Firstly, ISA (UK) 315 requires that the engagement partner and other key engagement team members discuss:
- The susceptibility of the entity’s financial statements to material misstatement and
- The application of the applicable financial reporting framework to the entity’s facts and circumstances.
The engagement partner must also determine which matters are to be communicated to engagement team members not involved in the discussions (only key members are required to attend, so more junior staff may not be at the meeting).
ISA (UK) 240 requires that:
- This discussion shall place particular emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur.
- The discussion shall occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity.
This latter point is very important, as you are being required to look at the risks absent any thoughts that those involved are honest, to help ensure you are not biased in your discussion.
In addition, ISA (UK) 550, Related parties, requires the engagement team discussion to include "specific consideration of the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related party relationships or transactions".
These team meetings are designed to allow the exchange of ideas and to develop an understanding of where risks of material misstatement arise. The question, though, is whether your team discussions are getting to the nub of the issue, particularly about fraud.
Getting the best out of your team discussion
The best discussions will allow all team members a voice and will not dismiss thoughts as irrelevant, obvious, or wrong. Team members need to feel free to speak and to come up with new ideas. There must be a supportive environment and the discussions should be allowed to develop a point or go off at a tangent if one idea leads to another. What the discussion shouldn’t look like is this: “Does anyone have any thoughts regarding where fraud can occur?” (Brief pause). “No, good, let’s move on”.
Understanding fraud
Let us focus on fraud risks, one of the more difficult parts of the discussion; you should be able to apply the same principles to other risks.
Setting a framework for the discussions can be helpful, so in having a robust discussion about the potential for fraud in an audited entity, firstly think about the conditions necessary for fraud. These can be summed up as follows:
- Incentives or pressure
- Opportunities
- Attitudes or rationalisations (which create an environment in which fraud is more likely).
Incentives or pressure
During your team discussion ask each person how these factors are relevant to the entity you are auditing. For instance, the partner might tell the team there is a plan to sell the company, or that directors’ pay includes large bonuses if profit and sales targets are met. These factors would provide an incentive to commit fraud, to ensure that the desired sales price or targets were met.
But remember to look more widely than this. There may be pressures to commit fraud which aren’t as direct, for instance, a desire to keep a job, to get a promotion or to keep the company afloat. Alternatively, there may be individual pressures, such as a director or member of staff who has money problems. The point is to use the whole team’s knowledge of the client and its environment, together with the incentives for fraud, to try to identify the risks of material misstatement.
Opportunity
The second point is the opportunity to commit fraud, and here the focus will be more on internal controls and the control environment of the audited entity. In your team discussion, consider whether one individual can follow a transaction right through the system, so they could create a false invoice, post it, get it paid (and do it all again).
Remember that many frauds can be made possible by gaining access to online systems without authority. Easily guessed passwords, phishing scams to access information and malicious software disguised as something official or harmless all provide the opportunity for both internal and external fraudsters to access the systems they need. So, discuss the robustness of the general IT controls and any information about attempted hacks or the susceptibility of staff to phishing scams.
Don’t forget that ISAs require the auditor to consider the risk of management override as significant, and you can see why this is the case. If the boss can require other staff to carry out transactions, post journal entries and make payments, for example, it doesn’t matter how good the rest of the controls appear to be; the possibility of management fraud will still be left open.
Attitudes or rationalisations
The attitudes of staff and management can have a pivotal impact on whether or not fraud occurs. Think back, if you are old enough, to the MPs’ expenses scandal. Many MPs were found to have claimed for entirely inappropriate things (including, infamously, a duck house and porn films) in their second home expenses. Unfortunately, a culture had developed in which it was considered normal for any costs even vaguely related to the MP’s second home to be charged as expenses.
Added to this was the fact that nobody carried out robust checks on the expense claims, providing an opportunity for false claims. Quite likely the incentive may have been a feeling that MPs were not paid enough salary and the expenses made up for this – which is also a rationalisation of the actions. These same risks can exist in any organisation, so try to understand the culture of the organisation you are auditing.
The appendix to ISA 540 sets out risk factors about fraud, which you could use to get some ideas flowing for your team discussion. Remember to consider both manipulation of the accounts, as well as the misappropriation of assets.
Conclusions
We have focussed in this article on having a robust team discussion about the risk of fraud, but you can expand the principles to cover all aspects of your discussion. Make sure you challenge each other and that you are imaginative in considering what could go wrong in terms of fraud or error. Allow all team members present to put forward their views and don’t laugh if you think something is too far-fetched – it may not be.
Finally, remember to document details of the discussion, the risks identified and the planned response to those risks and to share the information with other team members not present.