The Auditor and Fraud
Fraud has become a major issue within the accountancy profession over recent years and the accounting and audit profession has suffered a significant amount of embarrassment because of the failings whereby audit firms have either overlooked or ‘turned a blind eye’ to fraud.
This article considers the technical aspects of ISA 240 ‘The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements’. The article is written from the perspective of a smaller audit client and aims to outline what smaller audit firms need to consider when looking at fraud issues and what they have to do if they discover a fraud. Further on, the article illustrates a fraud committed at an audit client and considers other ISAs which may need to be considered in the area of fraud.
Prior to international standards, fraud was dealt with in SAS 110 ‘Fraud and Error’. The international regime has dropped ‘error’ in the title of the standard and ‘fraud’ is dealt with in ISA 240. At the outset it is important to understand what determines ‘fraud’ and what gives rise to ‘error’.
ISA 240 defines fraud as:
“an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage”.
Error, on the other hand, is defined as:
“an unintentional misstatement in the financial statements including the omission of an amount or disclosure”.
Misstatements within the financial statements can therefore be derived from either ‘fraud’ or ‘error’ and the auditor needs to be extremely careful to ensure that the misstatement is correctly classified.
In terms of audit, fraud is sub-divided into two further categories. There is ‘management fraud’, which refers to fraud involving one or more members of management or those charged with governance, and there is ‘employee fraud’, where the fraud is committed by non-management. In addition, there is also what is termed ‘manipulation of the financial statements’. This is where the financial statements are deliberately amended to achieve a higher or lower earnings level than has actually occurred or maybe to reduce gearing levels in order to comply with loan covenants imposed by financiers.
In terms of management fraud, this involves (primarily) overriding internal controls. The actual amounts involved could be substantial and auditors need to consider this carefully. Conversely, employee fraud (primarily) involves the misappropriation of company assets whether it is stock or cash. In contrast to management fraud, whereby management override the internal controls, employees will exploit weaknesses in the internal control environment. The amounts involved in employee fraud can be anything from small to substantial.
ISA 240 states that auditors need to suspect fraud at the planning stage and essentially confirm that fraud has not been committed by virtue of their audit work. From a smaller audit perspective, how can this be achieved? In essence, ISA 240 states that auditors must:
- discuss fraud risk and incidence with management and those charged with governance (auditors need to document this discussion on the file as part of the planning);
- discuss with the engagement team how the financial statements may be susceptible to material misstatement whether caused by fraud or error;
- consider whether one or more fraud risk factors are present;
- perform audit procedures to test the appropriateness of journal entries, test the risk of management override of internal controls, review accounting estimates and their appropriateness (see also ISA 540 ‘Auditing Accounting Estimates’) and understand the business rationale for significant transactions outside the normal course of business;
- obtain specific representations from management including its assessment of the risk of fraud; and
- consider the implications under the Money Laundering Regulations.
Prior to the international regime of auditing, under SAS 110 ‘Fraud and Error’ if our audit work revealed discrepancies then we would increase our substantive testing accordingly. ISA 240 works on the basis that we have to suspect fraud at the outset of the audit and reduce that expectation, by virtue of our audit work, to an acceptable level. The term ‘guilty until proven innocent’ is what the ISA is suggesting. It is important to point out that the auditor’s responsibility is not to detect fraud – the responsibility of preventing and detecting a fraud rests with the client.
Audits are not designed to confirm to the user of the financial statements that the accounts are 100% accurate – this is simply not possible. Fraud, by its very nature, can be extremely difficult to detect and it could be the case that the audit may not reveal a fraud. Clients can sometimes be under the illusion that if an unqualified opinion is issued on the financial statements, then this means they are 100% accurate and their systems are totally robust – this is not necessarily the case. Firms should therefore ensure that their letters of engagement emphasise that the nature of the audit is such that a material misstatement may not be revealed during the audit. However, this is not designed as a ‘get out of jail’ card for not doing appropriate audit testing in terms of fraud. Audit firms must ensure that their audit work supports the opinion they give on the financial statements and an efficient audit would normally detect a material misstatement whether caused by fraud or error.
The following illustration will help show what the auditor has to do in terms of ISA 240 and the instance of fraud.
Illustration
We are undertaking the audit of Company A Limited for the year ended 31 March 2008. Company A operates a highly successful retail clothing business in a very busy town centre location and is largely cash-based. The audit firm have audited the client for the last five years and the client has relatively simple internal controls which have always operated effectively. The integrity of the management has never been brought into question. Cash is reconciled on a daily basis and passed to the accounts office cashier for subsequent recording in the bookkeeping system and banking. One person is employed in the accounts department whereas in previous years two have always been employed.
The audit senior is undertaking the audit of the cash takings for the year which contribute significantly to the company’s turnover for the year. During the course of reperforming the cash reconciliation in the sample, it transpired that there was a significant difference between the cash that has been taken from till sales and the cash that has been banked in the same sample. The senior has therefore increased the sample accordingly and has confirmed that in the increased sample, discrepancies in the region of £25,000 have been discovered. The senior has also discovered that the cash sheets have been amended by the cashier and the explanations she has given are “they are ‘over rings’ on the till”. The planning section of the audit file (which is up to date) suggests that any ‘over rings’ on the till are corrected and reviewed by a Director. There is no evidence that this authorisation/review has been sought and this suggests that the apparent ‘over rings’ have not, in fact, occurred.
The audit senior also noticed that the cashier drives a brand new Porsche. Having undertaken the wages audit, the cashier’s annual salary is £20,000 per annum and she has been telling the audit senior about her forthcoming three-week cruise around the Caribbean and how much she is looking forward to it as she has recently redecorated her (recently purchased) three-bedroom detached house. The audit senior has questioned the marital status of the cashier and it turns out that she is single and not in a relationship.
Further investigation by the senior and the audit manager strongly suggests that a fraud has been committed. It appears the cashier has been stealing cash from the takings on a daily basis and amending the cash sheets to read what has been banked, as opposed to the actual takings in an attempt to cover up the fraud. It would appear she has committed this fraud to finance her lavish lifestyle. The fact that she is single and is not in a relationship immediately eradicates the question of whether her husband/partner has a high income level, which would support that sort of lifestyle.
Under ISA 260 ‘Communication of Audit Matters to those Charged with Governance’ the auditor must go to the directors/those charged with governance and inform them of the situation as soon as is reasonably practical. The auditor must also consider the appropriate means of communicating the fraud to the directors – either orally or in writing. Firms at the smaller end of the scale may find it more appropriate to confirm both orally and in writing. If the firm communicates orally, then they should document this discussion in the audit file.
The auditor must be absolutely certain that a fraud has been committed. If it was a genuine error or multiple errors throughout the year, then this may not be a fraud – it could just be weaknesses in internal controls which should be notified to those charged with governance in the form of a management letter. Therefore, the correct classification of ‘fraud’ or ‘error’ is crucial.
In the example above there is a mix of issues. The first is clearly the fraud. The audit senior had noticed that the lifestyle of the cashier is far too extravagant and that her annual salary would not normally allow for such a lifestyle. The senior was right to question her lifestyle and her marital status because this has made the senior ask the question “how can she afford a brand new Porsche, a new house and an expensive holiday?” This is a clear indication that fraud may be being committed. The difficulty arises because we are not auditing the employee, we are auditing the company and an employee’s financial circumstances are not normally questioned – in this example, however, the audit senior was right to question the employee’s personal financial circumstances. It could be that in the illustration above, the employee may have received a windfall of cash, or inherited a rich aunt’s fortune which would have allowed for such a lifestyle – however for the purposes of this article, we shall assume that the only income the cashier has is her annual salary.
Secondly there has been a failing in the internal controls. The cashier has identified and exploited a weakness in the internal controls – the weakness being a lack of segregation of duties in terms of the banking arrangements of the company. Ideally, one person should be reconciling the cash taken on a daily basis, another person should have been recording the cash in the company’s books and another individual should have been banking the cash. The fact that one individual records and banks the cash is thus a failing in the company’s internal controls and the audit firm needs to raise this issue by way of management letter.
If the fraud in the example above had been committed by a Director, this would have given rise to (a) management override of internal controls and, maybe, (b) a weakness within the internal controls. If the integrity of an audit client’s management is brought into question (i.e. a management fraud has been committed), then auditors need to tread very carefully.
Firstly, the auditor must seek legal advice to determine the most appropriate course of action. If, as a result of exceptional circumstances, the auditor is forced to consider their ability to continue performing the audit, ISA 240 states that the auditor must:
- consider the professional and legal responsibilities applicable in the circumstances, including whether there is a requirement for the auditor to report the person(s) who made the audit appointment to regulatory authorities;
- consider the possibility of withdrawing from the engagement; and
- if the auditor withdraws from the engagement they must discuss their reasons with management and those charged with governance and consider whether there is a professional obligation to report the person(s) who made the engagement to regulatory authorities.
In terms of actual audit work to address the risk of fraud, then the auditor should look at ISA 330 ‘The Auditor’s Procedures in Response to Assessed Risks’. This ISA states that the auditor should:
- consider the assignment and supervision of personnel;
- consider the accounting policies used by the entity; and
- incorporate an element of unpredictability in the nature, timing and extent of audit procedures.
There are lots of ways in which fraud can be committed at both management level and employee level and auditors sometimes need to think like a fraudster! Some common indicators of fraud are as follows:
- employees not taking holidays;
- external pressures from outside entities, for example, the bank may have loan covenants and the audit client is struggling to prevent breaches of the covenants;
- threatening or intimidating management;
- a history of dishonesty with those charged with governance;
- management override of internal controls. Examples of these are fictitious journals (especially towards the year end), inappropriately adjusting assumptions and judgements and omitting or delaying events that have occurred during the accounting period;
- a high standard of living (as in the example above) where a salary or package would not normally allow such a high standard of living;
- unusual characteristics within the financial statements (the use of analytical review may identify such characteristics); and
- a lack of segregation of duties (as in the example above).
Those are just some of the most common indicators of fraud. There are others and auditors should use their judgements accordingly.
Applicable Auditing Standards that link to Fraud
- ISA 240 The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements.
- ISA 260 Communication of Audit Matters to those Charged with Governance.
- ISA 315 Obtaining an Understanding of the Entity and the Environment in which it Operates.
- ISA 330 The Auditor’s Procedures in Response to Assessed Risks.
- ISA 520 Analytical Procedures.
- ISA 540 Auditing Accounting Estimates.
Conclusion
Fraud is a subject that is often ‘brushed under the carpet’ because auditors do not like discussing such issues with their client. It can be very awkward discussing fraudulent activity with clients and, in some circumstances, clients can take offence! However, ISA 240 does stipulate that professional scepticism must be adopted in all audits, whether the firm has acted for the client for ten years or has just been appointed.
In the event that auditors discover a fraud, then they should (in all circumstances) consult the provisions of ISA 240 and ISA 260. Where the integrity of those charged with governance is brought into doubt the auditor should seek legal advice.
Steve Collings is Audit Manager at Leavitt Walmsley Associates