Auditing standard changes put spotlight on fraudby
The complexity of businesses means that auditors must take fraud more seriously. Dudley Gould talks to Simon Kettlewell of HAT Group of Accountants, about the changes to ISA (UK) 240.
Last month we explored how ISA 315 revisions, identifying and assessing the risks of material misstatement, will require auditors to take a more holistic approach. The second part of the conversation with Simon Kettlewell, director at HAT Group of Accountants, takes into consideration ISA (UK) 240 and the auditor’s responsibilities relating to fraud.
Fraud is a hot issue in audit, particularly after recent high-profile audit failures such as Patisserie Valerie and Wirecard. Both companies were well-known listed entities with controls in place, so their failure should now make auditors increasingly aware of the risk of fraud and how it can apply to practices of all sizes and smaller companies being audited.
Patisserie Valerie and Wirecard’s audits had significant failings in the area of cash and bank accounts. So here we dig deeper to understand the changes to ISA (UK) 240, the impact of the Financial Reporting Council’s (FRC) reference to automated tools and techniques, and how medium-sized firms can leverage them to protect themselves.
Background to ISA (UK) 240 changes
Dudley Gould (DG): Why has fraud been brought to the front and centre of audit failure?
Simon Kettlewell (SK): The Grant Thornton audit of Patisserie Valerie has shown that auditors really need to be aware of fraud. This has helped put in their minds the possibility that fraudulent activity can occur in any entity.
DG: What are the headline changes to ISA (UK) 240?
SK: The new version has added some clarifications and codifications of best practice, such as the need to consider both corroborative and contradictory evidence, but the fundamentals haven’t changed. ISA (UK) 240 states that the primary responsibility for the prevention and detection of fraud rests with those charged with the governance of the entity and management (so often, the director shareholders). The auditor’s responsibility is to obtain reasonable assurance that the financial statements taken as a whole are free from material error, whether caused by fraud or error. It also refers to the fact that due to the inherent limitations of audit, there is an inherent risk that some material misstatements may not be detected, even if you plan and perform the work properly.
DG: So not much has changed other than it is more of a topic. The general public thinks auditors are responsible for fraud, but auditors are not responsible unless there is a misstatement. Has anything changed?
SK: Public perception only, I would say. There has always been an expectation gap regarding what an auditor’s responsibilities are. I think that high-profile audit failures coming to light likely means that the expectation gap is probably growing.
The next question to ask is that if someone is going to commit fraud they will want a financial reward, and where is that going to come from? It will likely be their bank account so whether that is £2,000 or £2m it has to come from the bank.
I think the approach for cash in the bank has always just been “let’s get a bank letter”. Even since the FRC withdrew Practice Note 16 and the mandatory need for a bank letter, most firms have continued to request one. Whether this is paper or electronic doesn’t matter. Auditors are just seeking to obtain confirmation of bank accounts.
However, it is now very easy for fraudsters to alter and amend bank transaction details on a paper or PDF statement. It would be quite simple to modify a statement to show an amount going to a sweep account, for example. If that fraud isn’t picked up by the auditor, there could be some serious repercussions for both the audited entity and the auditor.
The role of verified bank transactions
DG: As most fraud is likely to go through the bank, do you think that every audit should get verified bank transactions directly from the bank?
SK: I think that this would be a positive step. However, in reality, there are many auditors who have acted for their clients for the past 10 or 15 years and simply roll forward the previous year’s audit without really considering the risk.
Familiarity threats then arise; the more you know your client, the less likely you are to think they will commit fraud. Professional scepticism links in here too. Almost every FRC Final Decision Notice issued against the large audit firms makes reference to the auditor failing to apply appropriate professional scepticism. Verifying bank transactions can help to overcome this through obtaining good-quality third-party evidence, as required by ISA (UK) 500.
Manage fraud with data
DG: Businesses are now generating more data than ever. ISA (UK) 240 and ISA 315, are the first standards to refer to automation tools. How significant can technology be for managing data to highlight fraud?
SK: Forward-looking audit practices will embrace technology due to the world changing quickly. Data is more easily available, and things are getting more complex – certainly when compared to the audits that I was doing back in 2004. Sage Line 50 used to give you a bank report where you could physically tick off every reconciling item. However, you aren’t going to do this anymore. The availability of data should be the thing that is pushing people towards a more data-driven mindset.
Auditors could employ a tool to verify 100% of bank transactions, which would give them comfort over movements through the bank account that matches transactions left, right and centre. It’s not a silver bullet but it would highlight outliers for further inspection that could be indicative of fraud.
Ticking and bashing is no longer adequate
The enhanced focus on fraud, highlighted by the revision to ISA (UK) 240, signifies that ticking and bashing is no longer adequate. Increasing amounts of data and the complexity of businesses mean that auditors must take fraud more seriously.
You might also be interested in
Dudley is a Chartered Accountant formerly with KPMG and Moore Kingston Smith. He founded Audapio, a solution leveraging Open Banking to improve audit quality and efficiency before joining Circit as VP of business development.