605

understanding of the “entity and its environment, including its internal control”

• The auditor's focus in obtaining the required level of understanding
• should be on attaining a knowledge level sufficient to identify the
• risks of material misstatement of the financial statements and to design
• the nature, timing, and extent of further audit procedures. However,
• the understanding is a purpose-driven audit focus and not a general
• knowledge level that might be appropriate for some other purpose such as
• managing the entity.

• This understanding is the key to
• knowing what the risks are and where to look to see if the risks have
• resulted in a material misstatement of the financial statements. It
• includes not only understanding the risks the client faces in operating,
• but ideally, understanding what management's response is to those
• risks, and, consequently, what residual risk of material misstatement of
• the financial statements remains. The auditor's process in obtaining
• this understanding should be focused on those matters that could cause
• material misstatements in the financial statements, including potential
• fraud risk factors, undisclosed related-party transactions, illegal
• acts, uncertainties, or going-concern problems.

• • Establishing planning materiality and evaluating whether such judgments remain appropriate throughout the audit.
• •
• Evaluating whether certain observed conditions, such as unusual or
• unexpected relationships from preliminary analytical procedures, do not
• make sense and indicate possible risk considerations. •
• Considering fraud risk factors, for example, the existence of
• significant or complex related-party transactions. Knowledge of key
• personnel might help the auditor identify employees who could provide
• relevant information in response to fraud risk inquiries

.• Evaluating the appropriateness and sufficiency of audit evidence.

• The level of understanding that is
• attainable by individual members of the audit team will vary with the
• experience, training, and assigned engagement duties of the personnel,
• but the partner and manager should spend sufficient time in audit team
• meetings or on-the-job supervision to convey to the assigned staff the
• insight needed for effective performance of the audit.

• However, a significant amount of
• knowledge is gained during the audit. Also, something changes each year.
• There are always important new developments with the client and within
• the industry. For this reason, it is advisable for each member of the
• audit team to continually try to improve client and industry knowledge
• by such measures as reading industry publications, taking self-study
• courses, and above all, talking to CIRA personnel, including personnel
• outside the accounting department.

• internal or external conditions
• that might be of audit significance and affect the CIRA's business risk
• or the auditor's assessment of audit risk. (The discussion beginning at
• paragraph 604.20 addresses the auditor's use of the results of risk assessment procedures performed in prior periods.)

a. Industry, regulatory, and other external factors.

b. Nature of the entity.

c. Objectives, strategies, and related business risks.

d. Measurement and review of the entity's financial performance.e. Internal control.

• The selection and application of
• accounting policies is an integral part of the control environment
• component of internal control, but merits separate and focused attention
• because of its significance to the auditor's assessment of the risks of
• material misstatement. (See the discussion beginning at paragraph 605.41.)
• Similarly, the consideration of fraud risk factors is an important
• objective of performing risk assessment procedures. Although considering
• the presence of fraud risk factors occurs simultaneously with obtaining
• information about the entity and its environment, it also merits
• separate and focused attention. (See the discussion beginning at
• paragraph 605.49.)
• All components of the understanding, except for internal control, are
• discussed in this section. Items a. and b. are considered together in
• the following discussion because of their close interrelationship.
• Internal control is discussed in section 606.

• • Key elements of the understanding obtained for each of the
• aspects of the entity and its environment to assess the risks of
• material misstatement in the financial statements.

• Sources of the information from which the understanding was obtained.

• Risk assessment procedures that were performed.

SAS No. 99 (AU 316) requires auditors to document their consideration of fraud risk factors.

• “Risk Assessment Summary Form.” (HOA-CX-6.1, “Entity Risk Factors,” and HOA-CX-6.2,
• “Fraud Risk Factors,” provide lists of risk factors to consider when
• identifying financial statements risks. However, the risk factors listed
• are only examples and may serve as memory joggers to spark the
• auditor's consideration of additional or different risks relevant to the
• client.) Section 606
• discusses the understanding of internal control and the related
• documentation requirements and practice aids that can be used to meet
• those requirements.

• procedures the auditor may perform
• to gain that understanding, and the types of risks the auditor may
• identify throughout that process.

• The objective of the auditor's
• understanding is to evaluate whether the entity is subject to specific
• risks of material misstatement arising from the nature of the industry,
• the degree of regulation, or other external forces, such as political,
• economic, social, technological, or competitive forces.

• a. Industry conditions,
• including market and competition, economic or demographic changes,
• cyclical or seasonal activity, and availability and cost of materials
• and supplies.

• b.
• Regulatory environment, including relevant legislation and regulation,
• specific regulatory requirements, direct supervisory activities, and
• taxation.

c. Government policies, including monetary, fiscal, and financial incentives.

• d.
• Other external factors, including the general level of economic
• activity, societal attitudes, unemployment, interest rates, availability
• of credit, energy and insurance risks, and inflation.

issued an Audit Risk Alert, Current Economic Instability: Accounting and Auditing Considerations—2009, to help identify and respond to accounting and auditing issues related to the current economic environment.

• how important it is for auditors to
• understand the meaning of audit risk given today's economic conditions.
• Furthermore, due to the rapidly changing economic and regulatory
• environment, the Alert underscores the importance of thoroughly
• understanding the entity and its environment when assessing the risks of
• material misstatement. Changes in the economy and regulatory
• environment often complicate the auditors' responsibility related to
• obtaining that understanding. For example, changed conditions may
• require auditors to reconsider their understanding about how the
• economic environment affects the entity, reassess audit risks, and
• modify planned audit procedures as the audit progresses.

• Economic, legislative, and regulatory developments.

• Accounting, auditing, and attestation issues and developments.

• Recent accounting, audit and attest, independence, and ethics pronouncements.

• The status of outstanding accounting, auditing, and attest projects.

• Many of the matters to be addressed
• are best approached through inquiry of appropriate client management
• and other employees. The auditor may need to expand his or her inquiries
• based on the client's responses to more fully understand the area and
• follow up on information that may be indicative of a potential risk.
• Factors to consider to develop inquiries and identify risks related to
• industry, regulatory, and other external factors are presented in HOA-CX-6.1, “Entity Risk Factors.”

• For example, when obtaining an understanding of the industry and environment, the auditor might read this Guide, which is updated annually, the AICPA Audit and Accounting Guide, Common Interest Realty Associations,
• industry publications of CIRA membership organizations, financial
• statements of other CIRAs, textbooks, or trade journals, or might
• subscribe to services that provide an in-depth analysis of the CIRA's
• industry. The auditor might also read articles of incorporation, minutes
• of meetings of directors, and important contract agreements; review
• several prior years' financial statements, income tax returns, and
• revenue agent's reports; have discussions with individuals knowledgeable
• about the CIRA industry; participate in relevant internet discussions;
• or tour the CIRA's facilities. Regarding the regulatory environment, the
• auditor might read correspondence from taxing or other regulatory
• authorities, applicable regulations that were recently enacted, or
• proposed legislation that may affect the industry. The use of other risk
• assessment procedures, in addition to inquiry, may be influenced by the
• matters discussed in paragraph 604.40.

• operations; its organizational
• structure, ownership, personnel and governance; the types of its
• investments; and its financing. Among other things, the understanding of
• the nature of the entity helps the auditor to understand the classes of
• transactions, account balances, and disclosures that would be expected
• in the financial statements.

a. Revenue sources.

b. Number of residential and commercial units in the CIRA development.

c. Involvement in e-commerce.

d. Conduct of operations.

e. Important suppliers.

f. Major assets, including types of common property, and liabilities.

g. Major operating expenses and expenditures from replacement and capital improvement funds.

h. Policy, statutory requirements, and methods for funding major repairs and replacements.

i. Policy and methods for funding capital improvements.

j. Employment and human resource matters, including compensation methods and employee benefits.

k. Tax status.

l. Related parties and transactions with them.m. Location of facilities.

n. Types of investments.o. Financing activities

• declaration (for a condominium or
• homeowners' association), the corporate charter (for a cooperative
• housing corporation), articles of incorporation, and bylaws should be
• retained in the permanent file. Auditors should identify the key
• management members and whether there is an audit committee or an
• equivalent group. A CIRA normally has a volunteer governing board with
• board members simultaneously serving as officers. For example, the
• president is usually the chairman of the board, another board member
• serves as treasurer, and other board members have designated duties for
• the CIRA's operations. It is unusual for a CIRA to have an audit
• committee or other individual or group formally designated with
• responsibility for oversight of the financial reporting process.

• may have employees, and the
• auditors should obtain an understanding of the nature and size of the
• work force and the compensation methods.

• Auditors should also consider the
• importance of budgets in the CIRA's operations. Some of the CIRA's
• operating characteristics can impact its ability to obtain financing and
• may even impact the ability of unit owners to obtain financing.

• giving new staff a convenient means of obtaining knowledge without
• having client personnel answer questions already asked in prior years.

• legal documents that created the CIRA. (See Chapter 2
• for a discussion of legal documents.) Normally, those documents will
• describe the board of directors' responsibility to unit owners,
• including responsibilities for maintaining common property and funding
• future major repairs and replacements. Auditors should review the
• governing documents as well as relevant state statutes or local
• ordinances. They should have an understanding of the effects of
• noncompliance on the financial statements. Auditors should also review
• the governing documents for items such as the CIRA being set up with a
• limited life rather than a perpetual life or accounting or financial
• reporting matters that are contrary to current practices or regulations.
• Any such defects in the governing documents should be discussed with
• management of the CIRA.

Chapter 2 discusses governing documents for various types of CIRAs.

• of the association can reveal to
• the auditor how involved the board of directors is in the association's
• financial decisions. The minutes normally include matters such as the
• status of conversions from developer/sponsor control to owner control,
• approvals of budgets and assessments, authorizations for capital
• expenditures, bank and investment accounts, approvals of contracts for
• services to be performed, changes in board members, related party
• transactions, and authorization for engaging a managing agent and paying
• the agent's fees.

• Directors' fees.

• Board member is an insurance agent, CIRA broker, or on the board of a bank or other company that services the association.

• A member, or his or her relative, provides maintenance, professional, or other services to the CIRA on a nonemployee basis.

• Board member loans money to the CIRA.

• Member is materially delinquent in paying CIRA assessments.

• [If 10% or more of a CIRA's revenues are derived from any one source, FASB 972-605-50-2 (formerly Paragraph 4.25 of the AICPA guide)
• requires that fact and the amounts of revenue from each source to be
• disclosed.] In addition, the auditors should consider whether the
• managing agent or one of its affiliates provides additional services
• (especially without going through the bid or approval process), such as
• maintenance or landscaping, engineering, special project administration,
• etc., to the CIRA. Such transactions could represent related party
• transactions and should be disclosed in the financial statements.

• auditors should consider whether
• such transactions are occurring but not being recognized in the
• accounting records. The names of known related parties should be
• communicated to the audit staff at the start of the audit so they can
• identify and examine related-party transactions in applicable audit
• areas, such as receivables and payables.

The authors have designed a practice aid—“Related Party Confirmation” at HOA-CL-12.4—to help obtain information about transactions between the CIRA and related parties. HOA-CX-6.2, “Fraud Risk Factors,” includes fraud risk factors that may involve transactions with related parties.

• To make effective risk-based
• inquiries, it is critical that the auditor identify the right person
• within the CIRA who possesses not only the requisite knowledge about the
• matter queried, but also about the nature of risks, how the CIRA has
• addressed them, and what the remaining risk is to the CIRA. For example,
• in many CIRAs, the auditor may be able to confine all inquiries about
• the nature of the business to the CIRA's president. As the size,
• complexity, and management structure expands within a CIRA, the auditor
• might need to direct questions, for example, about operational matters
• for investments and financing, to the treasurer or managing agent.

• The understanding also provides the
• auditor with an expectation of what classes of transactions, account
• balances, and disclosures will be present in the financial statements.
• The auditor may need to expand inquiries based on the client's responses
• to more fully understand the area and follow up on information that may
• be indicative of a potential risk. Factors to consider to develop
• inquiries and identify risks related to the nature of the entity are
• presented in HOA-CX-6.1, “Entity Risk Factors.”

• The basic concept here is that most
• business risks eventually have financial consequences and, thus, an
• effect on the financial statements. Not all business risks create risks
• of material misstatement, so the auditor needs to focus on those risks
• that have financial reporting implications in the CIRA's particular
• circumstances.

• Management's strategies are the
• operational approaches adopted to achieve the objectives. The related
• business risks are the significant conditions, events, circumstances,
• actions, or inactions that could adversely affect the CIRA's ability to
• achieve its objectives or implement its strategies. When obtaining an
• understanding of the CIRA's objectives and strategies, it is often
• helpful to consider whether strategies align with objectives and whether
• the strategies have been implemented. By doing so, the auditor may
• become aware of heightened or additional business risks and potential
• risks of material misstatement.

• Smaller CIRAs generally do not have
• formal plans or processes that are documented, which forces the auditor
• to rely primarily on inquiries. In contrast, some larger or more
• sophisticated CIRAs may have written strategic plans that provide a road
• map for the objectives, strategies, and associated business risks that
• have been selected and identified by the management team.

• Products and services for members.

• Regular and special assessments.

• Business expansion or restructuring.

• Major repairs and replacements and capital improvements.

• Employment or compensation.

Factors to consider to develop inquiries and identify risks related to the CIRA's objectives and strategies are presented in HOA-CX-6.1, “Entity Risk Factors.”

management and external parties.

a. Key performance indicators (KPI), both financial and nonfinancial.

b. Trends.

c. Key ratios and other operating and financial statistics.

d. Forecasts, budgets, and variance analyses.

e. Period-on-period financial performance.

f. Employee performance measures.

g. Performance reports for affiliated locations.

h. Comparisons to performance of comparable CIRAs (i.e., benchmarking).

• a. The pressure to meet
• performance targets could motivate management actions, including
• intentional misstatements, and, thus, affect the auditor's risk
• assessment.

• b.
• Use of performance measures might highlight unexpected results or
• trends such as an unusually rapid growth in service or parts sales,
• which upon investigation result in detection of misstatements.

• c.
• The auditor might be able to use key performance indicators or other
• measures used by management when performing analytical procedures.
• However, the auditor should consider whether the information used by
• management is reliable and provides the degree of precision that is
• needed for the analytical procedures.

• a sophisticated CIRA may have
• developed a “dashboard” reporting system that incorporates carefully
• selected key performance indicators that management has deemed to be the
• primary metrics in achieving its goals and objectives. In that case,
• the auditor could inspect and review these measures along with any
• accompanying analyses in order to identify risks that may be indicative
• of material misstatement.

• as management reviews financial or
• other operating reports, a determination is made whether the business
• has achieved the targets that management has established for these
• indicators. For these situations, the auditor would likely use inquiry
• to determine what indicators management believes are important in
• managing and measuring the CIRA's results and inspect the reports that
• are used to monitor performance.

• identify potential risks. Factors
• to consider to develop inquiries and identify risks related to
• measurement and review of the CIRA's financial performance are presented
• in HOA-CX-6.1, “Entity Risk Factors.”

• management's selection and
• application of accounting policies and evaluate whether the policies are
• appropriate for the CIRA and consistent with policies used in the CIRA
• industry.

• accounting policies that management
• has selected and applied is an important element in determining what
• can go wrong in the preparation of financial statements and, hence, in
• assessing risks of material misstatement. For CIRAs, significant
• accounting policies include those for allocating assessments to
• replacement funds; accounting for common property, including
• capitalization policies; funding for future major repairs and
• replacements; and revenue recognition for special assessments.

a. Relevant accounting standards and industry specific practices.

b. The methods the CIRA uses to account for significant and unusual transactions.

• c.
• The effect of significant accounting policies in controversial or
• emerging areas for which there is a lack of authoritative guidance or
• consensus.

• d.
• Changes in the CIRA's policies, including the reasons for the change and
• whether the change is appropriate and consistent with GAAP (or an
• OCBOA).

• e.
• Financial reporting standards and regulations that are new to the CIRA
• and management's plans to adopt such requirements, including new
• accounting standards.

f. The process used by management in formulating particularly sensitive accounting estimates.

g. The methods used to identify matters for disclosure and how the CIRA achieves clarity in disclosure.

• For example, because accounting for
• special assessments revenue or deferred revenue involves judgment,
• there ordinarily is a higher risk of material misstatement for the
• valuation of those assets. For items of disclosure, many auditors of
• smaller CIRAs assist management in preparing the financial statements.
• In those cases, identification and clarity of required disclosures are
• often heavily influenced by the auditor. Therefore, the potential for
• risk may be mitigated with respect to disclosure.

• In establishing the overall audit strategy, the auditor focuses on
• whether the accounting principles selected and policies adopted are
• being applied in an inappropriate manner. If the auditor identifies a
• risk in this area, it is often addressed by an overall response, such as
• the assignment of more experienced personnel and a higher level of
• supervision, as well as by the selection of specific further audit
• procedures.

• • The auditor's knowledge and experience with the CIRA industry.
• • The auditor's past experience with the client.
• • The degree of financial reporting sophistication of the client.
• • The extent of new accounting standards that are recently effective for the client.
• •
• The auditor's participation in assisting the client with the selection
• of accounting policies and the preparation of the financial statements.

• Consideration of accounting
• policies for those clients ordinarily will not be a time-consuming
• process since the auditor already possesses much of the requisite
• knowledge. The auditor in those cases can generally confine inquiries of
• the client to matters such as the manner and consistency of
• application. For other situations where the auditor is not involved in
• the selection of accounting policies or has limited experience with the
• client, the auditor may inquire about the matters discussed in paragraph
• 605.39.
• Also, the auditor may supplement inquiries with a review of prior year
• financial statements and supporting disclosures (for initial audits)
• coupled with a thorough review and understanding of relevant accounting
• standards that are either new or specifically applicable to CIRAs or the
• client's transactions.

• consider, based on their knowledge
• of the entity and its environment, whether fraud risk factors exist.
• Fraud risk factors are conditions or events that indicate
• incentives/pressure to perpetuate fraud, opportunities to carry out the
• fraud, or attitudes/rationalizations to justify a fraudulent action.

• is present and should be considered in identifying and assessing risks of material misstatement due to fraud.
• The presence of a particular fraud risk factor does not necessarily
• indicate the existence of fraud. Whether a risk factor is present and
• should be considered in identifying and assessing the risks of material
• misstatement due to fraud is a matter of professional judgment.

• The risk factors presented in SAS No. 99 are classified into factors
• related to fraudulent financial reporting and factors related to
• misappropriation of assets. Because it may be helpful to consider fraud
• risk factors in the context of the conditions generally present when
• fraud occurs, the standard further classifies the illustrative risk
• factors into conditions relating to incentives/pressures, opportunities,
• and attitudes/rationalizations.

• Although the risk factors cover a broad range of situations, they are
• only examples and, accordingly, the auditor may wish to consider
• additional or different risk factors. Not all of these examples are
• relevant in all circumstances, and some may be of greater or lesser
• significance in entities of different size or with different ownership
• characteristics or circumstances.

• 605.50 HOA-CX-6.2,
• “Fraud Risk Factors,” includes risk factors tailored for CIRAs, and it
• can be used as a memory jogger for the auditor's consideration of fraud
• risk factors.

• without compensating controls.” Is that circumstance always a fraud risk
• factor? The authors believe that domination of management by a single
• individual or a small group does not, in and of itself, indicate a
• failure by management to display and communicate an appropriate attitude
• regarding internal control and the financial reporting process. In
• fact, in many small CIRAs, strong management involvement actually can be
• a control strength in that there is a great deal of oversight of
• employees throughout the process. The effect of management dominance is
• discussed further beginning in paragraph 606.28.

• one of the fraud risk factors related to fraudulent financial reporting in HOA-CX-6.2,
• “Fraud Risk Factors,” states, “The CIRA has ineffective oversight over
• financial reporting and internal control by the board of directors or
• audit committee.” If the CIRA engages the service of a managing agent,
• auditors should consider whether the CIRA's board of directors
• understands the extent of managing agent responsibilities and if it
• exercises sufficient control over the managing agent's activities.
• Without effective oversight, a managing agent may have the ability to
• dominate activities or override controls.

• Many CIRAs have an interest in
• avoiding budget overruns. The primary consideration, however, is whether
• management has shown an interest in avoiding budget overruns through
• inappropriate means. If so, the situation would likely be considered a
• fraud risk factor. However, if management indicates interest in avoiding
• budget overruns through legitimate means, then the auditor would not
• consider the situation to be a fraud risk factor.

• some consideration should be given
• to risk factors related to incentives/pressures, opportunities arising
• from control deficiencies, and attitudes/rationalizations for
• misappropriation, even if assets susceptible to misappropriation are not
• material. In small to mid-sized CIRAs, there is always an asset subject
• to misappropriation. Similarly, securities in the custody of a broker
• may be susceptible to misappropriation through unauthorized trading.
• Therefore, there should always be some consideration of fraud risk
• factors related to misappropriation. In addition, when considering risk
• factors for misappropriation, the auditor may identify risk factors
• related to inadequate monitoring and weaknesses in internal control that
• could also be present when fraudulent financial reporting occurs.

• Anticipated layoffs that are known to employees.

• Unfavorable changes in employee compensation or benefit plans.

• Failure to receive promotions or other expected rewards.

• Known unusual changes in behavior or lifestyle.

.• Employees who are known to be experiencing significant personal financial obligations.

• Behavior indicating dissatisfaction with the entity, including disregard for the entity's policies and procedures.

• If
• the auditor becomes aware of the presence of these or similar risk
• factors, he or she should consider them when identifying the risks of
• material misstatement due to fraud.

overall response is considered in establishing the overall audit strategy (see section 607) and a specific response is considered in developing the detailed audit plan. (See section 610.)