Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood
for Audit Quality Financial Executives International, the Institute of Internal Auditors, and the National Association of Corporate Directors) formed the Anti-Fraud Collaboration. The organization’s website at antifraudcollaboration.org contains resources for audits in the form of case studies, reports, videos, articles, and free CPE.
Management’s Override of Controls. The auditor should also be alert to the fact that fraudulent financial reporting often involves the override of controls, and that management’s override of controls can occur in unpredictable ways. Also, fraud may be concealed through collusion, making it particularly difficult to detect.
In recent years, one international company paid a multimillion-dollar fine to the SEC for inflating its fiscal year results to meet earnings expectations and committing other accounting-related violations over a first-year period.2 Another international company paid penalties because it was overstating revenues and assets.3 Both companies improperly accounted for write-downs under ASC 450. One company also failed to properly amortize intangible assets under ASC 350.
Responsibilities for the Prevention and Detection of Fraud. Management and those charged with governance have the primary responsibility for the prevention and detection of fraud. Management should create an atmosphere that makes fraud prevention a priority by creating a culture of ethical behavior supported by oversight. Management should consider potential inappropriate influence over the financial reporting process, such as managing earnings. Management is responsible for designing and implementing programs to prevent, deter, and detect fraud. When management and others, such as the audit committee and board of directors, set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced. (AU-C 240.04)
Responsibilities of the Auditor
In every audit, the auditor is obligated to plan and perform the audit to obtain reasonable assurance about whether the financial statements as a whole are free of material misstatements, whether caused by error or by fraud. (AU-C 240.05)
Professional Skepticism
As defined in AU-C Section 200, professional skepticism is an attitude that includes a questioning mind and critical assessment of audit evidence. The auditor should conduct the entire engagement with an attitude of professional skepticism, recognizing that fraud could be present, regardless of past experience with the entity or beliefs about management’s integrity. (AU-C 240.08 and .12) The auditor should not let his or her beliefs about management’s integrity allow the auditor to be satisfied with any audit evidence that is less than persuasive. Finally, the auditor should continuously question whether information and evidence obtained suggest that material misstatement caused by fraud has occurred.
Engagement Team Discussion about Fraud (Brainstorming)
When planning the audit, members of the audit team must discuss where and how the financial statements may be susceptible to material misstatement caused by fraud. This discussion should include the following:
Exchange ideas and brainstorm about where the financial statements are susceptible to fraud, how assets could be stolen, and how management might engage in fraudulent financial reporting.
Emphasize the need to maintain the proper mind-set throughout the audit regarding the potential for fraud. As previously discussed, the auditor should continually exercise professional skepticism and have a questioning mind when performing the audit and evaluating audit evidence. Engagement team members should thoroughly probe issues, acquire additional evidence when necessary, and consult with other team members and firm experts as needed.
Consider known external and internal factors affecting the entity that might create incentives and opportunities to commit fraud, and indicate an environment that enables rationalizations for committing fraud.
Consider indications of earnings management.
Consider the risk that management might override controls.
Consider how to respond to the susceptibility of the financial statements to material misstatement caused by fraud.
For the purposes of this discussion, set aside any of the audit team’s prior beliefs about management’s honesty and integrity.
The discussion would normally include key audit team members. Other factors that should be considered when planning the discussion include:
Whether to have multiple discussions if the audit involves more than one location
Whether to include specialists assigned to the audit
Audit team members should continue to communicate throughout the audit about the risks of material misstatement due to fraud. (AU-C 240.15)
Obtaining Information Needed to Identify Fraud Risks
In addition to performing procedures required under Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements, the auditor should obtain information needed to identify the risks of material misstatement due to fraud by:
Asking management and others within the entity about their views on the risk of fraud and how such risks are addressed.
Considering unusual or unexpected relationships identified by analytical procedures performed while planning the audit.
Considering whether any fraud risk factors exist.
Considering other information that may be helpful in identifying fraud risk.
Inquiries of Management
The auditor should make the following inquiries of management:
Does management or others within the entity know about actual or suspected fraud?
Have there been any allegations of actual or suspected fraud from employees, former employees, analysts, regulators, short sellers, and others?
Does management understand the entity’s fraud risk, including any identified risk factors or account balances or classes of transactions for which a fraud risk is likely to exist? How does management identify, respond to, and monitor those risks?
What programs and controls does the entity have to help prevent, deter, and detect fraud? How does management monitor such programs?
When there are multiple locations, how are operating locations or business segments monitored? Is fraud more likely to exist at any one of the locations or business segments?
Does management communicate its views on business practices and ethical behavior to employees, and, if so, how?
Has management communicated to those charged with governance how the entity’s internal control prevents, deters, and detects fraud?
(AU-C 240.17–.19)
When evaluating management’s responses to these inquiries, auditors should remember that management is often in the best position to commit fraud. Therefore, the auditor should determine when it is necessary to corroborate those responses with other information. When responses are inconsistent, the auditor should obtain additional audit evidence.
Inquiries of Internal Auditors
The auditor should make the following inquiries of appropriate individuals within the internal audit function:
What are their views on the risk of fraud?