Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest PCAOB Audits Chapter 1 Overview 100 Background

Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest PCAOB Audits Chapter 1 Overview 100 Background 100 Background 100.1 For many years, auditors had traditionally conducted their engagements in accordance with generally accepted auditing standards developed by the American Institute of Certified Public Accountants (AICPA). Auditors of publicly traded companies have also had to follow the additional rules of the SEC. However, this changed dramatically in 2002 with the passage of the Sarbanes Oxley Act and the subsequent establishment of the Public Company Accounting Oversight Board (PCAOB). 100.2 The Sarbanes Oxley Act of 2002 (SOX) was passed in response to a growing number of financial scandals that started with Enron in the fall of 2001. These financial scandals eventually led to the collapse of some large public companies, including Enron and WorldCom (owner of telecommunications giant MCI). Their CEOs and other financial executives were convicted of criminal fraud and received prison sentences. Stockholders and creditors lost billions when these companies failed. In addition, the Enron and WorldCom collapses led to the failure of Andersen, one of the world's largest accounting firms. Congress felt compelled to act and responded with the Sarbanes Oxley Act of 2002. Sarbanes Oxley Act of 2002 100.3 The portion of SOX that has the greatest impact on public company auditors is Section 404, which deals with management's assessment of internal controls. However, there are several sections that are also important to audit firms. Exhibit 1 1 summarizes some of the more important sections of SOX. Exhibit 1 1 Highlights of the Sarbanes Oxley Act of 2002 Section 101 This section establishes the Public Company Accounting Oversight Board (PCAOB), which is the organization responsible for overseeing the audits of public companies. (Public companies are referred to

Section 102 Section 103 Section 104 Section 201 Section 202 Section 203 Section 401 Section 404 as issuers in SOX. The term issuer is defined in the SEC rules and generally refers, among other organizations, to companies whose securities are registered under the Securities Exchange Act of 1934.) This section establishes the requirement for accounting firms to register with the PCAOB in order to audit public companies. Section 103 has several important components, including the requirement that auditors keep their audit workpapers for seven years. In addition, each audit report must have a concurring review performed before it is issued. This section establishes the requirement for the PCAOB to inspect each large registered accounting firm (those with more than 100 public company audit clients) annually and each small firm (those with 100 or fewer clients) at least every three years. Section 201 defines nonaudit services that public company auditors cannot provide without impairing their independence. These services are further discussed in SEC Rule 2 01 of Regulation S X. See section 201 of this Guide for more information. This section requires preapproval of a firm's audit and nonaudit services by the client's audit committee. This section specifies partner rotation schedules for public company auditors. Generally, a lead and concurring partner can serve on a client's audit engagement team for no more than five years in a row. Partner rotation is addressed in more detail in SEC Rule 2 01 of Regulation S X. See section 201 of this Guide for more information. This section requires that financial statements reflect all material correcting adjustments proposed by the auditor. Section 404 is generally considered to be the most challenging section of SOX. It requires a company's management to assess its internal control over financial reporting, and it requires the auditor to attest to and report on management's assessment. The auditor must assess and report on management's assessment as part of the audit of the financial statements. (However, the discussion beginning at paragraph 100.4 details amendments to Section 404.)

Note: This exhibit is not a complete overview of SOX, but mentions some of the more important aspects (in the authors' opinion) from an auditor's perspective. Other Legislation Affecting Sarbanes Oxley 100.4 In recent years, several other Acts have been signed into law by the President that amend key provisions of the Sarbanes Oxley Act of 2002. In addition to the amendments of SOX, these Acts introduced other legislation that impact issuers and their auditors. 100.5 Dodd Frank Act The Dodd Frank Wall Street Reform and Consumer Protection Act (Dodd Frank Act), which became effective on July 21, 2010, exempts nonaccelerated filers from complying with Section 404(b) of the Sarbanes Oxley Act of 2002 requiring an independent auditor's attestation on the effectiveness of an entity's internal control over financial reporting. The Act also contains numerous other provisions that affect registrants and their auditors. 100.6 Some of the provisions of the Act affecting SEC rule making or studies include: Requires the SEC to conduct a study on how Sarbanes Oxley Section 404(b) compliance burdens can be reduced for companies with market capitalizations between $75 million and $250 million. Requires a nonbinding shareholder vote on compensation for named executive officers at least once every three years (say on pay). In addition, a nonbinding shareholder vote is required on compensation for named executive officers in connection with acquisitions, mergers, sales, and similar transactions unless otherwise included in the general say on pay shareholder vote. Requires public companies to have compensation committees that include only independent directors. Expands disclosures in the annual proxy statement on executive compensation, including information on the median annual total compensation for all employees and the annual compensation of the CEO, as well as a ratio of such amounts. Requires the SEC to issue rules for companies to establish policies to recover excess compensation paid to executive officers in the event of financial reporting restatements due to noncompliance with accounting standards.

Unless specific instructions are provided by the owner, prohibits brokers from voting shares for director elections, executive compensation, or other significant matters. Authorizes the SEC to issue rules that permit shareholders to nominate directors in the proxy, subject to ownership thresholds. Requires the disclosure in the proxy materials on why the company has elected to either combine or separate the roles of board chairman and CEO. Amends the Securities Act of 1933 to allow the SEC to sue a party that knowingly or recklessly provides substantial assistance to another person in violating the Securities Act or related rules and regulations. This changes the level of liability from a knowingly standard to a knowingly or recklessly standard. Recent SEC activities relating to some of these provisions are discussed in section 1003. 100.7 Section 982 of the Dodd Frank Act authorizes the PCAOB to establish standards for registered public accounting firms relating to audits of broker dealers for reports included in filings with the SEC. On July 31, 2013, the SEC issued a final rule that, among other things, requires audits of all broker dealers (including nonpublic broker dealers) to be conducted in accordance with the standards of the PCAOB. Prior to implementing the requirements set forth by the new SEC final rule, audits of nonpublic broker dealers have been performed in accordance with GAAS. The new rules also require broker dealers to file new reports with the SEC. As further discussed beginning in paragraph 100.36, in October 2013, the PCAOB approved two attestation standards that provide requirements for examining or reviewing the assertions in the broker dealer's compliance or exemption report filed in compliance with SEC reporting rules. Also, as discussed in paragraph 100.32, the PCAOB approved Auditing Std. No. 17, Auditing Supplemental Information Accompanying Audited Financial Statements, which applies whenever the auditor is engaged to audit and report on supplemental information that accompanies the audited financial statements. The supplemental information includes the supporting schedules required by the SEC's broker dealer financial reporting rule or other audited supplemental information included in SEC filings, whether required by another regulatory body or voluntarily submitted by the issuer. A comprehensive discussion of audits of brokers and dealers is beyond the scope of this Guide. PPC's Practice Aids for Audits of Broker dealers provides additional detailed information on such audits. 100.8 JOBS Act The Jumpstart Our Business Startups Act (JOBS Act), which became effective on April 5, 2012, amends Section 404(b) of the Sarbanes Oxley Act to eliminate the requirement for an

auditor's attestation on the effectiveness of an entity's internal control over financial reporting for companies defined as an emerging growth company. The JOBS Act also provides for the delay of the use of newly adopted accounting and auditing standards in certain respects, as well as additional matters, for emerging growth companies. The JOBS Act is discussed more fully beginning with paragraph 906.71. 1 PCAOB Standards 100.9 As noted in Exhibit 1 1, Section 101 of SOX established the PCAOB, which operates under the general oversight of the SEC, to regulate the audits of public companies. Among other requirements, SOX assigns the following responsibilities to the PCAOB: a. Registering public accounting firms that provide audit services to public companies. b. Establishing or adopting auditing, quality control, ethics, independence, and other standards for the audits of public companies. c. Conducting periodic inspections of registered public accounting firms to ensure that they are complying with SOX, PCAOB rules and standards, and federal securities laws. d. Conducting investigations and disciplinary proceedings, and applying sanctions, as needed. 100.10 Interim Standards To provide continuity, the PCAOB has adopted the generally accepted auditing standards of the AICPA that existed as of April 16, 2003, as interim standards for audits of public companies. PCAOB Release No. 2003 006, which establishes interim auditing and related professional practice standards, consists of the following five rules: Interim auditing standards (Rule 3200T). Interim attestation standards (Rule 3300T). Interim quality control standards (Rule 3400T). Interim ethics standards (Rule 3500T).

Interim independence standards (Rule 3600T). Accordingly, AICPA auditing standards that existed prior to April 16, 2003, are appropriate for audits of public companies until such time as the PCAOB amends or supersedes them. 100.11 Other PCAOB Standards In addition to the AICPA standards that the PCAOB has adopted as interim standards, the PCAOB has adopted 18 auditing standards, all of which have been approved by the SEC. Those additional standards are discussed in the following paragraphs. 100.12 PCAOB Auditing Standard No. 1 PCAOB Auditing Standard. No. 1, References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board, was the first standard issued by the PCAOB, and it is very narrow in scope. It requires accounting firms to state that their public company audits and reviews are conducted in accordance with the standards of the Public Company Accounting Oversight Board (United States). The auditor must also include the city and state from which the report was issued. Reporting requirements under the PCAOB standards are discussed in more detail in section 906 of this Guide. 100.13 PCAOB Auditing Standard No. 2 Section 404 of SOX requires a public company's management to assess its internal control over financial reporting and the auditor to attest to and report on management's assessment. PCAOB Auditing Standard. No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, provided detailed guidance to assist the firm in complying with Section 404 of SOX. However, Auditing Std. No. 2 was superseded by Auditing Std. No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (see discussion in paragraph 100.16). 100.14 PCAOB Auditing Standard No. 3 PCAOB Auditing Standard. No. 3, Audit Documentation, replaces SAS No. 96, Audit Documentation. Auditing Std. No. 3 establishes documentation standards for audits of financial statements and internal controls as well as reviews of interim financial statements performed in accordance with PCAOB standards. The standard covers general audit documentation requirements, documentation of specific matters (including the preparation of an engagement completion document), and document retention and subsequent changes to audit documentation. The requirements of this standard are discussed in more detail in Chapter 7. 100.15 PCAOB Auditing Standard No. 4 Auditing Standard No. 4, Reporting on Whether a Previously Reported Material Weakness Continues to Exist, provides guidance for voluntary engagements performed only at the request of management, to report on whether a material weakness previously disclosed in management's and/or the auditor's report on internal control over financial reporting continues to exist as of a date specified by management. When a material weakness has been reported, investors may be uncertain about the reliability of the financial statements until they learn that the material weakness no longer exists. If management has corrected the weakness, it may determine that communication of the correction in its quarterly disclosure will

be sufficient notification to investors. Also, management might engage the auditor to report that the weakness no longer exists before the quarterly disclosure. Chapters 5 and 9 also discuss Auditing Standard No. 4. 100.16 PCAOB Auditing Standard No. 5 Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, replaces the previous internal control auditing standard, Auditing Std. No. 2. Auditing Std. No. 5 aligns with the SEC's management guidance for management's assessment of internal control under SOX section 404. It also requires the audit of internal control over financial reporting to be integrated with the audit of the financial statements and to use a top down, risk based approach. Further, Auditing Std. No. 5 eliminated the Auditing Std. No. 2 requirement to report on management's assessment and revised the definitions of the terms material weakness and significant deficiency, as follows: Material Weakness a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. Significant Deficiency a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. See a detailed discussion of Auditing Std. No. 5 in Chapter 5. 100.17 PCAOB Auditing Standard No. 6 Auditing Standard No. 6, Evaluating Consistency of Financial Statements, superseded AU 420, Consistency of Application of Generally Accepted Accounting Principles, and AU 9420, and made conforming amendments to the interim auditing standards in response to FASB ASC 250 and the FASB's action to move the hierarchy of GAAP from the auditing standards to the accounting standards. The standard requires auditors to evaluate the consistency of a company's financial statements and to report on any inconsistencies. Auditing Standard No. 6 is discussed in Section 906. 100.18 PCAOB Auditing Standard No. 7 Auditing Standard No. 7, Engagement Quality Review, provides a framework for an engagement quality reviewer to objectively evaluate the significant judgments made by the engagement team and the conclusions reached in forming an overall conclusion on the engagement. The standard directs an engagement quality reviewer's attention to matters that increase the likelihood of identifying and correcting significant engagement deficiencies before an audit report is issued. The standard requires an engagement quality review (EQR) for audits and for reviews of interim financial information, but not for other engagements. The standard is discussed in Chapters 2, 8, and 10 of this Guide. 100.19 PCAOB Risk Assessment Standards (Auditing Standard Nos. 8 15) In August 2010, the

PCAOB approved eight auditing standards Nos. 8 through 15 that address auditors' responsibilities for assessing and responding to the risks of material misstatement in an audit of financial statements. Those standards, often referred to as the Risk Assessment Standards, are as follows: Auditing Std. 8, Audit Risk. Auditing Std. 9, Audit Planning. Auditing Std. 10, Supervision of the Audit Engagement. Auditing Std. 11, Consideration of Materiality in Planning and Performing an Audit. Auditing Std. 12, Identifying and Assessing Risks of Material Misstatement. Auditing Std. 13, The Auditor's Responses to the Risks of Material Misstatement. Auditing Std. 14, Evaluating Audit Results. Auditing Std. 15, Audit Evidence. The standards superseded six interim auditing standards: AU 311, Planning and Supervision; AU 312, Audit Risk and Materiality in Conducting an Audit; AU 313, Substantive Tests Prior to the Balance Sheet Date; AU 319, Consideration of Internal Control in a Financial Statement Audit; AU 326, Evidential Matter; and AU 431, Adequacy of Disclosure in Financial Statements. 100.20 Paragraphs 100.21.28 summarize the principal provisions of the PCAOB's risk assessment standards. 100.21 Auditing Standard No. 8, Audit Risk. This standard describes the components of audit risk in an audit of financial statements, the auditor's considerations in assessing risk, and the auditor's responsibility to reduce risk to an appropriately low level to obtain reasonable assurance about whether the financial statements are free of material misstatement. Among other things, Auditing

Standard No. 8 requires auditors to Assess risk at the financial statement level and the assertion level. Reduce the level of the risk of not detecting material misstatement (detection risk) through the nature, timing, and extent of the substantive procedures performed. (The higher the risk of material misstatement, the lower the level of detection risk needs to be to reduce audit risk to an appropriately low level.) 100.22 Auditing Standard No. 9, Audit Planning. This standard describes the auditor's responsibilities for planning the audit, including determining matters that are important to the audit and establishing an appropriate audit strategy and developing an audit plan. Among other things, Auditing Standard No. 9 requires The engagement partner to be responsible for planning the audit. (The engagement partner may be assisted by engagement team members in fulfilling that responsibility.) Auditors to evaluate whether the following matters are important to the entity and its internal control and, if so, how they will affect the auditor's procedures: Knowledge about risks evaluated as part of client acceptance and continuance. Matters relating to entity's industry. Matters relating to the business, including the complexity of its operations and the extent of recent changes. Legal or regulatory matters. The auditor's preliminary judgments about materiality and risk. Knowledge of the entity's internal control obtained during other engagements

performed by the auditor. Preliminary judgments about and available evidence related to the effectiveness of the entity's internal control. Previously communicated control deficiencies. Public information relevant to the evaluation of the likelihood of material misstatements and internal control effectiveness. Auditors to take communications with the audit committee into account when developing the overall audit strategy. Auditors to develop and document an audit plan that includes the nature, timing, and extent of risk assessment, substantive, and other procedures required by PCAOB standards. Auditors to determine the locations or business units at which to perform audit procedures, assess the risks of material misstatement associated with the location or business unit, and correlate that assessment with the extent to which audit procedures should be performed. Auditors to determine whether specialized skill or knowledge is needed to perform appropriate risk assessments, plan or perform audit procedures, or evaluate audit results. 100.23 Auditing Standard No. 10, Supervision of the Audit Engagement. This standard describes the auditor's responsibilities for supervising the audit and the work of the engagement team. Among other things, Auditing Standard No. 10 requires The engagement partner to be responsible for supervising the audit and the work of the engagement team. (The engagement partner may be assisted by engagement team members in fulfilling that responsibility.)

Supervisory activities to include making engagement team members aware of their responsibilities, including informing supervisors of significant accounting and auditing issues that arise during the audit, and reviewing the work of engagement team members. 100.24 Auditing Standard No. 11, Consideration of Materiality in Planning and Performing an Audit. This standard describes the auditor's responsibilities for considering materiality in planning and performing an audit and determining the scope of audit procedures, including reevaluating materiality in light of circumstances or additional information that indicates a lower materiality level may be appropriate. Auditing Standard No. 11 defines materiality in an audit by reference to court decisions interpreting federal securities laws. In that context, a fact is material if there is a substantial likelihood that the... fact would have been viewed by a reasonable investor as having significantly altered the 'total mix' of information made available. Among other things, Auditing Standard No. 11 requires Auditors to consider a company's earnings and other relevant factors in determining materiality for the financial statements as a whole. Materiality to take into account both qualitative and quantitative factors. Materiality for the financial statements to be expressed as a specified amount. Auditors to evaluate whether there are certain accounts or disclosures for which a lower level of materiality is appropriate than materiality for the financial statements as a whole. Auditors to establish tolerable misstatement at the account or disclosure level and for individual locations or business units in audits of companies with operations in multi locations or business units. 2 100.25 Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement. This standard describes the auditor's responsibilities for identifying and assessing the risks of material misstatement that provide a basis for designing and implementing responses to those risks. Among other things, Auditing Standard No. 12 requires auditors to perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement and design further audit procedures tests of controls and substantive procedures to

respond to the risks. Auditing Standard No. 12 specifies the following risk assessment procedures: Obtain an understanding of the company and its environment, including evaluating whether significant changes in the company from prior periods affect the risks of material misstatement. The understanding includes understanding industry, regulatory, and other external factors; the nature of the company; the company's selection and application of accounting principles, including related disclosures; the company's objectives, strategies, and related business risks; and the company's performance measures. As part of understanding the company, auditors should consider reading public information about the company, observing or reading transcripts of earnings calls, understanding the compensation arrangements with senior management, and obtaining information about trading activity and holdings in the company's securities by significant holders. As part of understanding the company's selection and application of accounting principles, including related disclosures, auditors are required to develop expectations about the disclosures that are necessary for the company's financial statements to be fairly presented and assess the risks of material misstatement related to omitted, incomplete, or inaccurate disclosures. Obtain an understanding of internal control and evaluate whether control deficiencies identified, if any, are indicative of fraud risk factors. The understanding of internal control includes the company's control environment, risk assessment process, information system relevant to financial reporting, process of communicating financial reporting roles and responsibilities and other significant matters, control activities, and monitoring controls. As part of understanding the company's information system relevant to financial reporting, auditors are required to obtain an understanding of how IT affects the flow of transactions. Consider information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company, including information obtained during reviews of interim financial information. Auditors should evaluate whether information from past audits remains relevant and reliable if they plan to rely on that information to limit the nature, timing, or extent of risk assessment procedures.

Perform analytical procedures. Conduct a discussion among all key engagement team members, including the engagement partner, regarding the risks of material misstatement, including fraud risks. Make specified inquiries of the audit committee, management, and others within the company about the risks of material misstatement, including fraud risks. After performing risk assessment procedures, Auditing Std. No.12 requires auditors to evaluate how risks at the financial statement level could affect risks of material misstatement at the assertion level and whether fraud risk factors are present that should be taken into account in identifying and assessing fraud risks. The auditor's evaluation of fraud risk factors should (a) include evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures or by omitting disclosures, (b) presume there is a fraud risk involving improper revenue recognition, and (c) consider the risk of management override of controls. 100.26 Auditing Standard No. 13, The Auditor's Responses to the Risks of Material Misstatement. This standard describes the auditor's responsibilities for designing and implementing both overall responses and responses involving the nature, timing, and extent of auditing procedures to address the risks of material misstatement. Among other things, Auditing Standard No. 13 requires auditors to Implement overall responses to address the risks of material misstatement due to both error and fraud, including appropriately assigning engagement responsibilities to the engagement team and providing appropriate supervision, incorporating elements of unpredictability in performing audit procedures, and evaluating the appropriateness of the entity's significant accounting principles. Consider the types, likelihood, and magnitude of potential misstatements, and obtain more persuasive audit evidence the higher the auditor's assessment of risk. Perform substantive procedures, including tests of details, to respond to significant risks, including fraud risks. Perform tests of controls if the auditor plans to assess control risk at less than the maximum

by relying on controls and for each relevant assertion for which substantive procedures alone cannot provide sufficient appropriate audit evidence. Obtain more persuasive audit evidence from tests of controls the greater the reliance the auditor places on the effectiveness of a control and for each relevant assertion for which the audit approach consists primarily of tests of controls. When testing the operating effectiveness of controls, include procedures to determine whether the person performing the control possesses the necessary authority and competence to perform the control effectively. When auditors plan to rely on controls tested in past audits, obtain audit evidence in the current audit about the design and operating effectiveness of the controls. Assess control risk for relevant assertions. Perform substantive procedures for each relevant assertion of each significant account and disclosure, regardless of the assessed level of control risk, including procedures related to the period end financial reporting process. When substantive procedures are performed at an interim date, perform substantive procedures or substantive procedures together with tests of controls that provide a basis to extend the interim conclusions to the period end. 100.27 Auditing Standard No. 14, Evaluating Audit Results. This standard describes the auditor's responsibilities to evaluate whether the audit evidence obtained is sufficient to support the auditor's opinion on the financial statements. Among other things, Auditing Standard No. 14 requires auditors to Perform analytical procedures in the overall review of the financial statements, including analytical procedures relating to revenue through the end of the period, and evaluate whether they indicate a previously undisclosed risk of material misstatement.

Evaluate whether differences between estimates best supported by the audit evidence and estimates included in the financial statements, which are individually reasonable, indicate possible bias on the part of the company's management. Accumulate misstatements identified during the audit, other than those that are clearly trivial. Misstatements that are clearly trivial will be of a smaller magnitude than the materiality level established in accordance with Auditing Std. No. 11 and will be inconsequential, whether taken individually or in the aggregate, and whether judged by any criteria of size, nature, or consequence. Evaluate the effect of uncorrected misstatements, including the effects of uncorrected misstatements detected in prior years and misstatements detected in the current year that relate to prior years. Communicate accumulated misstatements to management and evaluate whether management has properly corrected them and whether uncorrected misstatements, if any, are material. Evaluate whether identified misstatements might be indicative of fraud. If so, auditors are required to obtain additional evidence to determine whether fraud has, or is likely to have, occurred and, in that case, determine the effect on the financial statements and the auditor's report. Evaluate the qualitative aspects of the company's accounting policies, including potential bias in management's judgments and estimates, and determine whether the effects of any bias, together with any uncorrected misstatements, materially misstate the financial statements. If management identifies adjusting entries that offset misstatements accumulated by the auditor, perform procedures to determine why the misstatements were not previously identified and evaluate the implications on management integrity and the auditor's risk assessments. Consider the form, arrangement, and content of the financial statements and accompanying notes, including the terminology used, the amount of detail given, and classification of items in the financial statements, and the basis of amounts presented to evaluate whether the financial

statements are fairly presented. 100.28 Auditing Standard No. 15, Audit Evidence. This standard describes the principles for determining the sufficiency and appropriateness of audit evidence, how the characteristics of audit evidence affect the procedures necessary to obtain sufficient appropriate evidence to support the auditor's opinion, specific types of audit procedures, and alternative means of selecting items for testing. Auditing Standard No. 15 requires auditors to When using information produced by the company as audit evidence, test the accuracy and completeness of the information and evaluate whether it is sufficiently precise and detailed for the auditor's purposes. Determine the appropriate means of selecting items for testing (selecting all items, selecting specific items, or audit sampling) depending on the nature of the audit procedure, the characteristics of the control or items being tested, and the evidence necessary to meet the objective of the audit procedure. 3 100.29 PCAOB Auditing Standard No. 16 PCAOB Auditing Standard No. 16, Communications with Audit Committees, which superseded AU 380, Communications with Audit Committees, and AU 310, Appointment of the Independent Auditor, and amended certain other PCAOB standards, carried forward substantially all of the required communications in the PCAOB's prior interim standards and significantly expands required communications and audit procedures aimed at enhancing communications between auditors and audit committees. Some of the required communications are to take place during the planning phase of the audit, others are required on an ongoing basis throughout the audit, and several would take place during the concluding phase of the audit. The standard requires that communications occur in a timely manner. The timing of a particular communication, unless otherwise specified, depends on factors such as the significance of the matter and corrective or follow up action needed. The communication can be made with the audit committee chair to facilitate timely communication during the audit. All communications are required to be made annually prior to the issuance of the auditor's report, or in the case of interim reviews, before the interim financial statements are filed. Unless otherwise specified, the communications can be in writing or made orally. Regardless of whether the communications are oral or written, they should be documented in sufficient detail to allow an experienced auditor having no previous connection with the engagement to understand the communications made. 100.30 The most significant provisions in the standard, in addition to previously existing requirements, require the auditor to communicate: The terms of the engagement, on an annual basis, upon establishing an understanding specifically with the audit committee and documented in a written engagement letter provided to

the audit committee. In addition, if the engagement letter is executed by an appropriate party other than the audit committee or its chair, the auditor should determine that the audit committee acknowledged and agreed to the terms. Significant issues the auditor discussed with management in connection with appointment or retention, including significant discussions about the application of accounting principles and auditing standards. An overview of the audit strategy, including a discussion of the significant risks identified by the auditor, and the timing of the audit, including the following: Nature and extent of specialized skill or knowledge needed to perform appropriate risk assessments, plan or perform audit procedures, or evaluate audit results. Planned use of the company's internal audit function in both the financial statement and internal control audits. For audits of internal control over financial reporting, the extent to which the auditor plans use other company personnel and third parties working under the direction of management. Names, locations, and planned responsibilities of other public accounting firms and other persons, including affiliated firms, participating in the audit. Basis for the auditor's determination that the firm can serve as principal auditor. Any significant changes to the planned audit strategy or the significant risks initially identified and the reasons for the changes.

Significant accounting policies and practices, including (a) management's initial selection of or changes in significant accounting policies and practices in the current period and (b) the effect on financial statements or disclosures of significant accounting policies in controversial areas or areas for which there is a lack of authoritative guidance or consensus or diversity in practice. Critical accounting policies and practices, including (a) the reasons certain policies are considered critical and (b) how current and anticipated future events might affect the determination of whether certain policies and practices are considered critical. Critical accounting estimates, including (a) a description of the process management uses to develop critical accounting estimates, any changes management made to those processes, their reasons for the changes, and the effect on the financial statements, and (b) management's assumptions used in critical accounting estimates that have a high degree of subjectivity. Significant unusual transactions that are outside the normal course of business or that otherwise are unusual due to their timing, size, or nature and the policies and practices management used to account for significant unusual transactions. Quality of the company's financial reporting including the following: Evaluation of and conclusion about the qualitative aspects of the company's significant accounting policies and practices, including bias in management's judgments reflected in the financial statements and disclosures. Auditing Std. No. 14 provides the following examples of management bias: (1) the selective correction of misstatements brought to management's attention during the audit, (2) the identification by management of additional adjusting entries that offset misstatements accumulated by the auditor, (3) bias in the selection and application of accounting principles, and (4) bias in accounting estimates. Evaluation of the differences between estimates best supported by the audit evidence and estimates included in the financial statements that indicate possible management bias. Assessment of management's disclosures related to the company's critical

accounting policies and any changes to those disclosures proposed by the auditors that management did not make. Auditor's understanding of the business rationale for significant unusual transactions. Basis for the auditor's conclusions regarding the reasonableness of the company's critical accounting estimates. Evaluation of whether the presentation of the financial statements and the related disclosures are in conformity with GAAP. Concern regarding management's anticipated application of accounting pronouncements that have been issued but are not yet effective and might have a significant effect on future financial reporting. (For example, for financial statements that are prepared on the basis of accounting principles that are acceptable at the financial statement date but that will not be acceptable in the future, AU 9410 requires the auditor to consider whether disclosures regarding the impending change in principle and effects that may result on the required future adoption of accounting principle are adequate.) All alternative treatments permissible under the applicable financial reporting framework for policies and practices related to material items that have been discussed with management, including the ramifications of the use of such alternative disclosures and treatments and the treatment preferred by the auditor. Matters that are difficult or contentious for which the auditor has consulted outside the engagement team when relevant to the audit committee's oversight of the financial reporting process. Significant auditing or accounting matters about which management has consulted other accountants when the auditor has concerns about such matters.

The fact that uncorrected misstatements or matters underlying them could potentially cause future period financial statements to be materially misstated even if the auditor has concluded that the uncorrected misstatements are immaterial to the financial statements and, if management has not already done so, the basis for the determination that the uncorrected misstatements were immaterial, including the qualitative factors considered. When the auditor has concerns about the company's ability to continue as a going concern: (a) conditions and events that indicate there is substantial doubt about the company's ability to continue as a going concern for a reasonable period of time, (b) if substantial doubt is alleviated after consideration of management's plans, the basis for the auditor's conclusion, and (c) if substantial doubt remains after consideration of management's plans, the effects on the financial statements, including the adequacy of disclosure, and the auditor's report. When the auditor expects to modify the opinion in the auditor's report or include an explanatory paragraph, the reasons for the modification or explanatory paragraph, and the proposed wording of the modification or explanatory paragraph. Other material written communications between the auditor and management. Auditor's responsibilities with respect to other information in documents containing audited financial statements, including the auditor's procedures and the results of those procedures. Disagreements with management about matters, whether or not satisfactorily resolved, that could be significant to the company's financial statements or the auditor's report. Difficulties encountered in performing the audit. 100.31 In addition to the above communications requirements, the standard also requires the auditor to: Provide the audit committee with a schedule of (a) uncorrected misstatements and (b) corrected misstatements, other than those that are clearly trivial, that, in the auditor's judgment,

may not have been detected except through the auditor's procedures. Make inquiries of the audit committee (or its chair) about whether they are aware of other matters that may be relevant to the audit, including knowledge of violations or possible violations of laws or regulations. 100.32 PCAOB Auditing Standard No. 17 PCAOB Auditing Standard No. 17, Auditing Supplemental Information Accompanying Audited Financial Statements, applies when the auditor is engaged to audit and report on whether supplemental information is fairly stated, in all material respects, in relation to the financial statements as a whole. Auditing Std. No. 17 superseded AU 551, Reporting on Information Accompanying the Basic Financial Statements in Auditor Submitted Documents. The standard applies whenever the auditor is engaged to audit and report on supplemental information that accompanies the audited financial statements. The supplemental information includes the supporting schedules required by the SEC's broker dealer financial reporting rule or other audited supplemental information included in SEC filings, whether required by another regulatory body or voluntarily submitted by the issuer. The standard retains the language in the auditor's report previously required by AU 551, stating that the opinion on the supplemental information is fairly stated in relation to the financial statements as a whole. Existing PCAOB standards, however, have been enhanced by Auditing Std. No. 17 by (a) requiring procedures to test and evaluate supplemental information and (b) promoting coordination between the work on the supplemental information and on the financial statement audit, as well as other engagements, such as the compliance attestation engagement for brokers and dealers. Auditing Std. No. 17 is discussed further in section 908. 100.33 PCAOB Auditing Standard No. 18 On June 10, 2014, the PCAOB adopted Auditing Std. No. 18, Related Parties, along with amendments to certain PCAOB auditing standards regarding significant unusual transactions and other amendments to PCAOB auditing standards. The standard and included amendments are a response to past financial reporting frauds that involved relationships and transactions with related parties, significant unusual transactions, and certain transactions and relationships with executive officers. The standard also considers the Board's inspection activities, comments from the PCAOB's Standing Advisory Group (SAG), and international developments. The resulting auditing standard and related amendments are intended to strengthen existing procedures for identifying, assessing, and responding to risks of material misstatement pertaining to related party and significant unusual transactions. 100.34 Auditing Standard No. 18 complements and builds upon the existing risk assessment standards. It supersedes the existing PCAOB interim auditing standard, AU 334, Related Parties, and also amends a number of PCAOB interim standards, including AU 316, Consideration of Fraud in a Financial Statement Audit, as well as certain provisions of several PCAOB auditing standards, including Auditing Std. No. 12, Identifying and Assessing Risks of Material Misstatement, and Auditing Std. No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An

Audit of Financial Statements. Auditing Std. No. 18, which is effective for audits of financial statements for fiscal years and interim periods beginning on or after December 15, 2014, has been fully integrated in this edition of the Guide and is discussed further in section 804. SEC Rules and PCAOB Standards for Broker dealers 100.35 On July 31, 2013, the SEC issued a final rule that, among other things, requires audits of all broker dealers (including nonpublic broker dealers) be conducted in accordance with PCAOB standards. The Dodd Frank Wall Street Reform and Consumer Protection Act had previously given oversight authority to the PCAOB for audits of broker dealers. The rules also require broker dealers to file new reports with the SEC. A comprehensive discussion of audits of broker dealers is beyond the scope of this Guide. PPC's Practice Aids for Audits of Broker dealers provides detailed information on performing such audits. 100.36 PCAOB Attestation Standard No. 1 and No. 2 The Dodd Frank Wall Street Reform and Consumer Protection Act amended the Sarbanes Oxley Act to give the PCAOB oversight authority with respect to audits of broker dealers that are registered with the SEC. Thus, the PCAOB now has responsibility for standard setting, inspections, investigations, and disciplinary proceedings for registered accounting firms' audits of broker dealers, including broker dealers that are nonissuers. (See paragraph 101.4.) In October 2013, the PCAOB approved two attestation standards that provide requirements for examining or reviewing the assertions in the broker dealer's compliance report or exemption report, respectively, as indicated in the SEC's amendments to Rule 17a 5 of the Securities Exchange Act of 1934. The following is a summary of the adopted standards: Examination Engagements Regarding Compliance Reports of Broker dealers. The attestation standard requires auditors to obtain evidence to express an opinion on the assertions of the broker dealer in the compliance report. In addition, it provides requirements for a risk based approach for the examination. The requirements are designed to be scalable for the size and complexity of the broker dealer. In addition, the requirements coordinate the examination engagement with the audit of the financial statements and supplemental information. The standard includes requirements for the auditor's report, as well as an illustrative report. Review Engagements Regarding Exemption Reports of Broker dealers. The attestation standard provides requirements for making inquiries and performing other procedures directed to the auditor's responsibility to obtain moderate assurance that the broker dealer meets the identified conditions for an exemption from Exchange Act Rule 15c3 3. The procedures allow the auditor to scale the engagement based on the size and complexity of the broker dealer. As part of the procedures, the auditor evaluates relevant evidence obtained from the audit of the financial statements and supplemental information. The standard includes reporting requirements and an illustrative report. The attestation standards were effective for examination and review engagements for fiscal years

ending on or after June 1, 2014. A comprehensive discussion of audits of brokers and dealers is beyond the scope of this Guide. PPC's Practice Aids for Audits of Broker dealers provides detailed information on such audits. Proposed PCAOB Standards 100.37 Confirmation On July 13, 2010, the PCAOB issued a proposed auditing standard, Confirmation, which would supersede AU 330, The Confirmation Process, and amend certain other PCAOB standards. The proposed standard carries forward some of the requirements in the PCAOB's interim standard regarding confirmations and augments others. In addition, the proposed standard expands the auditor's existing responsibilities to perform confirmation procedures in certain areas, has been updated to reflect technology advances, proposes additional auditor responsibilities for confirmation procedures, provides guidance regarding designing confirmation requests and determining the types of confirmation requests to send, and expands the auditors' responsibilities for evaluating confirmation responses, including electronic confirmation responses, responses that represent exceptions, and responses that include disclaimers and restrictive language. 100.38 The most significant changes in the proposed standard would Require auditors to perform confirmation procedures for Receivables that arise from credit sales, loans, or other transactions, including purchased loans, accounts receivable, royalty receivables, lease receivables, and notes receivables. Cash, including, when appropriate, cash accounts with an immaterial or zero balance, and other relationships with financial institutions (such as lines of credit, other debt, compensating balance arrangements, and contingent liabilities, including guarantees). The purpose of responding to significant risks relating to relevant assertions that can be adequately addressed by confirmation procedures. Not carry forward from the interim standard the exceptions for not confirming receivables when (a) accounts receivable are immaterial, (b) the use of confirmations would be ineffective, or (c) the auditor's combined assessed level of inherent and control risk is low, and that assessed level together with other substantive tests is sufficient to reduce audit risk to an acceptably low