Professional Documents
Culture Documents
GENERAL INSTRUCTIONS
This template has been developed to provide illustrative examples to assist engagement teams in addressing the Risks of Material Misstatement (ROMM) for material classes of transactions and
account balances. The pre-populated risks of material misstatement (i.e., "what could go wrong") and relevant control activities included within this template are derived from the "Core Risks and
Controls" section of Form 1830SDI-4, Risk and Controls Guide —Banking and Finance — Recourse Liabilities. The substantive procedures responsive to the risks identified are derived from Form
1840SDI-4, Substantive Procedures Guide — Banking and Finance — Recourse Liabilities.
NOTE: This template is designed for accounts for which the engagement team is performing an integrated audit. For nonintegrated audits, the engagement team may modify this template
accordingly or may consider other options, such as Form 18**AICPA-BS, Blank Risk of Material Misstatement Worksheet — Balance Sheet; Form 18**AICPA-IS, Blank Risk of Material Misstatement
Worksheet — Income Sheet; and Form Series 18**AICPA, AICPA Risk of Material Misstatement Worksheets.
Terminology
Within this template, the term class of transactions refers to Income Statement accounts and account balance refers to Balance Sheet accounts. The term transaction type is used to
describe an activity or series of activities that results in one or more classes of transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]
Transaction Types, Relevant Assertions, or Risks of Material Misstatement Referenced to Other Audit Area Documentation
To the extent that a relevant assertion or a transaction type is appropriately addressed and documented within documentation of another class of transaction, account balance, or disclosure RoMM
template, redundant documentation is not necessary — although clear, specific, and concise referencing is appropriate. Consider referencing as appropriate to other audit sections that document
the risks of material misstatement, relevant control activities, and planned procedures to test the operating effectiveness of the control activity and substantive procedures.
Risks of material misstatement, relevant control activities, and responsive substantive procedures relating to these noncommon transactions can be found in Form 1830SDI-4, in the "Other
Possible Risks and Controls" section for each account, and Form 1840SDI-4.
Form 18**SDI.4, Recourse Liabilities ROMM Overview
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — ROMM Overview
Assertion Name
— Relevant Assertion Identification of Risk of Material Misstatement
("What Could Go Wrong") {a}
Presentation &
Completeness
Valuation and
obligations
Control Control
Rights and
Disclosure
allocation
Existence
Account Balance/ Classification of Risk Associated Design Implementation Control OE
Class of Significant Inherent Risk Risk of Material with the Control Conclusion Conclusion Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, (Implemented, (Effective,
Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Not Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Recording Recourse X Recourse liabilities exist but are not recorded (e.g., loan is sold to a third party On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability
Liabilities and lender guarantees performance of loan with recourse obligations, but such
recourse liability is not acknowledged and recorded).
Transaction documents for sales of loans are reviewed by finance personnel to identify potential recourse liabilities. Management reviews the calculation of the recourse liability recorded at time of the sale.
Recording Recourse X The initial measurement of the recourse liability does not properly reflect the fair A written policy is in place related to loans sold with recourse requiring a liability be recorded at the estimated fair value of the related
Testing
guarantee.
Entity'sThe
Methodology
journal entry
for and
Estimating
documentation
Recoursesupporting
Reservesthe
arising
initialfrom
measurement
mortgage and
of the
other
recourse
loan activities
liability is reviewed and approved b
Liabilities value of the representation, warranty or other guarantee.
Recording Recourse X The entity uses an inappropriate methodology or incorrect significant Recourse liabilities are valued based on an analysis performed by qualified personnel at the entity or by a qualified third party specialist
Testing, which
Entity's
includes
Methodology
amongfor
other
Estimating
item s the
Recourse
following:
Reserves
1 Historical
arisingtrend
fromanalysis
mortgageover
andanother
appropriate
loan activities
period 2
Liabilities assumptions to calculate and record recourse liabilities.
On a regular basis management retrospectively reviews historical experience related to recourse liabilities as well as current industry
Developing
trends including
Independent
the methodology
Expectation used
of Recourse
significant
Liabilities
assumptions utilized and the underlying data relied upon in developing these estimat
Management’s methodology is reviewed by a third party or internal audit. Performing Retrospective Review of Significant Accounting Estimates
Recording Recourse X Underlying data used to calculate and record recourse liabilities does not agree Data used in the calculation is reconciled to the entity’s records. Testing Entity's Methodology for Estimating Recourse Reserves arising from mortgage and other loan activities
Liabilities to the records.
Recording Recourse X X Recourse liabilities are initially recorded when no liability exists. Finance personnel prepare the journal entry supporting documentation and account analysis to record recourse liabilities. Management
Test Recourse
reviews Liability
and approves
Balances
the for
journal
On going
entry relevance
supporting documentation and account analysis before the journal entry is
Liabilities
On a monthly basis finance personnel reconcile recorded recourse liabilities to supporting detail. Management reviews the reconciliation and supporting documentation and unusual activity or invalid reconciling items are investigated and resolved in a timely manner.
Adjusting Recourse X X Recourse liabilities are not relieved when a liability no longer exists (e.g., loan On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testand
Recourse
legal counsel
Liabilitydepartments
Balances fortoOn
discuss
going developments
relevance and or changes in the business that may impact recorded recourse liability.
Liabilities has been repurchased and recorded on the entity’s balance sheet).
Adjusting Recourse X Claims and settlements are not recorded in the correct period. On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability.
Liabilities
Adjusting Recourse X X Previously recorded recourse liabilities are incorrectly removed when a liability On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability.
Liabilities still exists.
Adjusting Recourse X Adjustments (including claims and settlements) to recourse liabilities are On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
impact recorded recourse liability.
Liabilities recorded in the general ledger at incorrect amounts.
Identify_and_Test_for_Disputed_Claims
Using Analytical Procedures and/or Tests of Details to Update Tests Performed at an Interim Date
Recourse Liabilities X The entity does not calculate its reserve in accordance with its stated policy or On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
impact recorded recourse liability.
other known conditions and current events that the entity has considered.
Presentation &
Completeness
Valuation and
obligations
Control Control
Rights and
Disclosure
allocation
Existence
Account Balance/ Classification of Risk Associated Design Implementation Control OE
Class of Significant Inherent Risk Risk of Material with the Control Conclusion Conclusion Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, (Implemented, (Effective,
Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Not Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Recourse Liabilities X X The reserve for a mortgage loan in foreclosure or other real estate owned On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
impact recorded recourse liability.
(“OREO”) is removed, although the property has not been sold or
indemnification liability has not been relieved.
Recourse Liabilities X The calculation of the recourse reserve does not agree to the amount recorded On a monthly basis finance personnel reconcile recorded recourse liabilities to supporting detail. Management reviews the reconciliation
Test_Presentation_and_Disclosures_on_Recourse_Liabilities_and_Repurchase_Reserves
and supporting documentation and unusual activity or invalid reconciling items are investigated and resolved in a timely manner.
in the G/L.
Recourse Liabilities X Proper documentation over loan originations, servicing and securitizations has Refer to control activities described within the Loans and Mortgage Servicing Rights ROMMs over loan underwriting and servicing. Testing Entity's Methodology for Estimating Recourse Reserves arising from mortgage and other loan activities
not been properly maintained by the entity which could increase recourse
exposure. (For example, concerns regarding title documentation have caused
many banks to suspend foreclosure proceedings out of concern that improper
foreclosure decisions may be reached.)
Perform_Tests_of_Unrecorded_Liabilities
Recourse Liabilities X Disclosures related to the nature, methodology and amounts of recourse The Controller ensures accounting policies used in the preparation of the financial statements are consistent with the entity s applicable
Test Presentation
financial reporting
and Disclosures
framework on
in conjunction
Recourse Liabilities
with his her
andquarterly
Repurchase
review
Reserves
of the financial statements and completion of a U.S. GAAP re
liabilities is not properly made by the entity, including but not limited to the
following:
Findings and
Application Observations
System (None Noted, Change to
Control Operating (if control is Plan, Deficiency, Identified
Effectiveness Testing Operating Frequency Is IPE Used automated or Suspected Fraud,
Strategy (Annually, Quarterly, in Testing or and/or we are Testing Reference Management Letter
(Test in Current Period, Monthly, Weekly, Daily, Performing a testing IPE Testing Reference — to Planned Nature, Timing, and Extent of Procedures to Testing Comment, Material
Control Control That Addresses Risk of Material Misstatement Using Prior Period Evidence, Control Year Many Times per Day, Control Relevant through tests of Reference — General IT Evaluation Evaluate Operating Effectiveness (OE) of Controls Reference — Weakness, Significant
ID — Description OE Testing Not Required) Last Tested As Needed) Automated? Control? List IPE controls) IPE Controls of D&I OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
On a regular basis, finance personnel (including management of mortgage servicing
department) meet with members of the loan sales and legal counsel departments to
discuss developments and/or changes in the business that may impact recorded
recourse liabilities (e.g., representations and warranties from mortgage loans sold), or
may impact the need to record a recourse liability.
A written policy is in place related to loans sold with recourse requiring a liability be
recorded at the estimated fair value of the related guarantee. The journal entry and
documentation supporting the initial measurement of the recourse liability is reviewed
and approved by the appropriate level of management prior to being recorded into the
general ledger.
7) Loss severity
The methodology, significant assumptions, and underlying data used as well as the
journal entry are reviewed, evaluated, and approved by management and/or the Board
with appropriate knowledge before the journal entry is recorded.
Form 18**SDI.4, Recourse Liabilities Plan Control Testing
Findings and
Application Observations
System (None Noted, Change to
Control Operating (if control is Plan, Deficiency, Identified
Effectiveness Testing Operating Frequency Is IPE Used automated or Suspected Fraud,
Strategy (Annually, Quarterly, in Testing or and/or we are Testing Reference Management Letter
(Test in Current Period, Monthly, Weekly, Daily, Performing a testing IPE Testing Reference — to Planned Nature, Timing, and Extent of Procedures to Testing Comment, Material
Control Control That Addresses Risk of Material Misstatement Using Prior Period Evidence, Control Year Many Times per Day, Control Relevant through tests of Reference — General IT Evaluation Evaluate Operating Effectiveness (OE) of Controls Reference — Weakness, Significant
ID — Description OE Testing Not Required) Last Tested As Needed) Automated? Control? List IPE controls) IPE Controls of D&I OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
On a regular basis, management retrospectively reviews historical experience related
to recourse liabilities as well as current industry trends; including the methodology
used, significant assumptions utilized and the underlying data relied upon in
developing these estimates. Revisions are made to the methodology or significant
assumptions and underlying data used in the current-period estimation process as
necessary and approved by the appropriate level of management.
Finance personnel prepare the journal entry, supporting documentation, and account
analysis to record recourse liabilities. Management reviews and approves the journal
entry, supporting documentation, and account analysis before the journal entry is
recorded.
Refer to control activities described within the Loans and Mortgage Servicing Rights
ROMMs over loan underwriting and servicing.
The Controller ensures accounting policies used in the preparation of the financial
statements are consistent with the entity's applicable financial reporting framework in
conjunction with his/her quarterly review of the financial statements and completion of
a U.S. GAAP reporting checklist. This review also includes consideration of recent
SEC comment letters applicable to the entity’s business.
Form 18**SDI.4, Recourse Liabilities Plan Substantive Testing
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Substantive Testing
D Testing Entity's Methodology for Estimating Recourse Reserves (arising from mortgage and other loan activities)
D1 A. Understand, document, and evaluate the reasonableness of the methods and assumptions used by management to estimate recourse reserves stemming from representations and warranties
made by the entity.
Consider whether such methods and assumptions include, but are not limited to, the following:
• Written policy on the entity’s process for estimating the recourse reserve, including the extent of management review (e.g., Board approval/review required)
• Information on pending and threatening litigation related to representations and warranties made by the entity from discussions with internal legal counsel
• Success of appeals analysis
• Historical analysis of loan repurchase activity by the entity
• Future expected repurchase activity
• Quality of loan underwriting and servicing of loans originated by the entity for which recourse liabilities exist
• Amount of losses incurred on loans repurchase
• Pools of loans for which repurchase demands are possible.
• Benchmark analysis to competitors with recourse liabilities, if reasonable
B. If management's methods and assumptions are reasonable, test the accuracy and completeness of the data used by management by the following means:
(1) Check mathematical accuracy of model.
(2) Perform audit procedures directly on the information being relied upon and assumptions being used. These procedures may include either of the following:
a. Reproducing the information.
b. Agreeing summary information to underlying data or third-party source documents and tracing a selection of information from the entity's underlying data or third-party source documents into the
information.
C. Identify and obtain audit evidence to support the key assumptions underlying the estimate.
D. Consider guidance within the Audit Quality Alert 10-10 and PCAOB Practice Alert No.7 on auditing litigation and other contingencies related to mortgage and other loan activities.
E. In instances when the audit evidence is inconsistent among differing sources, perform additional audit procedures to resolve the inconsistency.
F. Using the appropriate data, assumptions, and methodology, recompute the recourse reserve.
G Using Analytical Procedures and/or Tests of Details to Update Tests Performed at an Interim Date
G1 A. Make inquiries of the entity's personnel knowledgeable of the recourse liability recorded at the interim date regarding their knowledge of any changes in facts or circumstances in the intervening
period that might have a significant impact on the year-end balance.
B. Perform substantive analytical procedures to test the year-end account balance.
(1) Develop expectations of the year-end account balance by considering factors identified during the interim test as well changes in facts or circumstances during the intervening period identified
during inquires made. (i.e., compare relevant information at interim with comparable information at final).
(2) Determine threshold.
(3) Compare the expectation to the recorded amount and identify any differences. For any difference that is more than the threshold, obtain, quantify, and corroborate explanations for the difference
by performing further analysis or inquiry and examining supporting documents. Explanations should be sought for the full amount of the difference, not just for the part that exceeds the threshold.
and/or:
C. Perform test of details on the account balance change in the intervening period (i.e., from the interim test date to the balance sheet date) by examining activity within the account balance.
B. Read and analyze the description of the process for estimating the recourse liabilities and repurchase reserve. Determine that the description accurately describes the process used by the entity
to obtain the estimate and that the description is appropriately understandable.
C. Read and analyze the footnote disclosures related to the recourse liabilities and repurchase reserve and determine that they accurately describe the exposure of the entity as of year end.
• Disclose the methodology used to estimate the reserves related to recourse exposures
• Level and types of repurchase claims the entity is receiving
• Level of allowance established related to the repurchase
• Method of settling claims; success rate in avoiding claims
• Time limit of recourse obligation and trends by loan vintage
• Rollforward of reserves for periods presented
Form 18**SDI.4, Recourse Liabilities Notes
NOTES
Note 2
Relevant AssertionsThe assertions are considered at the class of transactions, account balance, and disclosure level. See the "Assertions" tab of this template for a description and examples of each assertion.Refer to U.S. AAM 13150
NOTE: For a class of transactions (Income Statement account), account balance (Balance Sheet account), or disclosure, if an assertion is not considered relevant, include
documentation in the working papers explaining why the assertion is not relevant for that class of transactions, account balance, or disclosure.
The determination of whether an assertion is relevant is based on inherent risk, without regard to the effect of internal controls. [U.S. AAM and PCAOB AAM Glossary]
Consideration of transaction types may be relevant to our identification and assessment of risks of material misstatement at the relevant assertion level for classes of
transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]
NOTE: For integrated and nonintegrated audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the
standards of the AICPA, we are required to document our understanding of the flows of transactions using process flow diagrams to supplement narratives or other
documentation related to:
• Accounts or disclosures for which we have identified a significant risk
• Revenue accounts identified as material to the financial statements [Derived from U.S. AAM 23001-I.56/PCAOB AAM 12200.73.]
For nonintegrated audits performed in accordance with the standards of the AICPA, if we intend to rely on the operating effectiveness of controls in determining the nature,
timing, and extent of substantive procedures to address risks of material misstatement that are (1) significant risks or (2) related to revenue accounts identified as
material to the financial statements, we are required to document our understanding of the applicable flows of transactions related to the accounts or disclosures using
process flow diagrams to supplement narratives or other documentation. [Derived from U.S. AAM 12200.98a.]
The consideration of what can go wrong for the classes of transactions, account balances, and disclosures may assist us in identifying the risks of material misstatement,
relating these risks to the relevant assertions, and in designing more effective and efficient procedures to respond to those risks. This means that we think about those
things that could go wrong of sufficient likelihood to lead to material misstatement and does not mean that we have to contemplate all possible things that could go wrong
regardless of their likelihood. [U.S. AAM 13150.5/PCAOB AAM 13150.5, emphasis added.]
A risk of material misstatement is a risk that the financial statements are materially misstated prior to audit. This consists of two components, described as follows at the
assertion level:
- Inherent risk: The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or
when aggregated with other misstatements, before consideration of any related controls.
- Control risk: The risk that a misstatement could occur in an assertion about a class of transaction, account balance, or disclosure that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. [U.S. AAM
and PCAOB AAM Glossary]
A risk of material misstatement may relate to one or more relevant assertions. Further, one or more risks of material misstatement may exist for a relevant assertion.
Refer to U.S. AAM 13150 and 12200 or PCAOB AAM 13150 and 12200 for further guidance.
Form 18**SDI.4, Recourse Liabilities Notes
Note 4 Significant Findings or Issues
Significant findings or issues represent matters of importance to the engagement partner or Engagement Quality Control (EQC) Reviewer in planning, supervising, and
reviewing our audit. We categorize these items as significant findings or issues to draw the attention of engagement leaders to them and to designate them as matters for
which the engagement partner is required to perform a primary review in addition to that of the manager. While a significant risk gives rise to an audit response that is
incremental to that required for a normal risk, a significant finding or issue may not result in changes to the nature, timing, or extent of audit testing. However, we
separately identify significant findings or issues in our audit documentation (including our planning and summary memoranda) and subject our related work to more
detailed review by the engagement partner and EQC Reviewer.
Risks of material misstatement related to significant findings or issues, identified during planning and which affect the audit procedures performed, may result in
customization of one or all of the related risks of material misstatement, control activities, and/or the related substantive procedures described in this template.
Significant findings or issues for planning purposes include, but are not limited to, the following:
- Risks of material misstatement that are determined to be significant risks and the results of the auditing procedures performed in response to those risks
- Matters that are significant involving the selection, application, and consistency of accounting principles, including related disclosures (e.g., new accounting
pronouncements)
- Accounting for complex or unusual transactions
- Accounting estimates highly dependent upon judgment
- Significant uncertainties
- Matters that led to the classification of engagement risk as greater than normal or much greater than normal
- Circumstances that cause us significant difficulty in applying necessary audit procedures. [Derived from U.S. AAM 00200.16-16a/PCAOB AAM 00200.23-23a.]
Note 5
Classification of Inherent Risk
As part of the risk assessment, we are required to determine whether any of the risks identified are, in our judgment, a significant risk. In exercising this judgment, we
are required to exclude the effects of identified controls related to the risk. [U.S. AAM 13150.52/PCAOB AAM 13150.3 and 27]
A significant risk is an identified and assessed risk of material misstatement that, in the auditor's judgment, requires special auditor consideration. [U.S. AAM and PCAOB
AAM Glossary]
Risks of material misstatement related to significant risks may result in customization of one or all of the related risks of material misstatement, control activities, and/or
related substantive procedures described in this template.
In exercising judgment as to which risks are significant risks, we are required to consider at least the following:
- Whether the risk is a risk of fraud
- Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires special attention
- The complexity of transactions
- Whether the risk involves significant transactions with related parties
- The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement
uncertainty
- Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. [U.S. AAM
13150.53/PCAOB AAM 13150.28]
Due to the unpredictable way in which management override of controls could occur, it is a risk of material misstatement due to fraud and thus a significant risk.
[Excerpted from U.S. AAM 13350.4/PCAOB AAM 13350.2.]
Refer to U.S. AAM 13150 and 13350 or PCAOB AAM 13150 and 13350 for further guidance.
We are required to treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, we are required
to obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, and evaluate whether such controls have been suitably
designed and implemented to mitigate such fraud risks. [U.S. AAM 13150.42/PCAOB AAM 13150.33]
Identifying potential fraud schemes may facilitate the evaluation of the design of relevant controls and the development of effective audit procedures. [U.S. AAM
13300.49a/PCAOB AAM 13300.70b]
Refer to U.S. AAM 13150 and 13300 or PCAOB AAM 13150 and 13300 for further guidance.
Form 18**SDI.4, Recourse Liabilities Notes
Note 7
Risk Associated with the Control – For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in
Accordance with the Standards of the AICPA
The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result.
[Excerpted from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]
The risk associated with a control may be assessed as either “higher” or “not higher,” based on the factors in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31). See
Deloitte Guidance (Q&A) 3-1, Risk Associated with the Control — Relationship to Inherent Risk, for additional information.
It is not necessary to separately document our consideration of each factor in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31); it may be possible to document our
considerations on a collective basis (e.g., for groups of controls with similar characteristics where the risk associated with the control is similar).
If the risk of material misstatement associated with the related account(s) or assertions(s) is a significant risk, the risk associated with the control is higher. [Excerpt
from U.S. AAM 23001-I.73/PCAOB AAM 23001.21a.]
Integrated Audits
If we are performing an integrated audit, control activities that are relevant to the audit include those that address the assessed risks of material misstatement for each
relevant assertion. [U.S. PCAOB AAM 12200.85]
Nonintegrated Audits
We are required to obtain an understanding of control activities relevant to the audit, being those we judge it necessary to understand in order to assess the risks of
material misstatement at the assertion level and design further audit procedures responsive to assessed risks. [Excerpt from U.S. AAM 12200.99/PCAOB AAM
12200.78.]
We are required to obtain an understanding of the process for reconciling detailed records to the general ledger for material classes of transactions and account balances.
[U.S. AAM 12200.99a/PCAOB AAM 12200.79a]
When obtaining an understanding of controls that are relevant to the audit, we are required to evaluate the design of those controls and determine whether they have
been implemented, by performing procedures in addition to inquiry of the entity’s personnel. [U.S. AAM 12200.30/PCAOB AAM 12200.35]
Determine whether we have a basis for relying on those controls and whether we are able to perform our planned extent of substantive procedures. If an integrated audit,
evaluate the effect on the ICFR opinion.
Refer to U.S. AAM 23001/PCAOB AAM 23001 for further guidance. Consider using Form 2342S, Evaluation of Deficiencies in Internal Control, and Form 2343S, Evaluation
of an Individual Deficiency in Internal Control, to assist in the evaluation.
Form 18**SDI.4, Recourse Liabilities Notes
Note 10 Substantive Procedures Planned
Irrespective of the assessed risks of material misstatement, we are required to design and perform substantive procedures for each relevant assertion related to each
material class of transactions, account balance, and disclosure [significant account and disclosure]. [U.S. AAM 13300.22/PCAOB AAM 13300.48]
The nature, timing, and extent of planned procedures may vary in response to the assessed risk of material misstatement at the assertion level.
A substantive procedure may address more than one risk. We may consider the audit procedures and risks which they address when planning and performing substantive
procedures so that the substantive procedures performed are effective and efficient. [U.S. AAM 23002-1.34]
NOTE: For audits performed in accordance with the standards of the PCAOB, for significant risks, we are required to perform substantive procedures, including tests of
details, that are specifically responsive to the assessed risks. Therefore, for audits performed in accordance with the standards of the PCAOB, regardless of whether we are
relying on controls, our substantive procedures responsive to a significant risk will either comprise tests of details alone or tests of details performed in combination with
substantive analytical procedures. [U.S. PCAOB AAM 13300.65]
Because the assessment of the risk of material misstatement takes account of internal control, the extent of substantive procedures may need to be increased when the
results from tests of controls are unsatisfactory. However, increasing the extent of an audit procedure is appropriate only if the audit procedure itself is relevant to the
specific risk. [U.S. AAM 23002-1.8/PCAOB AAM 23002-1.13]
In designing tests of details, the extent of testing is ordinarily thought of in terms of the sample size. However, other matters are also relevant, including whether it is
more effective to use other selective means of testing. [U.S. AAM 23002-1.9/PCAOB AAM 23002-1.15]
Corollary Testing
Depending on the classes of transactions, account balances, and disclosures being audited and the audit procedures performed, corollary testing may provide audit
evidence related to the risks of material misstatement identified.
Note 11
If we are performing an integrated audit, we are required to test those controls that are important to our conclusion about whether the company’s controls sufficiently
address the assessed risk of misstatement to each relevant assertion. We must test those entity-level controls that are important to our conclusion about whether the
company has effective internal control over financial reporting. [U.S. AAM 23001-I.36 and 62/PCAOB AAM 13300.34 and 38]
For audits performed in accordance with the standards of the PCAOB, or for integrated audits performed in accordance with the standards of the AICPA, we should only use
the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for those controls where we have assessed the risk associated with
the control as lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing set forth in U.S. AAM Figure 23001-I.1
or U.S. PCAOB AAM Figure 23001.1). Use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 is never required. [U.S.
AAM 23001-I.94/PCAOB AAM 23001.56]
If we are using the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 to test a relevant control, we are required to have (1)
assessed the risk associated with the control as "not higher"; (2) tested the operating effectiveness of the control in one of the prior two audits, using at least the sample
sizes in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for a normal extent of testing, and have concluded that the control was effective; (3) confirmed
that there have been no changes in the control or the process in which it operates since the prior audit; and (4) based on consideration of (1), (2), and (3), have
concluded that the risk associated with the control is lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing
set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1), such that the use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S.
PCAOB AAM Figure 23001.1 is considered appropriate. [U.S. AAM 23001-I.95/PCAOB AAM 23001.57]
If we are performing a nonintegrated audit in accordance with the standards of the PCAOB, we should obtain evidence during the current year about the design and
operating effectiveness of controls upon which we rely. [Excerpt from U.S. PCAOB AAM 23001.19]
Refer to U.S. AAM 23001 and 23001-I or PCAOB AAM 13300 and 23001 for further guidance. In addition, refer to Chapter 3, "Testing Operating Effectiveness," within the
Internal Control Guide.
NOTE: For nonintegrated audits performed in accordance with the standards of the AICPA, refer to
the guidance at U.S. AAM 23001.7-11.
Form 18**SDI.4, Recourse Liabilities Notes
Note 12 Control Year Last Tested — For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in Accordance with
the Standards of the AICPA
The "Control Year Last Tested" represents the last year the relevant control was tested using a normal extent of testing.
For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, refer to U.S. AAM
Figure 23001-I.1 or PCAOB AAM Figure 23001.1 for suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the
operating effectiveness of controls.
Depending on the circumstances, we may use professional judgment to determine that larger sample sizes may be appropriate, for example, when we are performing tests
of controls that address one or more significant risks. [U.S. AAM 23001.40/PCAOB AAM 23001.51]
When testing the operating effectiveness of a control that operates less frequently than many times per day, depending on the nature of the control, the risk associated
with the control, and the number of times that it is applied when it operates, we may make additional selections to test its operating effectiveness. [Excerpted from U.S.
AAM 23001.40a/PCAOB AAM 23001.54.]
Refer to U.S. AAM 23001.28-42 or 23001-I.82-99/PCAOB AAM 23001.44-64 for additional guidance regarding determination of the sample size. Also, see Deloitte
Guidance Q&A IC 3-9, Determining the Frequency of a Control, for additional information.
- Standard "out of the box" reports as shipped with the system that have not been modified and do not allow for customization of inputs/outputs
- Parameter-driven reports generated by the entity's application system that allow for user selection of inputs (fields/parameters) to generate the report output
- Custom-developed reports that are not standard to the application and are defined and generated by user-operated tools such as scripts, report writers, programming
language, and query tools
- Spreadsheets that include relevant information (e.g., data (1) obtained from an outside source, (2) manually entered into a spreadsheet, (3) summarized or analyzed
using spreadsheet formulas or data exported from ledger system into an MS Access Database, and (4) then manipulated and summarized)
- Client-prepared analyses and schedules that are manually prepared by entity personnel either from information generated from the entity's system or from other internal
or external sources.
Substantive Procedures
IPE in the Context of Substantive Audit Procedures
IPE in the context of substantive audit procedures includes information that we rely upon when performing our substantive audit procedures. If the information is the
starting point or subject of our substantive audit procedures, our planned substantive audit procedures will typically address the accuracy and completeness of the
information, and no additional procedures may therefore be necessary. In other cases, our substantive audit procedures may rely on a report that is not the subject of our
substantive audit procedures and/or tests of relevant controls, and it may be necessary to perform additional procedures to address the completeness and accuracy of the
report.
NOTE: The requirement to obtain audit evidence about the accuracy and completeness of IPE also applies when we are using the work of others. If IPE has not been
appropriately tested by those whose work we are using, we may either request that they perform the necessary procedures or we may perform the procedures ourselves.
Refer to U.S. AAM 22500-1/PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.
Form 18**SDI.4, Recourse Liabilities Notes
Note 15 Application System
Document the names of relevant application systems.
Identifying the relevant application system within this template allows us to establish the linkage between the risks of material misstatement to which the relevant
application systems and IT infrastructure relate, the relevant IT risks related to these application systems and IT infrastructure, and the general IT controls that address
such risks. IT risks and general IT controls may be documented in the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting
working papers.
IT risks and general IT controls may be documented in the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting working papers.
Note 16 Planned Procedures to Obtain Audit Evidence of Accuracy and Completeness of IPE
Reference to where IPE testing is performed.
NOTE: Procedures to obtain audit evidence about the accuracy and completeness of IPE may be addressed within the documentation of the planned response to test the
control or substantive procedure or aggregated and documented individually in a separate IPE workbook (Form 18**S-IPE).
For nonintegrated audits performed in accordance with the standards of the AICPA, when using information produced by the entity we are required to evaluate whether the
information is sufficiently reliable for our purposes, including as necessary in the circumstances:
• Obtaining audit evidence about the accuracy and completeness of the information
• Evaluating whether the information is sufficiently precise and detailed for our purposes. [U.S. AAM 22500-1.3]
For audits performed in accordance with the standards of the PCAOB (for integrated audits, see also U.S. AAM 22500-1.3), when using information produced by the entity
as audit evidence, we are required to evaluate whether the information is sufficient and appropriate for purposes of the audit by performing procedures to:
• Test the accuracy and completeness of the information, or test the controls over the accuracy and completeness of that information
• Evaluate whether the information is sufficiently precise and detailed for purposes of the audit. [U.S. PCAOB AAM 22500-1.2]
For audits performed in accordance with the standards of the PCAOB, when testing a relevant control that is dependent upon information produced by the entity (and the
effectiveness of the control is therefore dependent upon the accuracy and completeness of such information), we are required to (1) identify controls that address the
accuracy and completeness of such information produced by the entity and (2) test the design and operating effectiveness of such controls (see U.S. PCAOB AAM
13300.22). [U.S. AAM 22500-1.3]
Obtaining audit evidence about the accuracy and completeness of information produced by the entity includes procedures to address:
• The accuracy and completeness of the source data
• The creation and modification of the applicable report logic and parameters. [U.S. AAM 22500-1.5a/PCAOB AAM 22500-1.5a]
Refer to U.S. AAM 22500-1 or PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.
Implementation of a control means that the control exists and that the entity is using it.
Refer to U.S. AAM 12200.30-40/PCAOB AAM 12200.35-38 for additional guidance regarding the evaluation of design and determination of implementation for relevant
controls.
The evaluation of the design of controls documentation may include consideration of the (1) the nature and significance of the risks of material misstatement addressed by
the control, (2) the characteristics or details of the control, and (3) the following factors to determine whether the control is appropriately designed (i.e., the precision of a
control) to address the identified risk.
For more information regarding these factors, see the Internal Control Guide, Chapter 2, "Understanding Likely Sources of Misstatement and Testing Design Effectiveness
for Controls That Address Risk of Material Misstatement."
The extent of documentation may vary depending upon the nature of the control and the level of subjectivity involved.
For example: Management reviews and other higher level controls (e.g., direct and precise entity-level controls) would typically require more extensive documentation
than an attribute-based control.
NOTE: In an integrated audit, the purpose of a test of design effectiveness is not to determine whether the control has been implemented. We do not need to separately
test implementation if we are also testing operating effectiveness. However, the procedures performed to test design and to determine implementation may be similar.
Note 19 Planned Nature, Timing, and Extent of Procedures to Evaluate Operating Effectiveness of Controls
Consider nature, timing, and extent of our tests when planning procedures to evaluate operating effectiveness of controls.
Nature of Tests of Controls
Nature of tests of controls includes inspection of documentation supporting our inquiries, reperformance supporting our inquiries, and observation supporting our inquiries.
In addition, for PCAOB audits matters we may also consider in determining the extent of tests of controls include the following:
- The nature of the control, including, in particular, whether it is a manual control or an automated control
- For an automated control, the effectiveness of relevant general IT controls. [Excerpted from U.S. PCAOB AAM 23001.43]
Refer to U.S. AAM 23001 and 23001-I or U.S. PCAOB AAM 23001 for further guidance.
NOTE: For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, for each
control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk
associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk
associated with the control being tested increases, the evidence that the auditor should obtain also increases.
[Derived from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]
NOTE: When evaluating the operating effectiveness of relevant controls, we are required to evaluate whether misstatements that have been detected by substantive
procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit
evidence that controls related to the assertion being tested are effective. [U.S. AAM 23001.50/PCAOB AAM 23001.84] The identification by us of a material
misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control is
an indicator of a material weakness. [U.S. AAM 23001.51/PCAOB AAM 23001.110]
In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of
financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, at a minimum—
• The auditor’s risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud.
• Findings with respect to illegal acts and related party transactions.
• Indications of management bias in making accounting estimates and in selecting accounting principles.
• Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor’s judgment about the effectiveness of controls. [U.S. AAM
23001-I.196/PCAOB AAM 23001.117]
Tests of Details
If we use audit sampling, our sample sizes may be determined using U.S. AAM Figure 23002-4.1 or U.S. PCAOB AAM Figure 23002-4.1.
Assertions used by us to consider the different types of potential misstatements that may occur (i.e., "what could go wrong") fall into the following three
categories and may take the following forms:
Note: The table below provides the linkage between the current Deloitte Touche Tohmatsu Limited (DTTL) Audit Approach Manual (DTTL AAM) terminology
(which is consistent with the ISAs) and PCAOB assertions.
Assertions about classes of transactions (income The following are examples of potential Misstatements relating to the assertions PCAOB Assertions
statement accounts) and events for the period under below. These examples are neither exhaustive nor always applicable as facts
audit: and circumstance may vary from one entity to the next.
Occurrence Transactions and events that have Potential Misstatements relating to the Assertion occurrence, for income statement Existence or occurrence
been recorded have occurred and account balances, may result from:
pertain to the entity. - Fictitious or unauthorized transactions are entered on source documents or directly into
the application system (input)
- Transactions are duplicated when input
- Invalid input is captured in the subsidiary ledgers.
Completeness All transactions and events that Potential Misstatements relating to the Assertion completeness, for income statement Completeness
should have been recorded have account balances, may result from:
been recorded. - Transactions or events that are not identified and therefore are not entered on a source
document or directly into the application system (input)
- Input is not captured into the subsidiary ledgers
- Input that is rejected is not resubmitted for capture in the subsidiary ledger.
Accuracy Amounts and other data relating to Potential Misstatements relating to the Assertion accuracy, for income statement account Valuation or allocation
recorded transactions and events balances, may result from:
have been recorded appropriately. - Input is inaccurately captured into the subsidiary ledgers
- Input or subsequent processing reflects amounts in excess or less than appropriate
amounts
- Processing of transactions is inaccurate (i.e., summarizing, calculating, and posting)
- Inaccurate adjustments are made to the subsidiary ledgers or general ledger.
Cutoff Transactions and events have been Potential Misstatements relating to the Assertion cutoff, for income statement account Valuation or allocation
recorded in the correct accounting balances, may result from:
period. - Transactions or events that have occurred or will occur are recorded too early (i.e., they
are recorded in a period prior to when they should have been recorded)
- Transactions or events that have occurred are recorded too late (i.e., they are recorded
in a period after the period in which they should have been recorded).
Classification Transactions and events have been Potential Misstatements relating to the Assertion classification, for income statement Valuation or allocation
recorded in the proper accounts. account balances, may result from:
- Input is recorded in the incorrect subsidiary ledger or general ledger account
- Subsequent processing of a transaction results in it being reflected in the incorrect
subsidiary ledger or general ledger account.
Rights and The entity holds or controls the rights Potential Misstatements relating to the Assertion rights and obligations, for balance sheet Rights and obligations
obligations to assets, and liabilities are the account balances, may result from:
obligations of the entity. - The entity no longer having the right to an asset that was previously correctly recorded
- The entity no longer having an obligation to settle a liability that was previously
correctly recorded.
Completeness All assets, liabilities, and equity Potential Misstatements relating to the Assertion completeness, for balance sheet account Completeness
interests that should have been balances, may result from:
recorded have been recorded. - A liability that should have been recorded has not been recorded (e.g., no accrual at
period-end for certain liabilities).
Valuation and Assets, liabilities, and equity interests Potential Misstatements relating to the Assertion valuation and allocation, for balance Valuation or allocation
allocation are included in the financial sheet account balances, may result from:
statements at appropriate amounts - Impairments of assets that are not identified and properly recorded
and any resulting valuation or - Inaccurate adjustments that are made to a balance sheet account balance that
allocation adjustments are inappropriately adjust the value of that balance sheet account balance
appropriately recorded. - Assets which are amortized over the incorrect period resulting in the remaining asset
balance being incorrectly valued
- Fair value adjustments that are not identified and properly recorded.
Tickmarks
{a} For most "what could go wrongs" listed within the "ROMM Overview" tab, multiple control activities have
been listed to possibly address the related risk. Engagement teams are encouraged to use professional
judgment in assessing which control or controls properly address the specific risk at their financial institution.
More than one control may apply and need to be tested to adequately address the related risk. Additionally,
dual-purpose testing may be appropriate with certain controls and substantive procedures. Therefore,
engagement teams are encouraged to consider both controls and substantive procedures when determining
the audit plan for the Recourse Liabilities.