605.1 The second standard of field work requires an understanding of the “entity and its environment, including its internal control.” Requiring an understanding of the entity and its environment focuses the auditor's attention on the fact that the understanding establishes a frame of reference within which the auditor assesses the risks of material misstatement and plans the audit in response to those risks. The auditor's focus in obtaining the required level of understanding should be on attaining a knowledge level sufficient to identify the risks of material misstatement of the financial statements and to design the nature, timing, and extent of further audit procedures. However, the understanding is a purpose-driven audit focus and not a general knowledge level that might be appropriate for some other purpose such as managing the entity.
605.2 Obtaining a solid in-depth understanding of the client's business and how it operates is fundamental to both audit efficiency and effectiveness. This understanding is the key to knowing what the risks are and where to look to see if the risks have resulted in a material misstatement of the financial statements. It includes not only understanding the risks the client faces in operating, but ideally, understanding what management's response is to those risks, and, consequently, what residual risk of material misstatement of the financial statements remains. The auditor's process in obtaining this understanding should be focused on those matters that could cause material misstatements in the financial statements, including potential fraud risk factors, undisclosed related-party transactions, illegal acts, uncertainties, or going-concern problems.
605.3 The auditor's understanding of the entity also assists in:
• Establishing planning materiality and evaluating whether such judgments remain appropriate throughout the audit.
• Evaluating whether certain observed conditions, such as unusual or unexpected relationships from preliminary analytical procedures, do not make sense and indicate possible risk considerations.
• Considering fraud risk factors, for example, the existence of significant or complex related-party transactions. Knowledge of key personnel might help the auditor identify employees who could provide relevant information in response to fraud risk inquiries.
• Evaluating the appropriateness and sufficiency of audit evidence.
605.4 The audit personnel working on the engagement must sufficiently understand the client's business and industry to effectively analyze the risks and plan and perform an efficient and effective audit in response to those risks. The level of understanding that is attainable by individual members of the audit team will vary with the experience, training, and assigned engagement duties of the personnel, but the partner and manager should spend sufficient time in audit team meetings or on-the-job supervision to convey to the assigned staff the insight needed for effective performance of the audit.
605.5 The process of understanding the client's business and industry is continual. For a new engagement, a basic level of knowledge is needed to begin preliminary planning. However, a significant amount of knowledge is gained during the audit. Also, something changes each year. There are always important new developments with the client and within the industry. For this reason, it is advisable for each member of the audit team to continually try to improve client and industry knowledge by such measures as reading industry publications, taking self-study courses, and above all, talking to CIRA personnel, including personnel outside the accounting department.
605.6 In a continuing engagement, the auditor should update knowledge of the CIRA and its environment focusing on identifying changes from the prior year in internal or external conditions that might be of audit significance and affect the CIRA's business risk or the auditor's assessment of audit risk. (The discussion beginning at paragraph 604.20 addresses the auditor's use of the results of risk assessment procedures performed in prior periods.)
Components of the Understanding
605.7 The auditor's understanding of the entity and its environment consists of an understanding of the following items:
a. Industry, regulatory, and other external factors.
b. Nature of the entity.
c. Objectives, strategies, and related business risks.
d. Measurement and review of the entity's financial performance.
e. Internal control.
605.8 As part of understanding the entity and its environment, the auditor obtains an understanding of the CIRA's selection and application of accounting policies. The selection and application of accounting policies is an integral part of the control environment component of internal control, but merits separate and focused attention because of its significance to the auditor's assessment of the risks of material misstatement. (See the discussion beginning at paragraph 605.41.) Similarly, the consideration of fraud risk factors is an important objective of performing risk assessment procedures. Although considering the presence of fraud risk factors occurs simultaneously with obtaining information about the entity and its environment, it also merits separate and focused attention. (See the discussion beginning at paragraph 605.49.) All components of the understanding, except for internal control, are discussed in this section. Items a. and b. are considered together in the following discussion because of their close interrelationship. Internal control is discussed in section 606.
605.9 Documentation SAS No. 109 (AU 314.122) indicates that auditors should document:
• Key elements of the understanding obtained for each of the aspects of the entity and its environment to assess the risks of material misstatement in the financial statements.
• Sources of the information from which the understanding was obtained.
• Risk assessment procedures that were performed.
SAS No. 99 (AU 316) requires auditors to document their consideration of fraud risk factors.
605.10 The practice aid “Understanding the Entity and Identifying Risks” at HOA-CX-3.1 can be used to document the auditor's understanding of the items in paragraph 605.7, with the exception of internal control. Risks that are identified throughout the process of obtaining the understanding, including the auditor's consideration of fraud risk factors, can be documented on that practice aid or HOA-CX-7.1, “Risk Assessment Summary Form.” (HOA-CX-6.1, “Entity Risk Factors,” and HOA-CX-6.2, “Fraud Risk Factors,” provide lists of risk factors to consider when identifying financial statements risks. However, the risk factors listed are only examples and may serve as memory joggers to spark the auditor's consideration of additional or different risks relevant to the client.) Section 606 discusses the understanding of internal control and the related documentation requirements and practice aids that can be used to meet those requirements.
605.11 Purpose of This Section
The following paragraphs provide a detailed discussion of each of the aspects of the entity and its environment that the auditor is required
procedures the auditor may perform to gain that understanding, and the types of risks the auditor may identify throughout that process.
Industry, Regulatory, and Other External Factors
605.12 The auditor should obtain an understanding of industry, regulatory, and other external factors relevant to the audit. The objective of the auditor's understanding is to evaluate whether the entity is subject to specific risks of material misstatement arising from the nature of the industry, the degree of regulation, or other external forces, such as political, economic, social, technological, or competitive forces.
605.13 Matters the auditor might consider when obtaining an understanding of industry, regulatory, or other external factors include the following:
a. Industry conditions, including market and competition, economic or demographic changes, cyclical or seasonal activity, and availability and cost of materials and supplies.
b. Regulatory environment, including relevant legislation and regulation, specific regulatory requirements, direct supervisory activities, and
c. Government policies, including monetary, fiscal, and financial incentives.
d. Other external factors, including the general level of economic activity, societal attitudes, unemployment, interest rates, availability of credit, energy and insurance risks, and inflation.
605.14 AICPA Audit Risk Alert
The current financial and economic instability may affect the CIRA's operations, risks, and financial reporting. This in turn may affect the auditor's responsibilities in providing auditing services. The AICPA issued an Audit Risk Alert, Current Economic Instability: Accounting and Auditing Considerations—2009, to help identify and respond to accounting and auditing issues related to the current economic environment.
605.15 In general, the current economic instability may create additional audit risks, including risks related to conditions that indicate an entity may not be able to continue as a going concern for a reasonable period of time. In view of the economic recession and the upheaval in financial markets, auditors should carefully consider the implications on their clients and the appropriate audit responses that may be necessary. The AICPA Alert
how important it is for auditors to understand the meaning of audit risk given today's economic conditions. Furthermore, due to the rapidly changing economic and regulatory environment, the Alert underscores the importance of thoroughly understanding the entity and its environment when assessing the risks of material misstatement. Changes in the economy and regulatory environment often complicate the auditors' responsibility related to obtaining that understanding. For example, changed conditions may require auditors to reconsider their understanding about how the economic environment affects the entity, reassess audit risks, and modify planned audit procedures as the audit progresses.
605.16 The AICPA Alert also
addresses the following topics that may assist auditors when addressing
risks and considering the impact of the current economic climate on
their audit clients:
• Economic, legislative, and regulatory developments.
• Accounting, auditing, and attestation issues and developments.
• Recent accounting, audit and attest, independence, and ethics pronouncements.
• The status of outstanding accounting, auditing, and attest projects.
605.17 Possible Risk Assessment Procedures and Factors to Consider
The authors believe, in most situations, auditors will initially gather information and identify risks related to the entity and its environment through inquiry procedures. Many of the matters to be addressed are best approached through inquiry of appropriate client management and other employees. The auditor may need to expand his or her inquiries based on the client's responses to more fully understand the area and follow up on information that may be indicative of a potential risk. Factors to consider to develop inquiries and identify risks related to industry, regulatory, and other external factors are presented in HOA-CX-6.1, “Entity Risk Factors.”
605.18 As discussed in section 604, the auditor might supplement inquiry procedures with inspection or other risk assessment procedures. For example, when obtaining an understanding of the industry and environment, the auditor might read this Guide, which is updated annually, the AICPA Audit and Accounting Guide, Common Interest Realty Associations, industry publications of CIRA membership organizations, financial statements of other CIRAs, textbooks, or trade journals, or might subscribe to services that provide an in-depth analysis of the CIRA's industry. The auditor might also read articles of incorporation, minutes of meetings of directors, and important contract agreements; review several prior years' financial statements, income tax returns, and revenue agent's reports; have discussions with individuals knowledgeable about the CIRA industry; participate in relevant internet discussions; or tour the CIRA's facilities. Regarding the regulatory environment, the auditor might read correspondence from taxing or other regulatory authorities, applicable regulations that were recently enacted, or proposed legislation that may affect the industry. The use of other risk assessment procedures, in addition to inquiry, may be influenced by the matters discussed in paragraph 604.40.
Nature of the Entity
The auditor should obtain an understanding of the nature of the entity relevant to the audit. The nature of the entity includes its operations; its organizational structure, ownership, personnel and governance; the types of its investments; and its financing. Among other things, the understanding of the nature of the entity helps the auditor to understand the classes of transactions, account balances, and disclosures that would be expected in the financial statements.
605.20 Matters that the auditor
might consider about the entity's operations and its structure,
ownership, and governance include the following:
a. Revenue sources.
b. Number of residential and commercial units in the CIRA development.
c. Involvement in e-commerce.
d. Conduct of operations.
e. Important suppliers.
f. Major assets, including types of common property, and liabilities.
g. Major operating expenses and expenditures from replacement and capital improvement funds.
h. Policy, statutory requirements, and methods for funding major repairs and replacements.
i. Policy and methods for funding capital improvements.
j. Employment and human resource matters, including compensation methods and employee benefits.
k. Tax status.
l. Related parties and transactions with them.
m. Location of facilities.
n. Types of investments.
o. Financing activities.
605.21 Organizational Structure and Personnel
Auditors should obtain an understanding of the CIRA's legal structure, including the CIRA's legal form (corporation or unincorporated association) and the legal form of the entity for which it provides services (condominium, HOA, or cooperative housing corporation). Copies of the declaration (for a condominium or homeowners' association), the corporate charter (for a cooperative housing corporation), articles of incorporation, and bylaws should be retained in the permanent file. Auditors should identify the key management members and whether there is an audit committee or an equivalent group. A CIRA normally has a volunteer governing board with board members simultaneously serving as officers. For example, the president is usually the chairman of the board, another board member serves as treasurer, and other board members have designated duties for the CIRA's operations. It is unusual for a CIRA to have an audit committee or other individual or group formally designated with responsibility for oversight of the financial reporting process.
605.22 A CIRA may be internally managed, but it is relatively common for a CIRA to use a managing agent or property management company for various operational and financial functions. Auditors should obtain an understanding of the extent of the managing agent's responsibilities and the degree of control that the CIRA's board of directors exercises over the managing agent's activities. Some CIRAs may have employees, and the auditors should obtain an understanding of the nature and size of the work force and the compensation methods.
605.23 Operating Characteristics
Auditors should obtain an understanding of the areas the CIRA controls and the size of the CIRA (number of units, shares, or weeks), location and types of common properties, and funding policies and methods (for example, policy and methods for funding current operations and for funding future major repairs and replacements). Auditors should also consider the importance of budgets in the CIRA's operations. Some of the CIRA's operating characteristics can impact its ability to obtain financing and may even impact the ability of unit owners to obtain financing.
605.24 Most CIRAs have common operating characteristics, as discussed in Chapter 1. Documenting those characteristics in a permanent file has the practical advantage of giving new staff a convenient means of obtaining knowledge without having client personnel answer questions already asked in prior years.
605.25 Governing Documents and Similar Documents
The governing documents are the legal documents that created the CIRA. (See Chapter 2 for a discussion of legal documents.) Normally, those documents will describe the board of directors' responsibility to unit owners, including responsibilities for maintaining common property and funding future major repairs and replacements. Auditors should review the governing documents as well as relevant state statutes or local ordinances. They should have an understanding of the effects of noncompliance on the financial statements. Auditors should also review the governing documents for items such as the CIRA being set up with a limited life rather than a perpetual life or accounting or financial reporting matters that are contrary to current practices or regulations. Any such defects in the governing documents should be discussed with management of the CIRA.
605.26 Either obtaining copies of
key agreements or preparing memoranda summarizing their key provisions
provides helpful information.
Chapter 2 discusses governing documents for various types of CIRAs.
605.27 Additionally, auditors should review the minutes of meetings of the board of directors and appropriate committees and consider matters that may affect the CIRA's operations. Reviewing the minutes of the association can reveal to the auditor how involved the board of directors is in the association's financial decisions. The minutes normally include matters such as the status of conversions from developer/sponsor control to owner control, approvals of budgets and assessments, authorizations for capital expenditures, bank and investment accounts, approvals of contracts for services to be performed, changes in board members, related party transactions, and authorization for engaging a managing agent and paying the agent's fees.
605.28 Related-party Transactions
In a CIRA, related parties may include members of the CIRA's
governing board, management, and their immediate families and the
developer/sponsor. It is not uncommon for CIRAs to deal with related
parties. (As discussed in paragraph 605.21,
a CIRA's board members typically serve simultaneously as officers of
the CIRA.) Examples of related-party transactions with board members are:
• Directors' fees.
• Board member is an insurance agent, CIRA broker, or on the board of a bank or other company that services the association.
• A member, or his or her relative, provides maintenance, professional, or other services to the CIRA on a nonemployee basis.
• Board member loans money to the CIRA.
• Member is materially delinquent in paying CIRA assessments.
It is not uncommon for a developer or sponsor, or entities controlled by them, to provide services to CIRAs, such as insurance, equipment leasing, or managerial or maintenance services. Also, a developer/sponsor may be paying assessments on unsold units or may have guaranteed interest rates or total maintenance expenses resulting in related party receivables and revenue. [If 10% or more of a CIRA's revenues are derived from any one source, FASB 972-605-50-2 (formerly Paragraph 4.25 of the AICPA guide) requires that fact and the amounts of revenue from each source to be disclosed.] In addition, the auditors should consider whether the managing agent or one of its affiliates provides additional services (especially without going through the bid or approval process), such as maintenance or landscaping, engineering, special project administration, etc., to the CIRA. Such transactions could represent related party transactions and should be disclosed in the financial statements.
605.29 Auditors should review documents in the permanent file, inquire of management, and review board minutes to identify transactions with related parties. Also, auditors should consider whether such transactions are occurring but not being recognized in the accounting records. The names of known related parties should be communicated to the audit staff at the start of the audit so they can identify and examine related-party transactions in applicable audit areas, such as receivables and payables.
605.30 Often the best way to
become aware of related party transactions is through inquiry of
management or review of board minutes.
The authors have designed a practice aid—“Related Party Confirmation” at HOA-CL-12.4—to help obtain information about transactions between the CIRA and related parties. HOA-CX-6.2, “Fraud Risk Factors,” includes fraud risk factors that may involve transactions with related parties.
605.31 Risk Assessment Procedures and Factors to Consider
Similar to the understanding of industry, regulatory and other external factors, the auditor often initially makes inquiries of appropriate client personnel about matters pertaining to the nature of
To make effective risk-based inquiries, it is critical that the auditor identify the right person within the CIRA who possesses not only the requisite knowledge about the matter queried, but also about the nature of risks, how the CIRA has addressed them, and what the remaining risk is to the CIRA. For example, in many CIRAs, the auditor may be able to confine all inquiries about the nature of the business to the CIRA's president. As the size, complexity, and management structure expands within a CIRA, the auditor might need to direct questions, for example, about operational matters for investments and financing, to the treasurer or managing agent.
605.32 The auditor's inquiries may be supplemented by additional inquiries as deemed necessary to fully understand the entity, its operations, structure, ownership, governance, investments, and financing so that related risks can be identified. The understanding also provides the auditor with an expectation of what classes of transactions, account balances, and disclosures will be present in the financial statements. The auditor may need to expand inquiries based on the client's responses to more fully understand the area and follow up on information that may be indicative of a potential risk. Factors to consider to develop inquiries and identify risks related to the nature of the entity are presented in HOA-CX-6.1, “Entity Risk Factors.”
Objectives, Strategies, and Related Business Risks
605.33 The auditor should obtain an understanding of the CIRA's objectives, strategies, and related business risks. The basic concept here is that most business risks eventually have financial consequences and, thus, an effect on the financial statements. Not all business risks create risks of material misstatement, so the auditor needs to focus on those risks that have financial reporting implications in the CIRA's particular
605.34 The auditor obtains an understanding of management's objectives and strategies to identify the related business risks. Management determines the CIRA's objectives. Management's strategies are the operational approaches adopted to achieve the objectives. The related business risks are the significant conditions, events, circumstances, actions, or inactions that could adversely affect the CIRA's ability to achieve its objectives or implement its strategies. When obtaining an understanding of the CIRA's objectives and strategies, it is often helpful to consider whether strategies align with objectives and whether the strategies have been implemented. By doing so, the auditor may become aware of heightened or additional business risks and potential risks of material misstatement.
605.35 When obtaining an understanding of management's objectives and strategies to identify the related business risks, the risk assessment procedures employed by the auditor may be influenced by the size and sophistication of the CIRA. Smaller CIRAs generally do not have formal plans or processes that are documented, which forces the auditor to rely primarily on inquiries. In contrast, some larger or more sophisticated CIRAs may have written strategic plans that provide a road map for the objectives, strategies, and associated business risks that have been selected and identified by the management team.
When making inquiries, the auditor
will generally restrict questioning to the CIRA's board of directors and
officers given the subject matter and the level of knowledge that is
needed to sufficiently address it. These inquiries would prompt
management to describe the CIRA's future trends, expectations,
objectives, and strategies in areas such as the following:
• Products and services for members.
• Regular and special assessments.
• Business expansion or restructuring.
• Major repairs and replacements and capital improvements.
• Employment or compensation.
Factors to consider to develop inquiries and identify risks related to the CIRA's objectives and strategies are presented in HOA-CX-6.1, “Entity Risk Factors.”
Measurement and Review of the Entity's Financial Performance
605.36 The auditor should obtain an understanding of the measurement and review of the entity's financial performance made by
management and external parties.
Information used for measurement and review might include the following:
a. Key performance indicators (KPI), both financial and nonfinancial.
c. Key ratios and other operating and financial statistics.
d. Forecasts, budgets, and variance analyses.
e. Period-on-period financial performance.
f. Employee performance measures.
g. Performance reports for affiliated locations.
h. Comparisons to performance of comparable CIRAs (i.e., benchmarking).
605.37 Performance measures can affect the audit and the auditor's assessment of the risks of material misstatement in several ways, including the following:
a. The pressure to meet performance targets could motivate management actions, including intentional misstatements, and, thus, affect the auditor's risk
b. Use of performance measures might highlight unexpected results or trends such as an unusually rapid growth in service or parts sales, which upon investigation result in detection of misstatements.
c. The auditor might be able to use key performance indicators or other measures used by management when performing analytical procedures. However, the auditor should consider whether the information used by management is reliable and provides the degree of precision that is needed for the analytical procedures.
605.38 Risk Assessment Procedures and Factors to Consider
The procedures used by the auditor for understanding the measurement and review of the CIRA's financial performance will often be driven by the size and sophistication of the CIRA. For example, a sophisticated CIRA may have developed a “dashboard” reporting system that incorporates carefully selected key performance indicators that management has deemed to be the primary metrics in achieving its goals and objectives. In that case, the auditor could inspect and review these measures along with any accompanying analyses in order to identify risks that may be indicative of material misstatement.
605.39 In a smaller CIRA, management may have identified key financial performance indicators that it uses when managing the business, but it prepares no formal reporting or analyses. Instead, as management reviews financial or other operating reports, a determination is made whether the business has achieved the targets that management has established for these indicators. For these situations, the auditor would likely use inquiry to determine what indicators management believes are important in managing and measuring the CIRA's results and inspect the reports that are used to monitor performance.
605.40 For all situations, the auditor should consider inquiring whether there is any external measurement of the CIRA's financial performance such as by credit agencies, analysts, or the CIRA's creditors. If so, the auditor may review available reports to identify potential risks. Factors to consider to develop inquiries and identify risks related to measurement and review of the CIRA's financial performance are presented in HOA-CX-6.1, “Entity Risk Factors.”
Selection and Application of Accounting Policies
605.41 The auditor should obtain an understanding of management's selection and application of accounting policies and evaluate whether the policies are appropriate for the CIRA and consistent with policies used in the CIRA
This understanding is important for considering the risks of material misstatement at both the financial statement and relevant assertion levels, including both misstatements due to fraud and those due to error. The auditor's assessment of the appropriateness of the accounting policies that management has selected and applied is an important element in determining what can go wrong in the preparation of financial statements and, hence, in assessing risks of material misstatement. For CIRAs, significant accounting policies include those for allocating assessments to replacement funds; accounting for common property, including capitalization policies; funding for future major repairs and replacements; and revenue recognition for special assessments.
605.42 The auditor's understanding of management's selection and application of accounting policies includes the following:
a. Relevant accounting standards and industry specific practices.
b. The methods the CIRA uses to account for significant and unusual transactions.
c. The effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or
d. Changes in the CIRA's policies, including the reasons for the change and whether the change is appropriate and consistent with GAAP (or an
e. Financial reporting standards and regulations that are new to the CIRA and management's plans to adopt such requirements, including new accounting standards.
f. The process used by management in formulating particularly sensitive accounting estimates.
g. The methods used to identify matters for disclosure and how the CIRA achieves clarity in disclosure.
605.43 The auditor uses the understanding of these aspects of management's selection and application of accounting policies to identify audit areas of higher risk and to identify what could go wrong at the relevant assertion level. For example, because accounting for special assessments revenue or deferred revenue involves judgment, there ordinarily is a higher risk of material misstatement for the valuation of those assets. For items of disclosure, many auditors of smaller CIRAs assist management in preparing the financial statements. In those cases, identification and clarity of required disclosures are often heavily influenced by the auditor. Therefore, the potential for risk may be mitigated with respect to disclosure.
605.44 The auditor should use the understanding of management's selection and application of accounting policies along with the identification of fraud risk factors (paragraph 605.48) to evaluate whether an overall response is necessary. In establishing the overall audit strategy, the auditor focuses on whether the accounting principles selected and policies adopted are being applied in an inappropriate manner. If the auditor identifies a risk in this area, it is often addressed by an overall response, such as the assignment of more experienced personnel and a higher level of supervision, as well as by the selection of specific further audit
605.45 Risk Assessment Procedures
The nature and extent of the risk assessment procedures to obtain an understanding of the selection and application of accounting policies normally depend on factors such as:
• The auditor's knowledge and experience with the CIRA industry.
• The auditor's past experience with the client.
• The degree of financial reporting sophistication of the client.
• The extent of new accounting standards that are recently effective for the client.
• The auditor's participation in assisting the client with the selection of accounting policies and the preparation of the financial statements.
605.46 For many small CIRA clients, the auditor is instrumental in both selecting accounting principles and choosing the methods by which they are applied. Consideration of accounting policies for those clients ordinarily will not be a time-consuming process since the auditor already possesses much of the requisite knowledge. The auditor in those cases can generally confine inquiries of the client to matters such as the manner and consistency of application. For other situations where the auditor is not involved in the selection of accounting policies or has limited experience with the client, the auditor may inquire about the matters discussed in paragraph
Also, the auditor may supplement inquiries with a review of prior year financial statements and supporting disclosures (for initial audits) coupled with a thorough review and understanding of relevant accounting standards that are either new or specifically applicable to CIRAs or the client's transactions.
Fraud Risk Factors
When obtaining information about the entity and its environment, the auditor should consider whether the information indicates that fraud risk factors are present. That is, the auditor considers the existence of fraud risk factors while performing other audit planning procedures. Auditors are not specifically required to look for fraud risk factors during planning, but are required to consider, based on their knowledge of the entity and its environment, whether fraud risk factors exist. Fraud risk factors are conditions or events that indicate incentives/pressure to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action.
605.48 The identification of fraud risk factors is a natural by-product of performing risk assessment procedures. Along with the other information obtained about the entity and its environment, the fraud risk factors are an important component in identifying the risks of material misstatement at the financial statement and relevant assertion levels. The auditor's primary concern in considering fraud risk factors is to identify whether a risk factor is present and should be considered in identifying and assessing risks of material misstatement due to fraud. The presence of a particular fraud risk factor does not necessarily indicate the existence of fraud. Whether a risk factor is present and should be considered in identifying and assessing the risks of material misstatement due to fraud is a matter of professional judgment.
605.49 Examples of Fraud Risk Factors
SAS No. 99 (AU 316) provides examples of fraud risk factors that may be considered when identifying and assessing the risks of material misstatement due to
The risk factors presented in SAS No. 99 are classified into factors related to fraudulent financial reporting and factors related to misappropriation of assets. Because it may be helpful to consider fraud risk factors in the context of the conditions generally present when fraud occurs, the standard further classifies the illustrative risk factors into conditions relating to incentives/pressures, opportunities, and attitudes/rationalizations.
It is important to note that these are only examples and the auditor also may consider other risk factors not specifically listed. In fact, SAS No. 99 (AU 316.33) states:
Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may wish to consider additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances.
605.50 HOA-CX-6.2, “Fraud Risk Factors,” includes risk factors tailored for CIRAs, and it can be used as a memory jogger for the auditor's consideration of fraud risk factors.
605.51 One of the risk factors related to fraudulent financial reporting in HOA-CX-6.2, “Fraud Risk Factors,” states, “CIRA management is dominated by a single individual or a small group without compensating controls.” Is that circumstance always a fraud risk factor? The authors believe that domination of management by a single individual or a small group does not, in and of itself, indicate a failure by management to display and communicate an appropriate attitude regarding internal control and the financial reporting process. In fact, in many small CIRAs, strong management involvement actually can be a control strength in that there is a great deal of oversight of employees throughout the process. The effect of management dominance is discussed further beginning in paragraph 606.28.
605.52 If the CIRA has a managing agent, fraud risk factors related to a CIRA's management should also be considered from the perspective of the CIRA's managing agent. For example, one of the fraud risk factors related to fraudulent financial reporting in HOA-CX-6.2, “Fraud Risk Factors,” states, “The CIRA has ineffective oversight over financial reporting and internal control by the board of directors or audit committee.” If the CIRA engages the service of a managing agent, auditors should consider whether the CIRA's board of directors understands the extent of managing agent responsibilities and if it exercises sufficient control over the managing agent's activities. Without effective oversight, a managing agent may have the ability to dominate activities or override controls.
605.53 Auditors should consider the importance of the modifying language in the risk factors (such as inappropriate means, unduly aggressive, etc.). For example, a fraud risk factor might be, “Management feels significant pressure to avoid budget overruns.” Many CIRAs have an interest in avoiding budget overruns. The primary consideration, however, is whether management has shown an interest in avoiding budget overruns through inappropriate means. If so, the situation would likely be considered a fraud risk factor. However, if management indicates interest in avoiding budget overruns through legitimate means, then the auditor would not consider the situation to be a fraud risk factor.
605.54 For misappropriation of assets, the consideration of fraud risk factors is influenced by the degree to which assets susceptible to misappropriation are present.
some consideration should be given to risk factors related to incentives/pressures, opportunities arising from control deficiencies, and attitudes/rationalizations for misappropriation, even if assets susceptible to misappropriation are not material. In small to mid-sized CIRAs, there is always an asset subject to misappropriation. Similarly, securities in the custody of a broker may be susceptible to misappropriation through unauthorized trading. Therefore, there should always be some consideration of fraud risk factors related to misappropriation. In addition, when considering risk factors for misappropriation, the auditor may identify risk factors related to inadequate monitoring and weaknesses in internal control that could also be present when fraudulent financial reporting occurs.
605.55 The presence of risk factors related to financial stress or dissatisfaction among employees is particularly important when considering the risk of misappropriation of assets because those conditions often provide both incentive and rationalization for theft. The auditor, during the course of the audit, may become aware of information that indicates potential financial stress or dissatisfaction of employees with access to assets susceptible to misappropriation. Examples include:
• Anticipated layoffs that are known to employees.
• Unfavorable changes in employee compensation or benefit plans.
• Failure to receive promotions or other expected rewards.
• Known unusual changes in behavior or lifestyle.
• Employees who are known to be experiencing significant personal financial obligations.
• Behavior indicating dissatisfaction with the entity, including disregard for the entity's policies and procedures.
If the auditor becomes aware of the presence of these or similar risk factors, he or she should consider them when identifying the risks of material misstatement due to fraud.
605.56 If fraud risk factors are present, SAS No. 109 (AU 314.12) requires that “the auditor should consider whether the assessment of the risk of material misstatement due to fraud calls for an overall response, one that is specific to a particular account balance, class of transaction, or disclosure at the relevant assertion level, or both.” An overall response is considered in establishing the overall audit strategy (see section 607) and a specific response is considered in developing the detailed audit plan. (See section 610.)