Audit standards to ramp up anti-fraud requirements
Julia Penny looks at new requirements coming in redrafted ISA 240 to redress concerns about the widening credibility gap surrounding auditors' responsibilities.
Do auditors do enough to detect fraud and are their responsibilities clear enough? These are the questions, raised by Donald Brydon that the FRC attempted to address in its recent exposure draft (ED) of amendments to ISA (UK) 240 The auditor’s responsibilities relating to fraud in an audit of financial statements.
As well as this ED the IAASB is also starting its own review of ISA 240, but as this may take several years, the FRC wanted to press ahead with improvements while continuing to support the international review.
To Brydon’s concerns about the auditor’s responsibility for detecting fraud, the ED sets out to “obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement due to fraud…”
This sentence should make it clear that the auditor’s responsibilities for finding fraud are the same as those for finding errors. This was also previously the case, as the overall objectives of the auditor (in ISA 200) are to “obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error…’. However, ISA 240 itself did not restate this obvious conclusion.
There are also amendments to the section which explains that the risk of detecting a material misstatement due to fraud may be higher than that from error.
This statement contributed to the impression that the auditor has a “get out of jail free card” when it comes to fraud, as even the standard states that it can be hard to find fraud. The proposed revisions still acknowledge that the risk of not detecting fraud may be higher than for error, but this does not diminish the auditor’s responsibility in this respect.
The suggested amendments should ensure auditors focus more clearly on their responsibility with regard to fraud and perhaps clarify external perceptions of those responsibilities. However, only adding clarifications of existing responsibilities would be unlikely to have much of an impact.
The ED therefore also ramps up the requirements in an attempt to improve the process of identifying fraud risks and then carrying out appropriate audit work in respect of those risks. But will the changes make a difference or are auditors already doing these things? To answer the question, consider whether you and your firm are already performing the extra or amended procedures and if not, whether they will make a difference.
Key themes in requirements
If we look at some of the key themes underlying the changes, as set out below we can analyse whether any of them could make a difference:
- Better team discussions on the risks of fraud, with the application guidance suggesting that all team members including specialists (rather than just key team members), are involved in these discussions
- The potential for more use of automated tools and techniques (renamed from computer assisted audit techniques), to help enhance the audit of fraud
- An emphasis that the search for evidence should not concentrate on corroborative evidence, but must also include the search for contradictory evidence
- A requirement to determine if specialist skills or knowledge are needed to audit for the existence of fraud, for instance forensic experts.
There are also a number of enhancements to the application guidance including:
- pointers that might indicate documents are not authentic
- additional areas of discussion for the engagement team
- guidance as to when a matter might need specialised skill or knowledge in order to adequately audit for fraud
- examples of situations where the use of data analytics, AI and other automated tools and techniques could help improve the audit.
We looked in a previous article about how the engagement team discussion could be made more effective, especially in relation to the audit of fraud. The ED proposes a few extra specific requirements to:
- include an exchange of ideas among team members about fraud risk factors, incentives for fraud, how management could perpetrate and conceal fraud and how assets could be misappropriated
- for group audits, include matters to discuss with auditors of significant components;
- discuss how to investigate and respond to any allegations of fraud (Wirecard immediately springs to mind)
- determine if further discussions, later in the audit, are needed (for instance if instances of suspected fraud arise).
Think back to your last engagement team discussion. Was there an exchange of ideas, or did just one or maybe two people list out some possible fraud risks? Did the team consider all the aspects that might produce an incentive for fraud, both in management and others? For instance:
- pay, including share-based payments, or continued employment based on earnings or other KPIs
- a need to show things are better than they are to avert a going concern crisis, perhaps in an effort to save jobs or reputations (this may be particularly prevalent during the pandemic)
- a desire to reduce tax costs to increase net profitability
- the existence of apparently easy to obtain loans or grants from the government which would bolster the financial position of the business (eg Bounce-back loans, CBILs, CJRS money)
- employees feeling they are paid unfairly low wages compared with management or other benchmarks
- individuals with personal financial crises which may prompt them to look for ways to obtain more money (again this could be exacerbated by Covid-19, or may result from problems such as gambling addictions) and so on.
Having thought about the risks did the team go onto think about the ways in which fraud could occur? For example:
- weak IT controls, which allow individuals to post journals, make payments etc without proper authority
- judgements being used to bias the final results, by being more or less optimistic by choosing alternative assumptions
- contracts or other relationships with third parties (related or not) being manipulated to achieve a desired result
- year-end cut off being manipulated to produce a particular result
- cash or other assets being able to be physically removed due to weak controls, with this being covered up by false documents
- false invoices being generated to support non-existent sales or purchases and so on.
The discussions above about incentives and means to commit fraud must be specific to the audited entity and the time at which the discussions are taking place. There should be a genuine inquisitiveness to the discussions, because even if there is no fraud the audit team might highlight weaknesses in the entity’s system which could be improved. Is this what your team discussions are already achieving, or will the additional requirements improve things?
Ultimately, although many of the requirements in the ED are new, they are merely a more detailed articulation of what auditors arguably could and should already be doing.
Given the significant extra risks of fraud that have arisen in light of Covid-19, now would be a better time to consider the audit of fraud than in 2021 when the revised standard is expected to take effect. You can then ensure that your audit teams are doing all they can to thoroughly consider the risks of fraud and find appropriate evidence, whether corroborative or contradictory, to back up the findings.
You might also be interested in
Julia Penny is the principal of JS Penny Ltd which provides technical and training consulting on anti-money laundering procedures, auditing and financial reporting. Julia is a member of ICAEW Board and Council, chair of the ICAEW Ethics Advisory Committee and past chair of the ICAEW...