Form 18 Sdi 4 - Recourse Liabilities - Risk of Material Misstatement (Romm) Worksheet

Form 18**SDI.
4, Recourse Liabilities Overview
Risk of Material Misstatement Worksheet — Overview
GENERAL INSTRUCTIONS
This template has been developed to provide illustrative examples to assist engagement teams in addressing the Risks of Material Misstatement (ROMM) for material classes of transactions and
account balances. The pre-populated risks of material misstatement (i.e., "what could go wrong") and relevant control activities included within this template are derived from the "Core Risks and
Controls" section of Form 1830SDI-4, Risk and Controls Guide —Banking and Finance — Recourse Liabilities. The substantive procedures responsive to the risks identified are derived from Form
1840SDI-4, Substantive Procedures Guide — Banking and Finance — Recourse Liabilities.
NOTE: This template is designed for accounts for which the engagement team is performing an integrated audit. For nonintegrated audits, the engagement team may modify this template
accordingly or may consider other options, such as Form 18**AICPA-BS, Blank Risk of Material Misstatement Worksheet — Balance Sheet; Form 18**AICPA-IS, Blank Risk of Material Misstatement
Worksheet — Income Sheet; and Form Series 18**AICPA, AICPA Risk of Material Misstatement Worksheets.
Terminology
Within this template, the term class of transactions refers to Income Statement accounts and account balance refers to Balance Sheet accounts. The term transaction type is used to
describe an activity or series of activities that results in one or more classes of transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]
Transaction Types, Relevant Assertions, or Risks of Material Misstatement Referenced to Other Audit Area Documentation
To the extent that a relevant assertion or a transaction type is appropriately addressed and documented within documentation of another class of transaction, account balance, or disclosure RoMM
template, redundant documentation is not necessary — although clear, specific, and concise referencing is appropriate. Consider referencing as appropriate to other audit sections that document
the risks of material misstatement, relevant control activities, and planned procedures to test the operating effectiveness of the control activity and substantive procedures.
ROMM Overview Tab

This worksheet within the template is intended to be a “dashboard” presenting a summary of the audit plan for the account including the (1) relevant control activities and substantive procedures
that address each risk of material misstatement and (2) related control design, implementation, and operating effectiveness conclusions. The dashboard provides internal linking between the
summarized description and the more extensive description of the control activities and/or substantive procedures on subsequent worksheets within the template. Note: It is recommended that
the control description under the column labeled “Control That Addresses Risk of Material Misstatement — Control Name” be less than 100 characters due to requirements
within the forthcoming Engagement Management System of the Deloitte Audit platform. For information on how to create links for additional controls (e.g., an entity-specific control),
engagement teams may look to the following topics within the Excel Help function: “creating a hyperlink to a specific location in a workbook” and “preventing invalid data entry in a worksheet (text
length).”
Risks of Material Misstatement Related to Presentation and Disclosure

This template does not include risks of material misstatement related to presentation and disclosure. Engagement teams may use Form 18**S.20, Presentation and Disclosure, to document risks of
material misstatement and the planned audit responses for presentation and disclosure risks. Alternatively, engagement teams may document risks of material misstatement related to presentation
and disclosure and the planned audit responses within each of the account-level ROMM templates.
CUSTOMIZATION OF RISKS OF MATERIAL MISSTATEMENT, CONTROL ACTIVITIES, AND RELATED PROCEDURES

This template is designed to assist audit engagement teams in the evaluation of the risks of material misstatement (i.e., "what could go wrong") and responsive procedures. The risks of material
misstatement, relevant control activities, and substantive procedures provided in this template may or may not be applicable to or at the level of specificity for your engagement. Engagement
teams will need to consider their specific facts and circumstances, including the risk assessment performed, to determine whether modification of this pre-populated ROMM
template may be needed. Other items excluded from this template may need to be added based on the specifics of the engagement.
Risks of material misstatement, relevant control activities, and responsive substantive procedures relating to these noncommon transactions can be found in Form 1830SDI-4, in the "Other
Possible Risks and Controls" section for each account, and Form 1840SDI-4.
Form 18**SDI.4, Recourse Liabilities ROMM Overview
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — ROMM Overview
Assertion Name
— Relevant Assertion Identification of Risk of Material Misstatement
("What Could Go Wrong") {a}
Presentation &
Completeness
Valuation and
obligations
Control Control
Rights and
Disclosure
allocation
Existence
Account Balance/ Classification of Risk Associated Design Implementation Control OE
Class of Significant Inherent Risk Risk of Material with the Control Conclusion Conclusion Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, (Implemented, (Effective,
Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Not Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Recording Recourse X Recourse liabilities exist but are not recorded (e.g., loan is sold to a third party On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability
Liabilities and lender guarantees performance of loan with recourse obligations, but such
recourse liability is not acknowledged and recorded).
Transaction documents for sales of loans are reviewed by finance personnel to identify potential recourse liabilities. Management reviews the calculation of the recourse liability recorded at time of the sale.
Recording Recourse X The initial measurement of the recourse liability does not properly reflect the fair A written policy is in place related to loans sold with recourse requiring a liability be recorded at the estimated fair value of the related
Testing
guarantee.
Entity'sThe
Methodology
journal entry
for and
Estimating
documentation
Recoursesupporting
Reservesthe
arising
initialfrom
measurement
mortgage and
of the
other
recourse
loan activities
liability is reviewed and approved b
Liabilities value of the representation, warranty or other guarantee.
Developing Independent Expectation of Recourse Liabilities
Performing Retrospective Review of Significant Accounting Estimates
Recording Recourse X The entity uses an inappropriate methodology or incorrect significant Recourse liabilities are valued based on an analysis performed by qualified personnel at the entity or by a qualified third party specialist
Testing, which
Entity's
includes
Methodology
amongfor
other
Estimating
item s the
Recourse
following:
Reserves
1 Historical
arisingtrend
fromanalysis
mortgageover
andanother
appropriate
loan activities
period 2
Liabilities assumptions to calculate and record recourse liabilities.
On a regular basis management retrospectively reviews historical experience related to recourse liabilities as well as current industry
Developing
trends including
Independent
the methodology
Expectation used
of Recourse
significant
Liabilities
assumptions utilized and the underlying data relied upon in developing these estimat
Management’s methodology is reviewed by a third party or internal audit. Performing Retrospective Review of Significant Accounting Estimates
Recording Recourse X Underlying data used to calculate and record recourse liabilities does not agree Data used in the calculation is reconciled to the entity’s records. Testing Entity's Methodology for Estimating Recourse Reserves arising from mortgage and other loan activities
Liabilities to the records.
Recording Recourse X X Recourse liabilities are initially recorded when no liability exists. Finance personnel prepare the journal entry supporting documentation and account analysis to record recourse liabilities. Management
Test Recourse
reviews Liability
and approves
Balances
the for
journal
On going
entry relevance
supporting documentation and account analysis before the journal entry is
Liabilities
On a monthly basis finance personnel reconcile recorded recourse liabilities to supporting detail. Management reviews the reconciliation and supporting documentation and unusual activity or invalid reconciling items are investigated and resolved in a timely manner.
Adjusting Recourse X X Recourse liabilities are not relieved when a liability no longer exists (e.g., loan On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testand
Recourse
legal counsel
Liabilitydepartments
Balances fortoOn
discuss
going developments
relevance and or changes in the business that may impact recorded recourse liability.
Liabilities has been repurchased and recorded on the entity’s balance sheet).
Identify and Test for Disputed Claims
Adjusting Recourse X Claims and settlements are not recorded in the correct period. On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability.
Liabilities
Identify and Test for Disputed Claims
Adjusting Recourse X X Previously recorded recourse liabilities are incorrectly removed when a liability On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Perform
and Tests
legal counsel
of Unrecorded
departments
Liabilities
to discuss developments and or changes in the business that may impact recorded recourse liability.
Liabilities still exists.
Adjusting Recourse X Adjustments (including claims and settlements) to recourse liabilities are On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
impact recorded recourse liability.
Liabilities recorded in the general ledger at incorrect amounts.
Identify_and_Test_for_Disputed_Claims
Using Analytical Procedures and/or Tests of Details to Update Tests Performed at an Interim Date
Recourse Liabilities X The entity does not calculate its reserve in accordance with its stated policy or On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
other known conditions and current events that the entity has considered.

Form 18**SDI.4, Recourse Liabilities ROMM Overview
Assertion Name
— Relevant Assertion Identification of Risk of Material Misstatement
("What Could Go Wrong") {a}
Presentation &
Completeness
Valuation and
obligations
Control Control
Rights and
Disclosure
allocation
Existence
Account Balance/ Classification of Risk Associated Design Implementation Control OE
Class of Significant Inherent Risk Risk of Material with the Control Conclusion Conclusion Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, (Implemented, (Effective,
Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Not Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Recourse Liabilities X X The reserve for a mortgage loan in foreclosure or other real estate owned On a regular basis finance personnel including management of mortgage servicing department meet with members of the loan sales
Testing
andEntity's
legal counsel
Methodology
departments
for Estimating
to discuss
Recourse
developments
Reserves
andarising
or changes
from mortgage
in the business
and other
that loan
may activities
(“OREO”) is removed, although the property has not been sold or
indemnification liability has not been relieved.
Perform Tests of Unrecorded Liabilities
Recourse Liabilities X The calculation of the recourse reserve does not agree to the amount recorded On a monthly basis finance personnel reconcile recorded recourse liabilities to supporting detail. Management reviews the reconciliation
Test_Presentation_and_Disclosures_on_Recourse_Liabilities_and_Repurchase_Reserves
and supporting documentation and unusual activity or invalid reconciling items are investigated and resolved in a timely manner.
in the G/L.
Recourse Liabilities X Proper documentation over loan originations, servicing and securitizations has Refer to control activities described within the Loans and Mortgage Servicing Rights ROMMs over loan underwriting and servicing. Testing Entity's Methodology for Estimating Recourse Reserves arising from mortgage and other loan activities
not been properly maintained by the entity which could increase recourse
exposure. (For example, concerns regarding title documentation have caused
many banks to suspend foreclosure proceedings out of concern that improper
foreclosure decisions may be reached.)
Perform_Tests_of_Unrecorded_Liabilities
Recourse Liabilities X Disclosures related to the nature, methodology and amounts of recourse The Controller ensures accounting policies used in the preparation of the financial statements are consistent with the entity s applicable
Test Presentation
financial reporting
and Disclosures
framework on
in conjunction
Recourse Liabilities
with his her
andquarterly
Repurchase
review
Reserves
of the financial statements and completion of a U.S. GAAP re
liabilities is not properly made by the entity, including but not limited to the
following:
1. The methodology used to estimate the reserves related to recourse

exposures
2. Level and types of repurchase claims the entity is receiving
3. Level of allowance established related to the repurchase
4. Method of settling claims; success rate in avoiding claims
5. Time limit of recourse obligation and trends by loan vintage
6. Rollforward of reserves for periods presented

Form 18**SDI.4, Recourse Liabilities Plan Control Testing
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Control Testing
Findings and
Application Observations
System (None Noted, Change to
Control Operating (if control is Plan, Deficiency, Identified
Effectiveness Testing Operating Frequency Is IPE Used automated or Suspected Fraud,
Strategy (Annually, Quarterly, in Testing or and/or we are Testing Reference Management Letter
(Test in Current Period, Monthly, Weekly, Daily, Performing a testing IPE Testing Reference — to Planned Nature, Timing, and Extent of Procedures to Testing Comment, Material
Control Control That Addresses Risk of Material Misstatement Using Prior Period Evidence, Control Year Many Times per Day, Control Relevant through tests of Reference — General IT Evaluation Evaluate Operating Effectiveness (OE) of Controls Reference — Weakness, Significant
ID — Description OE Testing Not Required) Last Tested As Needed) Automated? Control? List IPE controls) IPE Controls of D&I OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
On a regular basis, finance personnel (including management of mortgage servicing
department) meet with members of the loan sales and legal counsel departments to
discuss developments and/or changes in the business that may impact recorded
recourse liabilities (e.g., representations and warranties from mortgage loans sold), or
may impact the need to record a recourse liability.
Such meetings might include discussion of the following topics:

• Listing of recourse liabilities recorded to determine balance recorded and
completeness
• The existence of a condition, situation, or set of circumstances indicating an
uncertainty as to the possible loss to the entity arising from litigation and claims
• Trends in claims
• Portfolios subject to possible claims
• The period in which the underlying cause for legal action occurred
• The probability of an unfavorable outcome
• The amount or range of potential loss
• Current status of appeals
• Payments made related to claims or settlements.
Finance personnel prepare a journal entry and supporting documentation, which is

reviewed by management before the journal entry is recorded.
Transaction documents for sales of loans are reviewed by finance personnel to

identify potential recourse liabilities. Management reviews the calculation of the
recourse liability recorded at time of the sale.
A written policy is in place related to loans sold with recourse requiring a liability be
recorded at the estimated fair value of the related guarantee. The journal entry and
documentation supporting the initial measurement of the recourse liability is reviewed
and approved by the appropriate level of management prior to being recorded into the
general ledger.
Recourse liabilities are valued based on an analysis performed by qualified personnel

at the entity or by a qualified third-party specialist, which includes, among other items,
the following:
1) Historical trend analysis over an appropriate period
2) Expected future repurchase/claims activity
3) Quality of loan underwriting during the periods of analysis
4) Regular discussions with legal counsel on pending or threatening litigation related

to representations and warranties made by the entity
5) Investor repurchase demand
6) Appeal success rates
7) Loss severity
8) Loans subject to possible future claims
The methodology, significant assumptions, and underlying data used as well as the
journal entry are reviewed, evaluated, and approved by management and/or the Board
with appropriate knowledge before the journal entry is recorded.
Form 18**SDI.4, Recourse Liabilities Plan Control Testing
Findings and
Application Observations
System (None Noted, Change to
Control Operating (if control is Plan, Deficiency, Identified
Effectiveness Testing Operating Frequency Is IPE Used automated or Suspected Fraud,
Strategy (Annually, Quarterly, in Testing or and/or we are Testing Reference Management Letter
(Test in Current Period, Monthly, Weekly, Daily, Performing a testing IPE Testing Reference — to Planned Nature, Timing, and Extent of Procedures to Testing Comment, Material
Control Control That Addresses Risk of Material Misstatement Using Prior Period Evidence, Control Year Many Times per Day, Control Relevant through tests of Reference — General IT Evaluation Evaluate Operating Effectiveness (OE) of Controls Reference — Weakness, Significant
ID — Description OE Testing Not Required) Last Tested As Needed) Automated? Control? List IPE controls) IPE Controls of D&I OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
On a regular basis, management retrospectively reviews historical experience related
to recourse liabilities as well as current industry trends; including the methodology
used, significant assumptions utilized and the underlying data relied upon in
developing these estimates. Revisions are made to the methodology or significant
assumptions and underlying data used in the current-period estimation process as
necessary and approved by the appropriate level of management.
Management’s methodology is reviewed by a third party or internal audit.
Data used in the calculation is reconciled to the entity’s records.
Finance personnel prepare the journal entry, supporting documentation, and account
analysis to record recourse liabilities. Management reviews and approves the journal
entry, supporting documentation, and account analysis before the journal entry is
recorded.
On a monthly basis, finance personnel reconcile recorded recourse liabilities to

supporting detail. Management reviews the reconciliation and supporting
documentation, and unusual activity or invalid reconciling items are investigated and
resolved in a timely manner.
Refer to control activities described within the Loans and Mortgage Servicing Rights
ROMMs over loan underwriting and servicing.
The Controller ensures accounting policies used in the preparation of the financial
statements are consistent with the entity's applicable financial reporting framework in
conjunction with his/her quarterly review of the financial statements and completion of
a U.S. GAAP reporting checklist. This review also includes consideration of recent
SEC comment letters applicable to the entity’s business.
Form 18**SDI.4, Recourse Liabilities Plan Substantive Testing
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Substantive Testing
Information Produced by the Entity

Planned Extent of Substantive Testing (IPE)
[Risk (Not Significant) and Relying on Controls — Low Extent of
Testing
Risk (Not Significant) and Relying on Controls — Normal Extent of Findings and Observations
Testing (None Noted, Change to Plan,
Significant Risk and Relying on Controls Is IPE used in Application System Identified or Suspected Fraud,
Risk (Not Significant) and Not Relying on Controls Performing List IPE (if testing IPE through tests of Testing Reference — Management Letter Comment,
ID Substantive Procedures Planned Significant Risk and Not Relying on Controls] Substantive Testing? controls) Testing Reference — IPE Substantive Procedures Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

A Test Recourse Liability Balances for Ongoing relevance
A1 A. Obtain a list of recourse liabilities and foot and agree the total per the reconciliation to the general ledger.
B. Inquire of management and review information in prior-year working papers concerning the nature of the recorded recourse liability and identify the specific need for each reserve.
(1) For a recourse liability that has not changed since the prior year end, assess whether the circumstances requiring the accrual in the prior year still exist.
C. Inquire of management and obtain an understanding of accruals recorded in the current year and identify the specific need for each reserve.
D. Make an audit sample of recourse liabilities from the listing above. For each selection, examine related sales agreements to determine the recourse liability is required.
B Identify and Test for Disputed Claims

B1 A. Obtain a list of recourse liabilities from management and inquire of members of management, including those independent of the accounting department (e.g., legal, risk management, loan
sales), as to the existence of significant disputed claims. For identified items, perform the following:
(1) Obtain audit evidence pertaining to the disputed claim and document our understanding of the disputed claim.
(2) Determine whether the disputed claim should be included or excluded from the general ledger at period end.
(3) Trace disputed claim to appropriate inclusion/exclusion in the period end general ledger balance.
C Perform Tests of Unrecorded Liabilities

C1 A. Inquire of management and review information in the prior-year working papers concerning the nature of the recorded recourse liability and identify the specific need for each accrual.
B. For the list of accounts utilized in Possible Procedure 1 "Test Recourse Liabilities" for Existence above, obtain a rollforward of the liability, showing prior-year balance, any additions, payments,
and/or settlements, and the ending balance.
(1) If a reduction in the prior year recourse balance was not due to a specific payment or disposition, inquire as to the events that triggered the reduction and determine if such reduction is
appropriate.
C. Consider the evidence obtained as part of the search for unrecorded liabilities performed on Accounts Payable.
D. Consider examining the following documents for evidence of unrecorded recourse liabilities as:
(1) Attorneys' letters
(2) In-house counsel litigation binders
(3) Insurance policies
(5) Board of directors' minutes, or inquire of key personnel such as:
a. In-house legal counsel
b. Director of Risk Management
c. Operational department leaders
D Testing Entity's Methodology for Estimating Recourse Reserves (arising from mortgage and other loan activities)
D1 A. Understand, document, and evaluate the reasonableness of the methods and assumptions used by management to estimate recourse reserves stemming from representations and warranties
made by the entity.
Consider whether such methods and assumptions include, but are not limited to, the following:
• Written policy on the entity’s process for estimating the recourse reserve, including the extent of management review (e.g., Board approval/review required)
• Information on pending and threatening litigation related to representations and warranties made by the entity from discussions with internal legal counsel
• Success of appeals analysis
• Historical analysis of loan repurchase activity by the entity
• Future expected repurchase activity
• Quality of loan underwriting and servicing of loans originated by the entity for which recourse liabilities exist
• Amount of losses incurred on loans repurchase
• Pools of loans for which repurchase demands are possible.
• Benchmark analysis to competitors with recourse liabilities, if reasonable
B. If management's methods and assumptions are reasonable, test the accuracy and completeness of the data used by management by the following means:
(1) Check mathematical accuracy of model.
(2) Perform audit procedures directly on the information being relied upon and assumptions being used. These procedures may include either of the following:
a. Reproducing the information.
b. Agreeing summary information to underlying data or third-party source documents and tracing a selection of information from the entity's underlying data or third-party source documents into the
information.
C. Identify and obtain audit evidence to support the key assumptions underlying the estimate.
D. Consider guidance within the Audit Quality Alert 10-10 and PCAOB Practice Alert No.7 on auditing litigation and other contingencies related to mortgage and other loan activities.
E. In instances when the audit evidence is inconsistent among differing sources, perform additional audit procedures to resolve the inconsistency.
F. Using the appropriate data, assumptions, and methodology, recompute the recourse reserve.
E Developing Independent Expectation of Recourse Liabilities

Form 18**SDI.4, Recourse Liabilities Plan Substantive Testing
Recourse Liabilities: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Substantive Testing
Information Produced by the Entity

Planned Extent of Substantive Testing (IPE)
[Risk (Not Significant) and Relying on Controls — Low Extent of
Testing
Risk (Not Significant) and Relying on Controls — Normal Extent of Findings and Observations
Testing (None Noted, Change to Plan,
Significant Risk and Relying on Controls Is IPE used in Application System Identified or Suspected Fraud,
Risk (Not Significant) and Not Relying on Controls Performing List IPE (if testing IPE through tests of Testing Reference — Management Letter Comment,
ID Substantive Procedures Planned Significant Risk and Not Relying on Controls] Substantive Testing? controls) Testing Reference — IPE Substantive Procedures Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

E1 A. Develop a point estimate or range.
B. When developing a point estimate or range, obtain audit evidence to support that the data used to make our point estimate or range is independent and reliable and if we are using information
produced by the entity, that it is accurate and complete.
C. When using information that is produced by the entity, obtain audit evidence about the accuracy and completeness of the data by either of the following means:
(1) Perform tests of the operating effectiveness of controls over the production and maintenance of the information. [Note: Tests of the operating effectiveness of general computer controls alone
do not provide assurance over the accuracy and completeness of information produced by the entity.]
(2) Perform audit procedures directly on the information being relied upon. These procedures ordinarily include either of the following:
a. Reproducing the information, using the entity's underlying data and file-interrogation software on computer-generated information (e.g., ACL).
b. Agreeing summary information to underlying data or third-party source documents and tracing a selection of information from the entity's underlying data or third-party source documents into the
information.
D. In instances when the audit evidence to be used in forming our expectations is inconsistent among differing sources, perform additional audit procedures to resolve the inconsistency.
E. Compare the recorded amount(s) to our point estimate or range and evaluate any differences. When a point estimate has been developed, the difference between our point estimate and the
recorded estimate constitutes a misstatement. When a range provides sufficient appropriate audit evidence and the recorded estimate lies outside the range, the misstatement is no less than the
difference between the recorded amount and the nearest point in the range.
F Performing Retrospective Review of Significant Accounting Estimates

F1 A. Perform a retrospective review of significant accounting estimates related to recourse liabilities and repurchase reserves of the prior year and consider the results of this retrospective review in
evaluating the current year estimates. If we identify a possible bias on the part of management in making accounting estimates, we should evaluate whether circumstances producing such a bias
represent a risk of a material misstatement due to fraud.
G Using Analytical Procedures and/or Tests of Details to Update Tests Performed at an Interim Date
G1 A. Make inquiries of the entity's personnel knowledgeable of the recourse liability recorded at the interim date regarding their knowledge of any changes in facts or circumstances in the intervening
period that might have a significant impact on the year-end balance.
B. Perform substantive analytical procedures to test the year-end account balance.
(1) Develop expectations of the year-end account balance by considering factors identified during the interim test as well changes in facts or circumstances during the intervening period identified
during inquires made. (i.e., compare relevant information at interim with comparable information at final).
(2) Determine threshold.
(3) Compare the expectation to the recorded amount and identify any differences. For any difference that is more than the threshold, obtain, quantify, and corroborate explanations for the difference
by performing further analysis or inquiry and examining supporting documents. Explanations should be sought for the full amount of the difference, not just for the part that exceeds the threshold.
and/or:
C. Perform test of details on the account balance change in the intervening period (i.e., from the interim test date to the balance sheet date) by examining activity within the account balance.
H Test Presentation and Disclosures on Recourse Liabilities and Repurchase Reserves

H1 A. Tie the total recourse liability and repurchase reserve included in the general ledger and tested in our leadsheet to the amount included in the financial statements.
B. Read and analyze the description of the process for estimating the recourse liabilities and repurchase reserve. Determine that the description accurately describes the process used by the entity
to obtain the estimate and that the description is appropriately understandable.
C. Read and analyze the footnote disclosures related to the recourse liabilities and repurchase reserve and determine that they accurately describe the exposure of the entity as of year end.
D. Determine that the following disclosures are made by the entity:
• Disclose the methodology used to estimate the reserves related to recourse exposures
• Level and types of repurchase claims the entity is receiving
• Level of allowance established related to the repurchase
• Method of settling claims; success rate in avoiding claims
• Time limit of recourse obligation and trends by loan vintage
• Rollforward of reserves for periods presented
Form 18**SDI.4, Recourse Liabilities Notes
NOTES
Note 1 Account Balance/Class of Transactions/Disclosure

Within this template, the term class of transactions refers to Income Statement accounts and account balance refers to Balance Sheet accounts. The term
transaction type is used to describe an activity or series of activities that results in one or more classes of transactions, account balances, and disclosures. [Derived from
U.S. AAM 13200.8a.]
Note 2
Relevant AssertionsThe assertions are considered at the class of transactions, account balance, and disclosure level. See the "Assertions" tab of this template for a description and examples of each assertion.Refer to U.S. AAM 13150
NOTE: For a class of transactions (Income Statement account), account balance (Balance Sheet account), or disclosure, if an assertion is not considered relevant, include
documentation in the working papers explaining why the assertion is not relevant for that class of transactions, account balance, or disclosure.
The determination of whether an assertion is relevant is based on inherent risk, without regard to the effect of internal controls. [U.S. AAM and PCAOB AAM Glossary]
Note 3 Risk of Material Misstatement

For the material classes of transactions, account balances, and disclosures [significant accounts and disclosures] identified, we are required to identify risks of material
misstatement at the relevant assertion level to provide a basis for designing and performing further audit procedures. [U.S. AAM 13200.3/PCAOB AAM 13200.2]
Consideration of transaction types may be relevant to our identification and assessment of risks of material misstatement at the relevant assertion level for classes of
transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]
NOTE: For integrated and nonintegrated audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the
standards of the AICPA, we are required to document our understanding of the flows of transactions using process flow diagrams to supplement narratives or other
documentation related to:
• Accounts or disclosures for which we have identified a significant risk
• Revenue accounts identified as material to the financial statements [Derived from U.S. AAM 23001-I.56/PCAOB AAM 12200.73.]
For nonintegrated audits performed in accordance with the standards of the AICPA, if we intend to rely on the operating effectiveness of controls in determining the nature,
timing, and extent of substantive procedures to address risks of material misstatement that are (1) significant risks or (2) related to revenue accounts identified as
material to the financial statements, we are required to document our understanding of the applicable flows of transactions related to the accounts or disclosures using
process flow diagrams to supplement narratives or other documentation. [Derived from U.S. AAM 12200.98a.]
The consideration of what can go wrong for the classes of transactions, account balances, and disclosures may assist us in identifying the risks of material misstatement,
relating these risks to the relevant assertions, and in designing more effective and efficient procedures to respond to those risks. This means that we think about those
things that could go wrong of sufficient likelihood to lead to material misstatement and does not mean that we have to contemplate all possible things that could go wrong
regardless of their likelihood. [U.S. AAM 13150.5/PCAOB AAM 13150.5, emphasis added.]
A risk of material misstatement is a risk that the financial statements are materially misstated prior to audit. This consists of two components, described as follows at the
assertion level:
- Inherent risk: The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or
when aggregated with other misstatements, before consideration of any related controls.
- Control risk: The risk that a misstatement could occur in an assertion about a class of transaction, account balance, or disclosure that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. [U.S. AAM
and PCAOB AAM Glossary]
A risk of material misstatement may relate to one or more relevant assertions. Further, one or more risks of material misstatement may exist for a relevant assertion.
Refer to U.S. AAM 13150 and 12200 or PCAOB AAM 13150 and 12200 for further guidance.
Note 4 Significant Findings or Issues
Significant findings or issues represent matters of importance to the engagement partner or Engagement Quality Control (EQC) Reviewer in planning, supervising, and
reviewing our audit. We categorize these items as significant findings or issues to draw the attention of engagement leaders to them and to designate them as matters for
which the engagement partner is required to perform a primary review in addition to that of the manager. While a significant risk gives rise to an audit response that is
incremental to that required for a normal risk, a significant finding or issue may not result in changes to the nature, timing, or extent of audit testing. However, we
separately identify significant findings or issues in our audit documentation (including our planning and summary memoranda) and subject our related work to more
detailed review by the engagement partner and EQC Reviewer.
Risks of material misstatement related to significant findings or issues, identified during planning and which affect the audit procedures performed, may result in
customization of one or all of the related risks of material misstatement, control activities, and/or the related substantive procedures described in this template.
Significant findings or issues for planning purposes include, but are not limited to, the following:
- Risks of material misstatement that are determined to be significant risks and the results of the auditing procedures performed in response to those risks
- Matters that are significant involving the selection, application, and consistency of accounting principles, including related disclosures (e.g., new accounting
pronouncements)
- Accounting for complex or unusual transactions
- Accounting estimates highly dependent upon judgment
- Significant uncertainties
- Matters that led to the classification of engagement risk as greater than normal or much greater than normal
- Circumstances that cause us significant difficulty in applying necessary audit procedures. [Derived from U.S. AAM 00200.16-16a/PCAOB AAM 00200.23-23a.]
Refer to U.S AAM 00200.16-16a/PCAOB AAM 00200.23-23a for additional guidance.
Note 5
Classification of Inherent Risk
As part of the risk assessment, we are required to determine whether any of the risks identified are, in our judgment, a significant risk. In exercising this judgment, we
are required to exclude the effects of identified controls related to the risk. [U.S. AAM 13150.52/PCAOB AAM 13150.3 and 27]
A significant risk is an identified and assessed risk of material misstatement that, in the auditor's judgment, requires special auditor consideration. [U.S. AAM and PCAOB
AAM Glossary]
Risks of material misstatement related to significant risks may result in customization of one or all of the related risks of material misstatement, control activities, and/or
related substantive procedures described in this template.
In exercising judgment as to which risks are significant risks, we are required to consider at least the following:
- Whether the risk is a risk of fraud
- Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires special attention
- The complexity of transactions
- Whether the risk involves significant transactions with related parties
- The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement
uncertainty
- Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. [U.S. AAM
13150.53/PCAOB AAM 13150.28]
Presumed Significant Risks — Revenue Recognition and Management Override of Controls

When identifying and assessing the risks of material misstatement due to fraud, we are required to, based on a presumption that there are risks of fraud in revenue
recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. [Excerpted from U.S. AAM 13150.46/PCAOB AAM
13150.18.]
Due to the unpredictable way in which management override of controls could occur, it is a risk of material misstatement due to fraud and thus a significant risk.
[Excerpted from U.S. AAM 13350.4/PCAOB AAM 13350.2.]
Note 6 Risk of Material Misstatement Due to Fraud?

We use professional judgment to determine whether a fraud risk factor is present and whether it is to be considered in assessing the risks of material misstatement of the
financial statements due to fraud. [Derived from U.S. AAM 13150.37/PCAOB AAM 13150.14.]
We are required to treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, we are required
to obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, and evaluate whether such controls have been suitably
designed and implemented to mitigate such fraud risks. [U.S. AAM 13150.42/PCAOB AAM 13150.33]
Identifying potential fraud schemes may facilitate the evaluation of the design of relevant controls and the development of effective audit procedures. [U.S. AAM
13300.49a/PCAOB AAM 13300.70b]
Note 7
Risk Associated with the Control – For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in
Accordance with the Standards of the AICPA
The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result.
[Excerpted from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]
The risk associated with a control may be assessed as either “higher” or “not higher,” based on the factors in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31). See
Deloitte Guidance (Q&A) 3-1, Risk Associated with the Control — Relationship to Inherent Risk, for additional information.
It is not necessary to separately document our consideration of each factor in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31); it may be possible to document our
considerations on a collective basis (e.g., for groups of controls with similar characteristics where the risk associated with the control is similar).
If the risk of material misstatement associated with the related account(s) or assertions(s) is a significant risk, the risk associated with the control is higher. [Excerpt
from U.S. AAM 23001-I.73/PCAOB AAM 23001.21a.]
Note 8 Identification and Documentation of Relevant Control Activities
Integrated Audits
If we are performing an integrated audit, control activities that are relevant to the audit include those that address the assessed risks of material misstatement for each
relevant assertion. [U.S. PCAOB AAM 12200.85]
Nonintegrated Audits
We are required to obtain an understanding of control activities relevant to the audit, being those we judge it necessary to understand in order to assess the risks of
material misstatement at the assertion level and design further audit procedures responsive to assessed risks. [Excerpt from U.S. AAM 12200.99/PCAOB AAM
12200.78.]
We are required to obtain an understanding of the process for reconciling detailed records to the general ledger for material classes of transactions and account balances.
[U.S. AAM 12200.99a/PCAOB AAM 12200.79a]
Control activities that are relevant to the audit are:

- Those that are required to be treated as such, being control activities that relate to significant risks and those that relate to risks for which substantive procedures alone
do not provide sufficient appropriate audit evidence; or
- Those that are in our judgment considered to be relevant. [U.S. AAM 12200.100/PCAOB AAM 12200.81]
Relevant controls include:

- Controls that address significant risks
- Controls that address risks for which substantive procedures alone are not sufficient
- Controls we plan to rely upon to reduce substantive testing
- Controls over journal entries
- Controls we believe it is necessary to understand in order to plan substantive procedures as part of our further audit procedures to obtain sufficient appropriate audit
evidence
- Reconciliations of detailed records to the general ledger for material classes of transactions and account balances.
When obtaining an understanding of controls that are relevant to the audit, we are required to evaluate the design of those controls and determine whether they have
been implemented, by performing procedures in addition to inquiry of the entity’s personnel. [U.S. AAM 12200.30/PCAOB AAM 12200.35]
Refer to U.S. AAM 12200/PCAOB AAM 12200 for further guidance.
Note 9 Conclusion — Design, Implementation, Operating Effectiveness of Controls

Was a deviation or exception identified? Does a deficiency exist? If yes, evaluate the deficiency individually and in combination with other deficiencies. Determine if the
deficiency is a deficiency, a significant deficiency, or a material weakness. Communicate the deficiency, as appropriate.
Determine whether we have a basis for relying on those controls and whether we are able to perform our planned extent of substantive procedures. If an integrated audit,
evaluate the effect on the ICFR opinion.
Refer to U.S. AAM 23001/PCAOB AAM 23001 for further guidance. Consider using Form 2342S, Evaluation of Deficiencies in Internal Control, and Form 2343S, Evaluation
of an Individual Deficiency in Internal Control, to assist in the evaluation.
Note 10 Substantive Procedures Planned
Irrespective of the assessed risks of material misstatement, we are required to design and perform substantive procedures for each relevant assertion related to each
material class of transactions, account balance, and disclosure [significant account and disclosure]. [U.S. AAM 13300.22/PCAOB AAM 13300.48]
The nature, timing, and extent of planned procedures may vary in response to the assessed risk of material misstatement at the assertion level.
A substantive procedure may address more than one risk. We may consider the audit procedures and risks which they address when planning and performing substantive
procedures so that the substantive procedures performed are effective and efficient. [U.S. AAM 23002-1.34]
Nature and Extent of Substantive Procedures

Depending on the circumstances, we may determine that:
- Performing only substantive analytical procedures will be sufficient to reduce audit risk to an acceptably low level (e.g., where our assessment of risk is supported by
audit evidence from tests of controls)
- Only tests of details are appropriate
- A combination of substantive analytical procedures and tests of details are most responsive to the assessed risks [U.S. AAM 23002-1.5/PCAOB AAM 23002-1.11]
NOTE: For audits performed in accordance with the standards of the PCAOB, for significant risks, we are required to perform substantive procedures, including tests of
details, that are specifically responsive to the assessed risks. Therefore, for audits performed in accordance with the standards of the PCAOB, regardless of whether we are
relying on controls, our substantive procedures responsive to a significant risk will either comprise tests of details alone or tests of details performed in combination with
substantive analytical procedures. [U.S. PCAOB AAM 13300.65]
Because the assessment of the risk of material misstatement takes account of internal control, the extent of substantive procedures may need to be increased when the
results from tests of controls are unsatisfactory. However, increasing the extent of an audit procedure is appropriate only if the audit procedure itself is relevant to the
specific risk. [U.S. AAM 23002-1.8/PCAOB AAM 23002-1.13]
In designing tests of details, the extent of testing is ordinarily thought of in terms of the sample size. However, other matters are also relevant, including whether it is
more effective to use other selective means of testing. [U.S. AAM 23002-1.9/PCAOB AAM 23002-1.15]
Corollary Testing
Depending on the classes of transactions, account balances, and disclosures being audited and the audit procedures performed, corollary testing may provide audit
evidence related to the risks of material misstatement identified.
Note 11
Control Operating Effectiveness Testing Strategy

If we are performing a nonintegrated audit and we plan to rely on controls over a risk that we have determined to be a significant risk, we are required to test those
controls in the current period. [U.S. AAM 23001.17/PCAOB AAM 31100.53, emphasis added.]
If we are performing an integrated audit, we are required to test those controls that are important to our conclusion about whether the company’s controls sufficiently
address the assessed risk of misstatement to each relevant assertion. We must test those entity-level controls that are important to our conclusion about whether the
company has effective internal control over financial reporting. [U.S. AAM 23001-I.36 and 62/PCAOB AAM 13300.34 and 38]
For audits performed in accordance with the standards of the PCAOB, or for integrated audits performed in accordance with the standards of the AICPA, we should only use
the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for those controls where we have assessed the risk associated with
the control as lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing set forth in U.S. AAM Figure 23001-I.1
or U.S. PCAOB AAM Figure 23001.1). Use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 is never required. [U.S.
AAM 23001-I.94/PCAOB AAM 23001.56]
If we are using the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 to test a relevant control, we are required to have (1)
assessed the risk associated with the control as "not higher"; (2) tested the operating effectiveness of the control in one of the prior two audits, using at least the sample
sizes in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for a normal extent of testing, and have concluded that the control was effective; (3) confirmed
that there have been no changes in the control or the process in which it operates since the prior audit; and (4) based on consideration of (1), (2), and (3), have
concluded that the risk associated with the control is lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing
set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1), such that the use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S.
PCAOB AAM Figure 23001.1 is considered appropriate. [U.S. AAM 23001-I.95/PCAOB AAM 23001.57]
If we are performing a nonintegrated audit in accordance with the standards of the PCAOB, we should obtain evidence during the current year about the design and
operating effectiveness of controls upon which we rely. [Excerpt from U.S. PCAOB AAM 23001.19]
Refer to U.S. AAM 23001 and 23001-I or PCAOB AAM 13300 and 23001 for further guidance. In addition, refer to Chapter 3, "Testing Operating Effectiveness," within the
Internal Control Guide.
NOTE: For nonintegrated audits performed in accordance with the standards of the AICPA, refer to
the guidance at U.S. AAM 23001.7-11.
Note 12 Control Year Last Tested — For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in Accordance with
the Standards of the AICPA
The "Control Year Last Tested" represents the last year the relevant control was tested using a normal extent of testing.
Note 13 Operating Frequency
For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, refer to U.S. AAM
Figure 23001-I.1 or PCAOB AAM Figure 23001.1 for suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the
operating effectiveness of controls.
Depending on the circumstances, we may use professional judgment to determine that larger sample sizes may be appropriate, for example, when we are performing tests
of controls that address one or more significant risks. [U.S. AAM 23001.40/PCAOB AAM 23001.51]
When testing the operating effectiveness of a control that operates less frequently than many times per day, depending on the nature of the control, the risk associated
with the control, and the number of times that it is applied when it operates, we may make additional selections to test its operating effectiveness. [Excerpted from U.S.
AAM 23001.40a/PCAOB AAM 23001.54.]
Refer to U.S. AAM 23001.28-42 or 23001-I.82-99/PCAOB AAM 23001.44-64 for additional guidance regarding determination of the sample size. Also, see Deloitte
Guidance Q&A IC 3-9, Determining the Frequency of a Control, for additional information.
Note 14 Information Produced by the Entity (IPE)
Types of IPE may include, but are not limited to:
- Standard "out of the box" reports as shipped with the system that have not been modified and do not allow for customization of inputs/outputs
- Parameter-driven reports generated by the entity's application system that allow for user selection of inputs (fields/parameters) to generate the report output
- Custom-developed reports that are not standard to the application and are defined and generated by user-operated tools such as scripts, report writers, programming
language, and query tools
- Spreadsheets that include relevant information (e.g., data (1) obtained from an outside source, (2) manually entered into a spreadsheet, (3) summarized or analyzed
using spreadsheet formulas or data exported from ledger system into an MS Access Database, and (4) then manipulated and summarized)
- Client-prepared analyses and schedules that are manually prepared by entity personnel either from information generated from the entity's system or from other internal
or external sources.
Internal Controls IPE in the Context of Internal Controls

IPE in the context of internal controls may include the following:
- Information that we rely upon to test a relevant control

- Information that entity personnel rely upon to perform a relevant control
Substantive Procedures
IPE in the Context of Substantive Audit Procedures
IPE in the context of substantive audit procedures includes information that we rely upon when performing our substantive audit procedures. If the information is the
starting point or subject of our substantive audit procedures, our planned substantive audit procedures will typically address the accuracy and completeness of the
information, and no additional procedures may therefore be necessary. In other cases, our substantive audit procedures may rely on a report that is not the subject of our
substantive audit procedures and/or tests of relevant controls, and it may be necessary to perform additional procedures to address the completeness and accuracy of the
report.
NOTE: The requirement to obtain audit evidence about the accuracy and completeness of IPE also applies when we are using the work of others. If IPE has not been
appropriately tested by those whose work we are using, we may either request that they perform the necessary procedures or we may perform the procedures ourselves.
Refer to U.S. AAM 22500-1/PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.
Note 15 Application System
Document the names of relevant application systems.
Identifying the relevant application system within this template allows us to establish the linkage between the risks of material misstatement to which the relevant
application systems and IT infrastructure relate, the relevant IT risks related to these application systems and IT infrastructure, and the general IT controls that address
such risks. IT risks and general IT controls may be documented in the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting
working papers.
General IT controls may be relevant to the audit if:

- The entity relies on an application system or data warehouse to process or maintain data (e.g., transactions or other relevant data) related to (i) significant accounts and
disclosures or (ii) reports used in the operation of a relevant control.
- The entity relies upon the application system to perform certain automated functions that we determine are relevant to the audit, such as:
- Automated Input, Processing, and Output Controls: This includes the automation of controls related to financial reporting (e.g. a three-way match of the purchase
order, receiver, and invoice prior to payment); the automated approval of payment following an approved delegation of authority; or the automation of the interface
between two systems.
- Automated Calculations: This includes the automation of financial calculations underlying amounts that support or are related to account balances, classes of
transaction, or disclosures in the financial statements (e.g., the extension of sales price times quantity to generate sales invoices, the calculation of outstanding balance on
a loan portfolio, or the calculation of depreciation expense).
- Automated Application Access: This includes the automation of access to financial reporting transactions, including logical segregation of duties (e.g., access
restrictions to updates to inventory quantities or the systematic segregation of duties between front-office and back-office transactions for derivatives processing).
- The entity relies upon an application, data warehouse query, or report writer to generate a report that is used in the operation of relevant controls. The automation of the
report logic (which is viewed as akin to an automated control) includes the extraction criteria and algorithms (e.g., such as those found in an A/R aging report, an
exception report of goods shipped but not invoiced, or monthly financial statements).
- We have judged that it is not possible or practicable for us to obtain sufficient appropriate audit evidence to address certain risks of material misstatement by performing
only substantive procedures and the relevant controls that we have identified over such risks are automated controls or controls that rely on general IT-controls (see
Section 13300 of U.S. AAM and U.S. PCAOB AAM). [U.S. AAM 12200.95a/PCAOB AAM 12200B.11A]
IT risks and general IT controls may be documented in the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting working papers.
Note 16 Planned Procedures to Obtain Audit Evidence of Accuracy and Completeness of IPE
Reference to where IPE testing is performed.
NOTE: Procedures to obtain audit evidence about the accuracy and completeness of IPE may be addressed within the documentation of the planned response to test the
control or substantive procedure or aggregated and documented individually in a separate IPE workbook (Form 18**S-IPE).
For nonintegrated audits performed in accordance with the standards of the AICPA, when using information produced by the entity we are required to evaluate whether the
information is sufficiently reliable for our purposes, including as necessary in the circumstances:
• Obtaining audit evidence about the accuracy and completeness of the information
• Evaluating whether the information is sufficiently precise and detailed for our purposes. [U.S. AAM 22500-1.3]
For audits performed in accordance with the standards of the PCAOB (for integrated audits, see also U.S. AAM 22500-1.3), when using information produced by the entity
as audit evidence, we are required to evaluate whether the information is sufficient and appropriate for purposes of the audit by performing procedures to:
• Test the accuracy and completeness of the information, or test the controls over the accuracy and completeness of that information
• Evaluate whether the information is sufficiently precise and detailed for purposes of the audit. [U.S. PCAOB AAM 22500-1.2]
For audits performed in accordance with the standards of the PCAOB, when testing a relevant control that is dependent upon information produced by the entity (and the
effectiveness of the control is therefore dependent upon the accuracy and completeness of such information), we are required to (1) identify controls that address the
accuracy and completeness of such information produced by the entity and (2) test the design and operating effectiveness of such controls (see U.S. PCAOB AAM
13300.22). [U.S. AAM 22500-1.3]
Obtaining audit evidence about the accuracy and completeness of information produced by the entity includes procedures to address:
• The accuracy and completeness of the source data
• The creation and modification of the applicable report logic and parameters. [U.S. AAM 22500-1.5a/PCAOB AAM 22500-1.5a]
Refer to U.S. AAM 22500-1 or PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.
Note 17 Testing Reference — General IT Controls

Include tickmark or cross-reference (as specific as possible) to the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting working
papers where testing is documented (e.g., See working paper 4410.1, [Testing] tab).
Note 18 Reference to Evaluation of D&I

Include a tickmark or cross-reference to where the evaluation of design and implementation is documented. The evaluation of design and implementation of relevant
control activities may be documented in a separate working paper or within a tab inserted within this template.
Evaluation of Design and Implementation

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or
detecting and correcting, material misstatements. [U.S. AAM 12200.31/PCAOB AAM 12200.35]
Implementation of a control means that the control exists and that the entity is using it.
Refer to U.S. AAM 12200.30-40/PCAOB AAM 12200.35-38 for additional guidance regarding the evaluation of design and determination of implementation for relevant
controls.
The evaluation of the design of controls documentation may include consideration of the (1) the nature and significance of the risks of material misstatement addressed by
the control, (2) the characteristics or details of the control, and (3) the following factors to determine whether the control is appropriately designed (i.e., the precision of a
control) to address the identified risk.
Factors to Consider When Determining Whether Control Is Appropriately Designed

- Appropriateness of the purpose of the control and its correlation to the risk/assertion
- Appropriateness of the control considering the nature and significance of the risk
- Competence and authority of the person(s) performing the control
- Frequency and consistency with which the control is performed
- Level of aggregation and predictability
- Criteria for investigation and process for follow-up
- Dependency on other controls or information.
For more information regarding these factors, see the Internal Control Guide, Chapter 2, "Understanding Likely Sources of Misstatement and Testing Design Effectiveness
for Controls That Address Risk of Material Misstatement."
The extent of documentation may vary depending upon the nature of the control and the level of subjectivity involved.
For example: Management reviews and other higher level controls (e.g., direct and precise entity-level controls) would typically require more extensive documentation
than an attribute-based control.
NOTE: In an integrated audit, the purpose of a test of design effectiveness is not to determine whether the control has been implemented. We do not need to separately
test implementation if we are also testing operating effectiveness. However, the procedures performed to test design and to determine implementation may be similar.
Note 19 Planned Nature, Timing, and Extent of Procedures to Evaluate Operating Effectiveness of Controls
Consider nature, timing, and extent of our tests when planning procedures to evaluate operating effectiveness of controls.
Nature of Tests of Controls
Nature of tests of controls includes inspection of documentation supporting our inquiries, reperformance supporting our inquiries, and observation supporting our inquiries.
Extent of Tests of Controls

When more persuasive audit evidence is needed regarding the effectiveness of a control, it may be appropriate to increase the extent of testing of the control. As well as
the degree of reliance on controls, matters we may consider in determining the extent of tests of controls include the following:
- The frequency of the performance of the control by the entity during the period
- The length of time during the audit period that we are relying on the operating effectiveness of the control
- The expected rate of deviation from a control
- The relevance and reliability of the audit evidence to be obtained regarding the operating effectiveness of the control at the assertion level
- The extent to which audit evidence is obtained from tests of other controls related to the assertion. [U.S. AAM 23001.28/PCAOB AAM 23001.42-43]
In addition, for PCAOB audits matters we may also consider in determining the extent of tests of controls include the following:
- The nature of the control, including, in particular, whether it is a manual control or an automated control
- For an automated control, the effectiveness of relevant general IT controls. [Excerpted from U.S. PCAOB AAM 23001.43]
Timing of Tests of Controls

We are required to test controls for the particular time, or throughout the period, for which we intend to rely on those controls, in order to provide an appropriate basis for
our intended reliance. [U.S. AAM 23001.45/PCAOB AAM 13300.19]
Refer to U.S. AAM 23001 and 23001-I or U.S. PCAOB AAM 23001 for further guidance.
NOTE: For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, for each
control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk
associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk
associated with the control being tested increases, the evidence that the auditor should obtain also increases.
[Derived from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]
Note 20 Testing Reference

Include tickmark or cross-reference (as specific as possible) to supporting working papers where testing is documented (e.g., See working paper 4311.1, [Testing] tab).
Include reference, if applicable, to use of the work of others, use of specialists, and rollforward procedures if tested at an interim date.
Note 21 Findings and Observations
Include a tickmark or cross-reference to supporting working papers for documentation supporting the finding or observation.
NOTE: When evaluating the operating effectiveness of relevant controls, we are required to evaluate whether misstatements that have been detected by substantive
procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit
evidence that controls related to the assertion being tested are effective. [U.S. AAM 23001.50/PCAOB AAM 23001.84] The identification by us of a material
misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control is
an indicator of a material weakness. [U.S. AAM 23001.51/PCAOB AAM 23001.110]
In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of
financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, at a minimum—
• The auditor’s risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud.
• Findings with respect to illegal acts and related party transactions.
• Indications of management bias in making accounting estimates and in selecting accounting principles.
• Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor’s judgment about the effectiveness of controls. [U.S. AAM
23001-I.196/PCAOB AAM 23001.117]
Note 22 Planned Extent of Substantive Testing

A substantive procedure may address more than one risk of material misstatement. The planned extent of substantive testing would equate to the most extensive planned
extent of substantive testing for all risks of material misstatement to which the procedure has been linked (e.g., if a substantive procedure is addressing multiple material
misstatements and only one is a significant risk, the substantive procedure would be performed to address the extent of testing necessary to address the significant risk).
Substantive Analytical Procedures

In using our professional judgment to determine thresholds, we may refer to U.S. AAM Figure 23002-1.1 or U.S. PCAOB AAM Figure 23002-1.1.
Tests of Details
If we use audit sampling, our sample sizes may be determined using U.S. AAM Figure 23002-4.1 or U.S. PCAOB AAM Figure 23002-4.1.
Low Extent of Testing

In situations where we have identified a risk of material misstatement that is not significant and we are able to rely on the operating effectiveness of controls related to the
risk of material misstatement being tested, we may set the extent of testing as either normal or low for the purposes of determining the appropriate thresholds or
determining the appropriate sample size using U.S. AAM Figure 23002-1.1 or U.S. PCAOB AAM Figure 23002-1.1 (Determination of Threshold Table) and U.S. AAM Figure
23002-4.1 or U.S. PCAOB AAM Figure 23002-4.1 (Audit Sampling Sample Size Table), based on (1) the nature of the risk, (2) the likelihood of the occurrence of the risk,
and (3) the likely magnitude of any resulting misstatements. [Derived from U.S. AAM 23002-2.42 and 23002-4.31/PCAOB AAM 23002-2.44 and 23002-4.28.]
Form 18**SDI.4, Recourse Liabilities Assertions
Assertions used by us to consider the different types of potential misstatements that may occur (i.e., "what could go wrong") fall into the following three
categories and may take the following forms:
Note: The table below provides the linkage between the current Deloitte Touche Tohmatsu Limited (DTTL) Audit Approach Manual (DTTL AAM) terminology
(which is consistent with the ISAs) and PCAOB assertions.
Assertions about classes of transactions (income The following are examples of potential Misstatements relating to the assertions PCAOB Assertions
statement accounts) and events for the period under below. These examples are neither exhaustive nor always applicable as facts
audit: and circumstance may vary from one entity to the next.
Occurrence Transactions and events that have Potential Misstatements relating to the Assertion occurrence, for income statement Existence or occurrence
been recorded have occurred and account balances, may result from:
pertain to the entity. - Fictitious or unauthorized transactions are entered on source documents or directly into
the application system (input)
- Transactions are duplicated when input
- Invalid input is captured in the subsidiary ledgers.
Completeness All transactions and events that Potential Misstatements relating to the Assertion completeness, for income statement Completeness
should have been recorded have account balances, may result from:
been recorded. - Transactions or events that are not identified and therefore are not entered on a source
document or directly into the application system (input)
- Input is not captured into the subsidiary ledgers
- Input that is rejected is not resubmitted for capture in the subsidiary ledger.
Accuracy Amounts and other data relating to Potential Misstatements relating to the Assertion accuracy, for income statement account Valuation or allocation
recorded transactions and events balances, may result from:
have been recorded appropriately. - Input is inaccurately captured into the subsidiary ledgers
- Input or subsequent processing reflects amounts in excess or less than appropriate
amounts
- Processing of transactions is inaccurate (i.e., summarizing, calculating, and posting)
- Inaccurate adjustments are made to the subsidiary ledgers or general ledger.
Cutoff Transactions and events have been Potential Misstatements relating to the Assertion cutoff, for income statement account Valuation or allocation
recorded in the correct accounting balances, may result from:
period. - Transactions or events that have occurred or will occur are recorded too early (i.e., they
are recorded in a period prior to when they should have been recorded)
- Transactions or events that have occurred are recorded too late (i.e., they are recorded
in a period after the period in which they should have been recorded).
Classification Transactions and events have been Potential Misstatements relating to the Assertion classification, for income statement Valuation or allocation
recorded in the proper accounts. account balances, may result from:
- Input is recorded in the incorrect subsidiary ledger or general ledger account
- Subsequent processing of a transaction results in it being reflected in the incorrect
subsidiary ledger or general ledger account.
Assertions about account balances (balance sheet

accounts) at the period-end:
Existence Assets, liabilities, and equity interests Potential Misstatements relating to the Existence assertion, for balance sheet account Existence or occurrence
exist. balances, may result from:
- A balance sheet account balance that was previously correctly recorded no longer exists
and the sale/adjustment has not been recorded
- Sale of an asset with no recording of the sale
- Theft of an asset with no recording of the loss.
Rights and The entity holds or controls the rights Potential Misstatements relating to the Assertion rights and obligations, for balance sheet Rights and obligations
obligations to assets, and liabilities are the account balances, may result from:
obligations of the entity. - The entity no longer having the right to an asset that was previously correctly recorded
- The entity no longer having an obligation to settle a liability that was previously
correctly recorded.
Completeness All assets, liabilities, and equity Potential Misstatements relating to the Assertion completeness, for balance sheet account Completeness
interests that should have been balances, may result from:
recorded have been recorded. - A liability that should have been recorded has not been recorded (e.g., no accrual at
period-end for certain liabilities).
Valuation and Assets, liabilities, and equity interests Potential Misstatements relating to the Assertion valuation and allocation, for balance Valuation or allocation
allocation are included in the financial sheet account balances, may result from:
statements at appropriate amounts - Impairments of assets that are not identified and properly recorded
and any resulting valuation or - Inaccurate adjustments that are made to a balance sheet account balance that
allocation adjustments are inappropriately adjust the value of that balance sheet account balance
appropriately recorded. - Assets which are amortized over the incorrect period resulting in the remaining asset
balance being incorrectly valued
- Fair value adjustments that are not identified and properly recorded.
Assertions about presentation and disclosure:

Occurrence and Disclosed events, transactions, and Potential Misstatements relating to the presentation and disclosure assertions may result Presentation and disclosure
rights and other matters have occurred and from:
obligations pertain to the entity. - Fictitious or unauthorized disclosures are included in the Financial Statements
- Disclosures of contingent liabilities for which the entity no longer has an obligation for
- Disclosures that are intentionally omitted from the Financial Statements
Completeness All disclosures that should have been
- The captions in the Financial Statements result in amounts being presented in a
included in the financial statements
misleading way
have been included.
- Input is inaccurately captured into the Financial Statements
- Input into the Financial Statements reflects amounts in excess or less than appropriate
Classification and Financial information is appropriately amounts.
understandability presented and described, and
disclosures are clearly expressed.
Accuracy and Financial and other information are

valuation disclosed fairly and at appropriate
amounts.
Form 18**SDI.4, Recourse Liabilities Tickmarks
Tickmarks
{a} For most "what could go wrongs" listed within the "ROMM Overview" tab, multiple control activities have
been listed to possibly address the related risk. Engagement teams are encouraged to use professional
judgment in assessing which control or controls properly address the specific risk at their financial institution.
More than one control may apply and need to be tested to adequately address the related risk. Additionally,
dual-purpose testing may be appropriate with certain controls and substantive procedures. Therefore,
engagement teams are encouraged to consider both controls and substantive procedures when determining
the audit plan for the Recourse Liabilities.

Form 18 Sdi 4 - Recourse Liabilities - Risk of Material Misstatement (Romm) Worksheet

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Form 18 Sdi 4 - Recourse Liabilities - Risk of Material Misstatement (Romm) Worksheet

Uploaded by

Copyright:

Available Formats

Form 18**SDI.

4, Recourse Liabilities Overview

Risk of Material Misstatement Worksheet — Overview

ROMM Overview Tab

Risks of Material Misstatement Related to Presentation and Disclosure

CUSTOMIZATION OF RISKS OF MATERIAL MISSTATEMENT, CONTROL ACTIVITIES, AND RELATED PROCEDURES

Developing Independent Expectation of Recourse Liabilities

Performing Retrospective Review of Significant Accounting Estimates

Identify and Test for Disputed Claims

Identify and Test for Disputed Claims

Developing Independent Expectation of Recourse Liabilities

Performing Retrospective Review of Significant Accounting Estimates

Developing Independent Expectation of Recourse Liabilities

Developing Independent Expectation of Recourse Liabilities

Performing Retrospective Review of Significant Accounting Estimates

Perform Tests of Unrecorded Liabilities

1. The methodology used to estimate the reserves related to recourse

2. Level and types of repurchase claims the entity is receiving

3. Level of allowance established related to the repurchase

4. Method of settling claims; success rate in avoiding claims

5. Time limit of recourse obligation and trends by loan vintage

6. Rollforward of reserves for periods presented

Such meetings might include discussion of the following topics:

Finance personnel prepare a journal entry and supporting documentation, which is

Transaction documents for sales of loans are reviewed by finance personnel to

Recourse liabilities are valued based on an analysis performed by qualified personnel

1) Historical trend analysis over an appropriate period

2) Expected future repurchase/claims activity

3) Quality of loan underwriting during the periods of analysis

4) Regular discussions with legal counsel on pending or threatening litigation related

5) Investor repurchase demand

6) Appeal success rates

8) Loans subject to possible future claims

Management’s methodology is reviewed by a third party or internal audit.

Data used in the calculation is reconciled to the entity’s records.

On a monthly basis, finance personnel reconcile recorded recourse liabilities to

Information Produced by the Entity

Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

B Identify and Test for Disputed Claims

C Perform Tests of Unrecorded Liabilities

E Developing Independent Expectation of Recourse Liabilities

Information Produced by the Entity

Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

F Performing Retrospective Review of Significant Accounting Estimates

H Test Presentation and Disclosures on Recourse Liabilities and Repurchase Reserves

D. Determine that the following disclosures are made by the entity:

Note 1 Account Balance/Class of Transactions/Disclosure

Note 3 Risk of Material Misstatement

Refer to U.S AAM 00200.16-16a/PCAOB AAM 00200.23-23a for additional guidance.

Presumed Significant Risks — Revenue Recognition and Management Override of Controls

Note 6 Risk of Material Misstatement Due to Fraud?

Note 8 Identification and Documentation of Relevant Control Activities

Control activities that are relevant to the audit are:

Relevant controls include:

Refer to U.S. AAM 12200/PCAOB AAM 12200 for further guidance.

Note 9 Conclusion — Design, Implementation, Operating Effectiveness of Controls

Nature and Extent of Substantive Procedures

Control Operating Effectiveness Testing Strategy

Note 13 Operating Frequency

Note 14 Information Produced by the Entity (IPE)

Types of IPE may include, but are not limited to:

Internal Controls IPE in the Context of Internal Controls

- Information that we rely upon to test a relevant control