# 8. AUDITOR'S RESPONSIBILITY TO CONSIDER FRAUD
(INCORPORATING ISA 240)
# 8.1 Introduction
The auditor, in the conduct of an audit, is required to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatements. Misstatements in the financial statements could arise as a result of fraud or error. The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement is intentional (fraud) or unintentional (error).
Error refers to an unintentional misstatement in the financial statements, including the omission of an amount or a disclosure, which could include:
- A mistake in gathering or processing data from which financial statements are prepared.
- An incorrect accounting estimate arising from oversight or misinterpretation of facts.
- A mistake in the application of accounting policies relating to measurement, recognition, classification, presentation or disclosure.
Fraud refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Though fraud is a broad legal concept, the auditor is concerned only with fraud that causes a material misstatement in the financial statements. In carrying out an audit, we are not required to make a legal determination of whether the fraud has actually occurred. The two types of fraud relevant in the conduct of an audit are:
- Misstatements resulting from fraudulent financial activities.
- Misstatements resulting from misappropriation of assets.
Fraud involving one or more members of management or those charged with governance is referred to as "management fraud"; while fraud involving only employees of the entity is referred to as "employee fraud". In either case, there may be collusion with third parties outside the entity.
While the general audit procedures that the engagement team is required to follow to detect misstatements are covered in the other sections of the manual, this chapter provides additional considerations that the team should take into account in designing the audit procedures to enable them to have a reasonable expectation of detecting misstatements arising from fraud. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements will not be detected, even though the audit is properly planned and performed in accordance with the ISAs. An audit does not guarantee that all material misstatements will be detected because of such factors as the use of judgment, the use of testing, the inherent limitations of internal control and the fact that much of the evidence available to the auditor is persuasive rather than conclusive in nature. For these reasons, one can only obtain reasonable assurance that material misstatements in the financial statements will be detected. The fact that an audit is carried out may act as a deterrent, but the auditor is not and cannot be held responsible for the prevention of fraud and error.
# 8.2 Characteristics of Fraud
The following are some of the ways in which fraud can be perpetrated within an entity:
- Fraudulent financial reporting involving intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users. Fraudulent financial reporting may be accomplished by:
  - Manipulation, falsification (including forgery), or alteration of accounting records or supporting documents from which the financial statements are prepared.
  - Misrepresentation in, or intentional omission from, the financial statements of events, transactions or other significant information.
  - Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.
- Management override of controls that otherwise may appear to be operating effectively, using such techniques as:
  - Recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives.
  - Inappropriately adjusting assumptions and changing judgements used to estimate account balances.
  - Omitting, advancing or delaying recognition in the financial statements of events and transactions that have occurred during the reporting period.
  - Concealing, or not disclosing, facts that could affect the amounts recorded in the financial statements.
  - Engaging in complex transactions that are structured to misrepresent the financial position or financial performance of the entity.
  - Altering records and terms related to significant and unusual transactions.
- Managing earnings in order to deceive financial statement users by influencing their perception as to the entity's performance and profitability. Such situations could occur where the management wants to maximise performance-based compensation, inflate earnings to secure a bank loan or minimise tax liabilities.
- Misappropriation of assets involving the theft of an entity's assets. Misappropriation of assets can be accomplished in a variety of ways including embezzling receipts, stealing physical or intangible assets, or causing an entity to pay for goods and services not received. It is often accompanied by false or misleading records or documents in order to conceal the fact that the assets are missing.
- Incentives or pressures, from sources within or outside the entity, to commit fraud. A perceived opportunity for fraudulent financial reporting or misappropriation of assets may exist when an individual believes that internal controls may be overridden. Even honest individuals can commit fraud in an environment that imposes sufficient pressures on them.
Fraud is usually concealed, making it difficult to detect. Nevertheless, by obtaining an understanding of the entity and its environment, including internal controls, the engagement team may identify events or conditions that indicate an incentive or pressure to commit fraud or that provide an opportunity to commit fraud. Such events and conditions are referred to as "fraud risk factors". While fraud risk factors may not necessarily indicate the existence of fraud, they are often present in circumstances where fraud has occurred, and would therefore affect the engagement team's assessment of the risks of material misstatements. Such factors could include:
- The need to meet expectations of third parties to obtain additional equity financing.
- The granting of significant bonuses if unrealistic profit targets are met.
- An ineffective control environment.
Appendix 1 - Examples of Fraud Risk Factors provides examples of such factors that may be faced by auditors in a broad range of situations. It should be noted that not all the situations identified may be relevant in all entities and some may be of greater significance in entities of different sizes, ownership structures or circumstances.
# 8.3 Professional Scepticism
The primary responsibility for the prevention and detection of fraud rests with those charged with the governance of the entity and with the management.
- Governance: It is the responsibility of those charged with governance of an entity to ensure, through oversight of management, that the entity establishes and maintains internal control to provide reasonable assurance with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
- Management: It is the responsibility of management to place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection or punishment. This involves creating a culture of honesty and ethical behaviour. It is also the responsibility of the management to establish a control environment and maintain policies and procedures to assist in achieving the objective of ensuring, as far as possible, the orderly and efficient conduct of the entity's business.
Professional scepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. Professional scepticism requires an ongoing questioning of whether the information and audit evidence obtained suggests that a material misstatement due to fraud may exist.
The engagement team is required to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement whether caused by fraud or error. When obtaining reasonable assurance, the team maintains an attitude of professional scepticism throughout the audit, considers the potential for management override of controls and recognises the fact that the audit procedures that are effective for detecting errors may not be appropriate in the context of an identified risk of material misstatement due to fraud. The engagement team should maintain professional scepticism throughout the audit, recognising the possibility that a material misstatement due to fraud may exist, notwithstanding the firm's past experience with the entity about the honesty and integrity of the management and those charged with governance.
Although the engagement team cannot fully disregard past experience of the entity with respect to the honesty and the integrity of management and those charged with governance, the maintenance of an attitude of professional scepticism becomes important as there may have been changes in circumstances. When carrying out other audit procedures, the engagement team should not be satisfied with less-than-persuasive evidence that the management and those charged with governance are honest and have integrity. In respect to those charged with governance, the engagement team should carefully consider the reasonableness of responses to inquiries and other information obtained from them in light of all other evidence obtained during the audit.
An audit rarely involves the authentication of documents, nor is an auditor trained as or expected to be an expert in such authentication. Unless the auditor has reason to believe to the contrary, the auditor ordinarily accepts records and documents as genuine. Where conditions exist causing the engagement team to believe that the documents may not be authentic or have been modified, the engagement team should undertake further investigation, e.g. by direct third party confirmation or by using the work of an expert.
# 8.4 Audit Procedures in Relation to Fraud
# 8.4.1 Preliminary Engagement Activities
The audit engagement letter should clearly spell out that the responsibility for the prevention and detection of fraud rests with the management. It should also state that while the audit will be planned to have a reasonable expectation of detecting material misstatements arising from fraud, due to the inherent nature of the audit, an audit should not be relied upon to detect all misstatements that may exist. If a special examination of potential misstatements arising from fraud is required by the client, this should be specified and agreed in the engagement letter, quite separately from the audit scope.
This is covered in the specimen Engagement Letter set out in Appendix 1 of Section 5 of the Manual.
# 8.4.2 Audit Planning
Discussion Among the Engagement Team
The engagement team should discuss the susceptibility of the entity's financial statements to material misstatement due to fraud. The engagement partner should use his professional judgement and prior experience with the entity to determine which members of the team should be included in the discussions. Ordinarily this would involve key members. The engagement partner should also consider which matters are to be communicated to members of the engagement team not involved in the discussions. The discussion would include:
- Identification of areas where the entity's financial statements would be susceptible to material misstatement due to fraud, how the management could perpetrate and conceal fraudulent financial reporting and how the assets of the entity could be misappropriated.
- Practices followed by management to manage earnings that could lead to fraudulent financial reporting.
- External and internal factors that may create an incentive or pressure for management and others to commit fraud.
- Management's involvement in overseeing employees with access to cash and assets susceptible to misappropriation.
- Unusual or unexplained changes in behaviour or lifestyle of management or employees.
- An emphasis on maintaining a proper state of mind throughout the audit regarding the potential material misstatement due to fraud and consideration of types of circumstances that, if encountered, might indicate the possibility of fraud.
- Consideration of the risk of management override of controls.
- Consideration of the audit procedures to be adopted in response to the susceptibility of the entity's financial statements to material misstatements due to fraud and how an element of unpredictability will be incorporated into the nature, timing and extent of the audit procedures to be performed.
- How any allegations of fraud that come to the attention of the engagement team will be dealt with.
Risk Assessment Procedures
When obtaining a general understanding of the entity and its control environment, the engagement team should ascertain the following:
- How those charged with governance exercise oversight of the management's process for identifying and responding to the risks of fraud and the internal controls that management has established to prevent and detect risks.
- Management's process of identifying and responding to the risks of fraud, including any specific risk that the management has identified or account balances, classes of transactions or disclosures for which a risk of fraud is likely to exist.
- Management's communications, if any, to those charged with governance regarding the processes for identifying and responding to the risks of fraud.
- Management's communication, if any, to employees regarding its view on business practices and ethical behaviour.
- Whether there have been any actual, suspected or alleged frauds, by making inquiries of management, internal audit and any other appropriate person within the entity. It should be noted that while such inquiries may provide useful information concerning material misstatements in the financial statements resulting from employee fraud, they will not provide useful information regarding the risk of material misstatements arising from management fraud.
- The attitude of the internal audit, where it exists, towards the risk of fraud, and whether during the year, internal audit has performed audits to detect fraud and whether the management has satisfactorily responded to the findings arising from such audits.
While the management's approach to risk assessment will vary between entities, the fact that the management has not made an assessment of the risk of fraud may in some circumstances be indicative of the lack of importance that the management places on internal controls. In owner-managed entities, the management may have a more effective oversight than in larger entities, thereby compensating for the generally more limited opportunities for segregation of duties. On the other hand, the owner-manager may be more able to override controls. This needs to be considered by the engagement team at the risk assessment stage.
Based on the above, the engagement team should:
- Consider whether one or more fraud risk factors are present.
- Consider any unusual or unexpected relationships that have been identified when performing the preliminary analytical review.
- Document the fraud risk factors identified as being present during the engagement team's assessment process and document the response to any such factors.
The fraud risk factors identified should be recorded in Form 5.11 - Assessment of Fraud Risk in Part E of the Manual. The key issues identified should also be summarised in Form 5.01 - Audit Plan.
# 8.4.3 Execution
As the assessed risks due to fraud are significant risks, the engagement team should, to the extent not already done, evaluate the design of the entity's related controls, including relevant control activities, and determine whether they have been implemented. The team uses professional judgement to:
- Identify classes of transactions, account balances and disclosures in the financial statements that may be susceptible to fraud.
- Relate the identified risks of fraud to what can go wrong at the assertion level.
- Consider the likely magnitude of the potential misstatement including the possibility that the risk might give rise to multiple misstatements and the likelihood of the risk occurring.
Based on this, the team should determine the overall response to address the assessed risk of material misstatement at the financial statement level, and design substantive procedures whose nature, timing and extent, reduce to an acceptably low level, the risk from misstatements resulting from fraud. The engagement team also incorporates an element of unpredictability in the selection of the nature, extent and timing of audit procedures to be performed. This can be achieved by:
- Performing substantive procedures on selected account balances and assertions not otherwise tested due to materiality or risk.
- Adjusting the timing of audit procedures from that otherwise expected.
- Using different sampling methods.
- Performing audit procedures at different locations or at locations on an unannounced basis.
If during the performance of the audit, fraud risk factors are identified that cause the engagement team to believe that additional audit procedures are necessary, the team should document the presence of such risk factors and the response to them.
The knowledge, skill, and ability of the individuals assigned significant engagement responsibilities should be commensurate with the engagement partner's assessment of the risk. This could include assigning additional individuals with specialised skill and knowledge or by assigning more experienced individuals to the engagement.
Audit Procedures Responsive to Risks of Material Misstatements Due to Fraud
The audit procedures at the assertion level may include changing the nature, timing and the extent of audit procedures to obtain audit evidence that is more reliable and relevant or by obtaining more corroborative information. This can be achieved by:
- Physical observation or inspection of certain assets.
- Use of computer assisted audit techniques to gather more evidence about data contained in significant accounts or electronic transaction files.
- Obtaining additional corroborative evidence e.g. between high earnings and cut-off errors in the recording of sales.
- Extended use of external confirmation to also confirm the terms of trade.
- Modifying the timing of substantive procedures e.g. applying substantive procedures at or near the period end where cut-off errors are more likely, or applying them to transactions occurring earlier in or throughout the reporting period.
- Increasing the sample size or performing analytical procedures at a more detailed level.
Appendix II: Audit Procedures to Address the Risk of Material Misstatement Due to Fraud provides examples of responses to the auditor's assessment of the risk of material misstatement resulting from both fraudulent financial reporting and misappropriation of assets.
Audit Procedures Responsive to Management Override of Controls
The engagement team should design and perform audit procedures to:
- Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of financial statements (covered in the 06.02 - Trial Balance Audit Programme in Part E of the Manual).
- Review accounting estimates for biases that could result in material misstatements due to fraud.
- Obtain an understanding of the business rationale of significant transactions that the engagement team becomes aware of that are outside of the normal course of business for the entity, or that otherwise appear to be unusual given the team's understanding of the entity and its environment.
The audit procedures to be adopted in response to the identified fraud risk factors should be recorded in Form 5.11 - Assessment of Fraud Risk in Part E of the Manual. Summarise the key responses in Form 5.01 - Audit Plan.
# 8.5 Evaluation of Audit Evidence
The engagement team, based on the audit procedures performed and the audit evidence obtained, should evaluate whether the assessment of the risks of material misstatements at the assertion level remains appropriate. This evaluation is primarily a qualitative matter based on judgement. Such an evaluation may provide further insight about the risks of material misstatements due to fraud and whether there is a need to perform additional or different audit procedures. The engagement partner should also consider if there has been appropriate communication with other engagement team members throughout the audit regarding information or conditions indicative of material misstatement due to fraud.
Appendix III: Circumstances That Indicate Possibility of Fraud gives situations that may indicate the possibility of fraud.
In forming an opinion on the financial statements, the engagement partner should consider:
- Whether analytical procedures that are performed at or near the end of the audit when forming an overall conclusion as to whether the financial statements as a whole are consistent with the firm's knowledge of the business indicate a previously unrecognised risk of material misstatement due to fraud.
- Whether misstatements identified may be indicative of fraud, and if there is such an indication, the engagement team should consider the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations.
Written representations should be obtained from the management that:
- It acknowledges its responsibility for the design and implementation of internal control to prevent and detect fraud.
- It has disclosed to the auditor the results of its assessment of the risk that the financial statements may be materially misstated as a result of fraud.
- It has disclosed to the auditor its knowledge of fraud or suspected fraud affecting the entity and involving management, employees who have significant roles in internal control or others where the fraud could have a material effect on the financial statements.
- It has disclosed to the auditor its knowledge of any allegations of fraud or suspected fraud affecting the entity's financial statements communicated by employees, former employees, analysts, regulators or others.
The representations are covered in the specimen Letter of Representation set out as Form 02.03 in Part E of the Manual.
# 8.6 Reporting
Where the engagement team confirms that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the engagement partner should consider the implications on the audit report. (See Section 26.2 and 26.3)
Communicating with Management and Those Charged with Governance
Where the engagement team identifies a fraud or has obtained information that indicates that a fraud may exist, this should be communicated as soon as practicable to the appropriate level of management, even if the matter might be considered inconsequential. The determination of the level of management on which the communication is to take place is a matter of professional judgement and would ordinarily involve at least one level above the person who appears to be involved with the suspected fraud.
Where the fraud involves the management, employees who have a significant role in internal control or others where the fraud has resulted in a material misstatement, the reporting should be done to those charged with governance.
The engagement partner should also communicate at the appropriate level of responsibility, material weaknesses in the design or implementation of internal controls to prevent and detect fraud which may have come to the engagement team's attention and also consider whether any other matters related to fraud need to be discussed with governance of the entity including:
- Concerns about the nature, extent and frequency of management's assessment of the controls in place to prevent and detect fraud and of the risk that the financial statements may be misstated.
- A failure by management to appropriately address identified material weaknesses in internal control.
- A failure by management to appropriately respond to an identified fraud.
- The auditor's evaluation of the entity's environment including questions regarding the competence and integrity of management.
- Actions by management that may be indicative of fraudulent financial reporting.
- Concerns about the adequacy and completeness of the authorisation of transactions that appear to be outside the normal course of business.
See Section 27.3 and 27.4 on the procedures to be adopted when communicating with management and those charged with governance.
Communications with Regulatory and Enforcement Authorities
The auditor's professional duty to maintain confidentiality of client information generally precludes reporting of fraud to a party outside the entity. However, where such requirements are enshrined in law, the engagement partner should consider obtaining legal advice on the appropriate course of action.
Withdrawal from the Engagement
If, as a result of a misstatement resulting from fraud or suspected fraud, the engagement team encounters exceptional circumstances that bring into question the firm's ability to continue performing the audit, the engagement partner should:
- Consider the professional and legal responsibilities applicable in the circumstances, including whether there is a requirement for the firm to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities;
- Consider the possibility of withdrawing from the engagement; and
- If the firm withdraws:
  - Discuss with the appropriate level of management and those charged with governance the firm's withdrawal from the engagement and the reasons for the withdrawal; and
  - Consider whether there is a professional or legal requirement to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities, the withdrawal from the engagement and the reasons for the withdrawal.
APPENDIX I - EXAMPLES OF FRAUD RISK FACTORS
Although the fraud risk factors given here cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. The order of the examples provided does not reflect their relative importance or frequency of occurrence.
Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting
Incentives / Pressures
- Financial stability or profitability is threatened by economic, industry, or entity operating conditions such as:
  - High degree of competition or market saturation, accompanied by declining margins.
  - High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates.
  - Significant declines in customer demand and increasing business failures either within the industry or overall economy.
  - Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.
  - Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.
  - Rapid growth or unusual profitability especially compared to that of other companies in the same industry.
  - New accounting, statutory, or regulatory requirements.
- Excessive pressure on management to meet the requirements or expectations of third parties due to the following:
  - Unduly aggressive or unrealistic profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties, including expectations created by management in, for example, overly optimistic press releases or annual report messages.
  - Need to obtain additional debt or equity financing to stay competitive, including financing of major research and development or capital expenditures.
  - Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements.
  - Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.
- Information available indicates that the personal financial situation of management or those charged with governance is threatened by the entity's financial performance arising from:
  - Significant financial interests in the entity.
  - Significant portions of their compensation (for example, bonuses) being contingent upon achieving aggressive targets for share price, operating results, financial position, or cash flow.
  - Personal guarantees of debts of the company.
- Excessive pressure on management or operating personnel to meet financial targets established by those charged with governance, including sales or profitability incentive goals.
- The nature of the industry or the entity's operations e.g.:
  - Significant related party transactions not in the ordinary course of business or with related entities that are not audited or are audited by another firm.
  - A strong financial presence or the ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm's length transactions.
  - Assets, liabilities, revenues, or expenses based on significant estimates involving subjective judgments or uncertainties that are difficult to corroborate.
  - Significant, unusual, or highly complex transactions, especially those close to the period end that raise difficult 'substance over form' questions.
  - Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.
  - Use of business intermediaries for which there appears to be no clear business justification.
  - Significant bank accounts or subsidiary or branch operations in tax haven jurisdictions for which there appears to be no clear business justification.
- Ineffective monitoring of management as a result of:
  - Domination of management by a single person or small group without compensating controls.
  - Ineffective oversight by those charged with governance over the financial reporting process and internal control.
- Complex or unstable organisational structure, as evidenced by:
  - Difficulty in determining the organisation or individuals that have controlling interest in the entity.
  - Overly complex organisational structure involving unusual legal entities or managerial lines of authority.
  - High turnover of senior management, legal counsel, or those charged with governance.
- Internal control components are deficient as a result of:
  - Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required).
  - High turnover rates or employment of ineffective accounting, internal audit, or information technology staff.
  - Ineffective accounting and information systems, including situations involving material weaknesses in internal control.
Attitudes / Rationalisations
- Ineffective communication, implementation, support, or enforcement of the entity's values or ethical standards by management or the communication of inappropriate values or ethical standards.
- Non-financial management's excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates.
- Known history of violations of stock market laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations.
- Excessive interest by management in maintaining or increasing the entity's share price or earnings trend.
- Practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.
- Management failing to correct known material weaknesses in internal control on a timely basis.
- An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons.
- Low morale among senior management.
- The owner-manager makes no distinction between personal and business transactions.
- Dispute between shareholders in a closely held entity.
- Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.
- The relationship between management and the current or predecessor auditor is strained, as exhibited by the following:
  - Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.
  - Unreasonable demands on the auditor, such as unreasonable time constraints regarding the completion of the audit or the issuance of the auditor's report.
  - Formal or informal restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with those charged with governance.
  - Domineering management behaviour in dealing with the auditor, especially involving attempts to influence the scope of the auditor's work or the selection or continuance of personnel assigned to or consulted on the audit engagement.
Risk Factors Arising from Misstatements Arising from Misappropriation of Assets
Incentives / Pressures
- Personal financial pressures on management or employees with access to cash or other assets susceptible to fraud.
- Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft. For example, adverse relationships may be created by the following:
  - Known or anticipated future employee layoffs.
  - Recent or anticipated changes to employee compensation or benefit plans.
  - Promotions, compensation, or other rewards inconsistent with expectations.
- Certain characteristics and circumstances increase the susceptibility of assets to misappropriation. For example:
  - Large amounts of cash on hand.
  - Inventory items that are small in size, of high value, and in high demand.
  - Easily convertible assets such as bearer bonds.
  - Property, plant and equipment items that are small in size, marketable, or lacking observable identification of ownership.
- Inadequate internal control over assets. For example:
  - Inadequate segregation of duties or independent checks.
  - Inadequate oversight of senior management expenditure, such as travel and other reimbursements.
  - Inadequate management oversight of employees responsible for assets, e.g. inadequate supervision or monitoring of remote locations.
  - Inadequate job applicant screening.
  - Inadequate record keeping with respect to assets.
  - Inadequate system of authorisation and approval of transactions.
  - Inadequate physical safeguards over cash, inventory or property, plant and equipment.
  - Lack of complete and timely reconciliations of assets.
  - Lack of timely and appropriate documentation of transactions, e.g. credits for return of goods.
  - Lack of mandatory leave for employees performing key control functions.
  - Inadequate management understanding of information technology (IT), which enables IT personnel to perpetrate a misappropriation.
  - Inadequate access controls over automated records, including controls over and review of computer systems event logs.
Attitudes / Rationalisations
- Disregard for the need for monitoring or reducing risks related to misappropriation of assets.
- Disregard for the need for internal controls related to the misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies.
- Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of the employees.
- Changes in behaviour or lifestyle that may indicate that assets have been misappropriated.
- Tolerance of petty theft.
APPENDIX II - AUDIT PROCEDURES TO ADDRESS THE ASSESSED RISK OF FRAUD
Although the audit procedures given here cover a broad range of situations, they are only examples and, accordingly, they may not be the most appropriate nor necessary in each circumstance. Also, the order of procedures given is not intended to reflect their relative importance.
Consideration at the Assertion Level
- Visiting certain locations or performing certain tests on a surprise or unannounced basis. E.g., observing inventory count or counting cash at a particular date on a surprise basis.
- Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimize the risk of manipulation of balances in the period between the date of completion of the count and the end of the reporting period.
- Altering the audit approach in the current year. E.g., contacting major customers and suppliers orally in addition to sending written confirmation, sending confirmation requests to a specific party within an organization, or seeking more or different information.
- Performing a detailed review of the entity's quarter-end or year-end adjusting entries and investigating any that appear unusual as to nature or amount.
- For significant and unusual transactions, particularly those occurring at or near year-end, investigating the possibility of related parties and the sources of financial resources supporting the transactions.
- Performing substantive analytical procedures using disaggregated data. For example, comparing sales and cost of sales by location, line of business or month to expectations developed by the auditor.
- Conducting interviews of personnel involved in areas where a risk of material misstatement due to fraud has been identified, to obtain their insights about the risk and whether, or how, controls address the risk.
- When other independent auditors are auditing the financial statements of one or more subsidiaries, divisions or branches, discussing with them the extent of work necessary to be performed to address the risk of material misstatement due to fraud resulting from transactions and activities among these components.
- If the work of an expert becomes particularly significant with respect to a financial statement item for which the risk of misstatement due to fraud is high, performing additional procedures relating to some or all of the expert's assumptions, methods or findings to determine that the findings are not unreasonable, or engaging another expert for that purpose.
- Performing audit procedures to analyse selected opening balance sheet accounts of previously audited financial statements to assess how certain issues involving accounting estimates and judgments, for example an allowance for sales returns, were resolved with the benefit of hindsight.
- Performing procedures on account or other reconciliations prepared by the entity, including considering reconciliations performed at interim periods.
- Performing computer-assisted techniques, such as data mining to test for anomalies in a population.
- Testing the integrity of computer-produced records and transactions.
- Seeking additional audit evidence from sources outside of the entity being audited.
Specific Responses - Misstatement Resulting From Fraudulent Financial Reporting
- Performing substantive analytical procedures relating to revenue using disaggregated data, for example, comparing revenue reported by month and by product line or business segment during the current reporting period with comparable prior periods. Computer-assisted audit techniques may be useful in identifying unusual or unexpected revenue relationships or transactions.
- Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements, and the basis for rebates or the period to which they relate are often poorly documented. For example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances.
- Inquiring of the entity's sales and marketing personnel or in-house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.
- Being physically present at one or more locations at period end to observe goods being shipped or being readied for shipment (or returns awaiting processing) and performing other appropriate sales and inventory cut-off procedures.
- For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.
- Examining the entity's inventory records to identify locations or items that require specific attention during or after the physical inventory count.
- Observing inventory counts at certain locations on an unannounced basis or conducting inventory counts at all locations on the same date.
- Conducting inventory counts at or near the end of the reporting period to minimize the risk of inappropriate manipulation during the period between the count and the end of the reporting period.
- Performing additional procedures during the observation of the count, for example, more rigorously examining the contents of boxed items, the manner in which the goods are stacked or labelled, and the quality (that is, purity, grade, or concentration) of liquid substances such as perfumes or specialty chemicals. Using the work of an expert may be helpful in this regard.
- Comparing the quantities for the current period with prior periods by class or category of inventory, location or other criteria, or comparison of quantities counted with perpetual records.
- Using CAATs to further test the compilation of the physical inventory counts - for example, sorting by tag number to test tag controls or by item serial number to test the possibility of item omission or duplication.
- Using an expert to develop an independent estimate for comparison to management's estimate.
- Extending inquiries to individuals outside of management and the accounting department to corroborate management's ability and intent to carry out plans that are relevant to developing the estimate.
Specific Responses - Misstatements Due to Misappropriation of Assets
- Counting cash or inventories at or near year-end.
- Confirming directly with customers the account activity (including credit memo and sales return activity as well as dates payments were made) for the period under audit.
- Analyzing recoveries of written-off accounts.
- Analysing inventory shortages by location or product type.
- Comparing key inventory ratios to the industry norm.
- Reviewing supporting documentation for reductions to the perpetual inventory records.
- Performing a computerized match of the vendor list with a list of employees to identify matches of addresses or phone numbers.
- Performing a computerized search of payroll records to identify duplicate addresses, employee identification or taxing authority numbers or bank accounts.
- Reviewing personnel files for those that contain little or no evidence of activity, for example, lack of performance evaluations.
- Analysing sales discounts and returns for unusual patterns or trends.
- Confirming specific terms of contracts with third parties.
- Obtaining evidence that contracts are being carried out in accordance with their terms.
- Reviewing the propriety of large and unusual expenses.
- Reviewing the authorisation and carrying value of senior management and related party loans.
- Reviewing the level and propriety of expense reports submitted by senior management.
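The computerized vendor-to-employee match and the payroll duplicate search listed above can be sketched as follows. This is an added example, not part of the manual: all records are constructed, and the field names, the abbreviation table and the ten-digit phone comparison are assumptions to adapt to the entity's own data.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real entity).
VENDORS = [
    {"id": "V001", "address": "12 High Street, Apt. 4", "phone": "+1 (555) 010-2030"},
    {"id": "V002", "address": "98 Dock Road", "phone": "555-010-7777"},
    {"id": "V003", "address": "7 Mill Lane", "phone": "555 010 4455"},
]
EMPLOYEES = [
    {"id": "E100", "address": "12 high st apt 4", "phone": "555-010-9999", "bank": "GB00-1111-2222", "tax_id": "TX-01"},
    {"id": "E101", "address": "3 Park Ave", "phone": "5550104455", "bank": "GB00 3333 4444", "tax_id": "TX-02"},
    {"id": "E102", "address": "44 Elm Road", "phone": "555-010-1212", "bank": "gb0011112222", "tax_id": "TX-03"},
]

# Assumed abbreviation table; extend for the address formats in the real data.
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "lane": "ln", "apartment": "apt"}

def norm_address(s):
    # Lower-case, drop punctuation, collapse spacing, unify common abbreviations.
    tokens = re.sub(r"[^a-z0-9 ]", " ", s.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def norm_phone(s, digits=10):
    # Compare on the trailing national digits so a country code does not hide a match.
    return re.sub(r"\D", "", s)[-digits:]

def norm_key(s):
    # Bank account and tax numbers: ignore case, spaces and separators.
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def _index(records, norms):
    # Map (field, normalised value) -> ids holding it; blanks are skipped
    # so that missing data never counts as a match.
    idx = defaultdict(set)
    for r in records:
        for field, norm in norms.items():
            key = norm(r.get(field) or "")
            if key:
                idx[(field, key)].add(r["id"])
    return idx

def vendor_employee_matches(vendors, employees):
    norms = {"address": norm_address, "phone": norm_phone}
    emp = _index(employees, norms)
    return sorted((vid, eid, k[0])
                  for k, vids in _index(vendors, norms).items()
                  for vid in vids for eid in emp.get(k, ()))

def payroll_duplicates(employees):
    norms = {"address": norm_address, "bank": norm_key, "tax_id": norm_key}
    return sorted((k[0], tuple(sorted(ids)))
                  for k, ids in _index(employees, norms).items() if len(ids) > 1)

if __name__ == "__main__":
    print(vendor_employee_matches(VENDORS, EMPLOYEES))
    print(payroll_duplicates(EMPLOYEES))
```

Each hit is a lead for follow-up rather than a finding: shared addresses or bank accounts can have legitimate explanations, such as family members employed by the same entity.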
APPENDIX III - CIRCUMSTANCES THAT INDICATE POSSIBILITY OF FRAUD
- Discrepancies in the accounting records, including:
  - Transactions that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy.
  - Unsupported or unauthorised balances or transactions.
  - Last-minute adjustments that significantly affect financial results.
  - Evidence of employees' access to systems and records inconsistent with that necessary to perform their authorised duties.
  - Tips or complaints to the auditor about alleged fraud.
- Conflicting or missing evidence such as:
  - Missing documents.
  - Documents that appear to be altered.
  - Unavailability of original documentation, i.e. documents available are photocopies or electronically transmitted.
  - Significant unexplained items on reconciliations.
  - Unusual balance sheet changes, or changes in trends or important financial statement ratios or relationships, e.g., receivables growing faster than revenues.
  - Inconsistent, vague or implausible responses from management or employees arising from inquiries or analytical procedures.
  - Unusual discrepancies between the entity's records and confirmation replies.
  - Large number of credit entries and other adjustments made to the accounts receivable records.
  - Unexplained or inadequately explained differences between the accounts receivable ledgers and control account, or between the customers' statements and the accounts receivable ledgers.
  - Missing or non-existent cancelled cheques.
  - Missing inventory or other tangible assets of significant magnitude.
  - Unavailable or missing electronic evidence, inconsistent with the entity's record retention practices or policies.
  - Fewer responses to confirmations than anticipated or a greater number of responses than anticipated.
  - Inability to produce evidence of key systems development and program change testing and implementation activities for current-year system changes and deployments.
- Problematic or unusual relationships between the auditor and management, including the following:
  - Denial of access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought.
  - Undue time pressures from management to resolve complex or contentious issues.
  - Complaints by management about the conduct of the audit or management intimidation of engagement team members, particularly in connection with the auditor's critical assessment of audit evidence or in the resolution of potential disagreements with management.
  - Unusual delays by the entity in providing requested information.
  - Unwillingness to facilitate auditor access to key electronic files for testing through the use of CAATs.
  - Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel.
  - Unwillingness to add or revise disclosures in the financial statements to make them more complete and understandable.
  - Unwillingness to address identified weaknesses in internal control on a timely basis.
  - Unwillingness of management to permit the auditor to meet privately with those charged with governance.
- Others:
  - Accounting policies that are not in line with industry norms.
  - Frequent changes in accounting estimates that do not appear to result from changes in circumstances.
  - Tolerance of violations of the entity's code of conduct.