effective may be present when misstatements due to either fraudulent financial reporting or the misappropriation of assets exist. The following sections show examples of risk factors related to misstatements arising from misappropriation of assets.

Incentives and Pressures

  1. 1. Adverse relationships between the institution and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, the following may create adverse relationships:
  1. a. It is likely that the institution will be merged into or acquired by another institution and there is uncertainty regarding the employees’ future employment opportunities.
  2. b. The institution has recently completed a merger or acquisition, employees are working long hours on integration projects, and morale is low.
  3. c. The institution is under regulatory scrutiny, and there is uncertainty surrounding the future of the institution.
  1. 2. Members of executive management evidence personal financial distress through indications such as frequent informal "loans" or "salary advances" to key executive officers or their family members.

Opportunities

  1. 1. Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when the following exist:
  1. a. Large amounts of cash on hand and wire transfer capabilities
  2. b. Easily convertible assets, such as bearer bonds or diamonds, that may be in safekeeping
  3. c. Inadequate or ineffective physical security controls, for example, over liquid assets or information systems
  4. d. Access to customer accounts
  1. 2. Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because the following exist:
  1. a. Inadequate management oversight of employees responsible for assets, such as the following:

i.  Vacant branch manager positions or managers are away on leave without replacements for an inordinate amount of time, causing a considerable lack of management oversight.

ii.  The independent risk management function does not have the appropriate level of sophistication or the capability to effectively monitor and measure the risks, such as capital markets trading activities.

iii.  Lack of adherence or enforcement of vacation policy.

  1. b. Inadequate job applicant screening and monitoring of employees, such as the following:

i.  Federal Bureau of Investigation background checks, credit reports, and bonding eligibility screening are not incorporated into the hiring process for employees with access to significant assets susceptible to misappropriation.

ii.  A monitoring process does not identify employees who have access to assets susceptible to misappropriation and who are known to have financial difficulties.

  1. c. Inadequate segregation of duties or independent checks, such as the following:

i.  Lack of independent monitoring of activity in internal DDAs and correspondent bank accounts

ii.  No independent monitoring and resolution of customer exceptions/inquiries related to electronic funds transfer (EFT) transactions, loan disbursements/payments, customer deposit accounts, securities and derivatives transactions, and trust/fiduciary accounts

iii.  Lack of key periodic independent reconciliations (in addition to reconciliations of subledgers to the general ledger) for wire transfer, treasury, trust, suspense accounts, automated teller machines, and cash

iv.  Lack of segregation of duties in the following areas:

(1)  EFT—Origination, processing, confirmation, and recordkeeping

(2)  Lending—Relationship management, underwriting (including approval), processing, cash collection/disbursement, and recordkeeping; no periodic confirmation of customer loan information or indebtedness by personnel independent of the relationship officer.

(3)  Treasury—Trading, processing, settlement, and recordkeeping. (The derivatives positions on the Treasury system are not priced by an independent operations area. The capital markets risk management process is not independent from the trading function. There is no independent confirmation of individual trades.)

(4)  Trust—Relationship management, transaction authorization, transaction execution, settlement, custody, and account recordkeeping. (There is no annual review of the activity in trust accounts by an investment committee to ensure compliance with the terms of the trust agreement and bank investment guidelines.)

(5)  Fiduciary—Issuance, registration, transfer, cancellation, and recordkeeping

(6)  Charged-off loan accounts and recoveries

(7)  Dormant and inactive DDAs and the escheatment process.

  1. d. No independent mailing of customer statements or monitoring of "Do not Mail/Hold" statements
  2. e. Lack of control over new accounts
  3. f. Failure to reconcile "due from" bank accounts on a regular basis, and review open items
  4. g. Loans are purchased from loan brokers, but the loans are not re-underwritten before purchase
  5. h. Inadequate segregation of duties because the institution is small and has limited staff
  6. i. Lack of appropriate system of authorization and approval of transactions, such as the following:

i.  No verification of EFT initiation and authorization, including those instances in which bank employees initiate a transaction on a customer’s behalf

ii.  Frequent underwriting exceptions to board-established credit authorization limits

iii.  Frequent instances of cash disbursements on loans that have not yet received all approvals or met all preconditions for funding

iv.  Lack of board approval for significant loans or unusually high loan-officer approval limits (Be alert to the existence of multiple loans being funded just below a loan officer’s limit.)

  1. j. Poor physical safeguards over cash, investments, customer information, or fixed assets, such as the following:

i.  Lack of adequate physical security over the EFT operations area and customer records

ii.  Failure to appropriately limit access to the vault to authorized employees acting within the scope of their job

iii.  Lack of dual control over the vault, negotiable instruments (including travelers’ checks and money orders), and blank-check stock

iv.  Lack of accountability over negotiable instruments

  1. k. Inadequate training of tellers and operations personnel regarding the following:

i.  "Knowing your customer"

ii.  Recognizing check fraud and kiting activities

iii.  Controls over cash, negotiable instruments, and EFT

Attitudes and Rationalizations

  1. 1. Disregard for the need for monitoring or reducing risks related to misappropriations of assets
  2. 2. Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to take appropriate remedial action on known deficiencies in internal control
  3. 3. Behavior indicating displeasure or dissatisfaction with the entity or its treatment of the employee
  4. 4. Changes in behavior or lifestyle that may indicate assets have been misappropriated
  5. 5. The belief by some executives that their level of authority justifies a certain level of compensation and personal privileges
  6. 6. Tolerance of petty theft

Notes

  • A FICU with assets of more than $50 million must adopt a written IRR policy and implement an effective IRR program.
  • A FICU with assets of $10 million or more but not greater than $50 million must adopt a written IRR policy and implement an effective IRR program if the total of first mortgage loans it holds combined with total investments with maturities greater than 5 years, as reported by the FICU on its most recent call report, is equal to or greater than 100 percent of its net worth.
  • A FICU with assets less than $10 million is not required to comply regardless of the amount of first mortgage loans and total investments with maturities greater than 5 years it holds.

The final rule provides discussion on the roles and responsibilities of the FICU’s board of directors and management in establishing and implementing the IRR policy and program; risk management systems, methods, and valuation measures; internal control; decision making informed by IRR measurement systems; and guidelines addressing the adequacy and effectiveness of the policy and program.

  1. a. An accrual is not made for a loss contingency because any of the conditions in FASB ASC 450-20-25-2 are not met.
  2. b. An exposure to loss exists in excess of the amount accrued pursuant to the provisions of FASB ASC 450-20-30-1.

As stated in FASB ASC 450-20-50-4, the disclosure in FASB ASC 450-20-50-3 should include both of the following:

  1. a. The nature of the contingency
  2. b. An estimate of the possible loss or range of loss or a statement that such an estimate cannot be made

__________________________