ISA 240 (REDRAFTED) AUDITORS AND FRAUD

MARCH 2009
RELEVANT TO ACCA QUALIFICATION PAPERs f8 an d p7
Fraud is a highly controversial area, and the extent
of auditor responsibility for the prevention and
detection of fraud has generated considerable
discussion in recent years. This article aims
to summarise the current extent of auditor
responsibilities for fraud, as per the requirements
of ISA 240 (Redrafted), The Auditor’s
Responsibilities Relating to Fraud in an Audit of
Financial Statements. ISA 240 (Redrafted) was
issued in December 2006 and is effective for
audits of financial statements for periods beginning
on or after 15 December 2008. The International
Auditing and Assurance Standards Board (IAASB)
Clarity Project was launched in 2004 in order
to encourage greater use of its standards and to
facilitate the process of translation of standards
into other languages. ISA 240 is described by
the IAASB Handbook (reference 1) as ‘redrafted’
because it has been revised in the past few years
and is not in need of further revision by the Clarity
Project. As a result, the ‘clarified’ version of ISA
240 is the same as the redrafted version. See the
IAASB Handbook, and the section ‘Background
Information on the Clarity Project of the IAASB’ for
further details (reference 2).
BACKGROUND
The traditional ‘passive philosophy’ towards
auditor responsibility for fraud detection is well
summarised by the Lord Justice Lopes’ ruling, in
the UK, given in the 1896 Kingston Cotton Mill
case (re Kingston Cotton Mill Company (No.2)):
‘An auditor is not bound to be a detective, or
… to approach his work with suspicion, or with
a foregone conclusion that there is something
wrong. He is a watchdog, not a bloodhound.’
(Reference 3). Watchdogs and Bloodhounds
(below) gives formal definitions of a ‘watchdog’
and a ‘bloodhound’.
Clearly, auditing has changed considerably
since 1896, although auditor responsibility for
fraud detection has remained a low priority. We
now consider the requirements of the recently
revised audit standard regarding the role of the
auditor and fraud detection, and then form a
conclusion about the current extent of auditor
responsibility for fraud detection.
THE DIFFERENCE BETWEEN FRAUD
AND ERROR
The key distinguishing factor between fraud
and error is whether the underlying action
that results in a misstatement of the financial
statements is intentional or unintentional. The
term ‘fraud’ is a broad legal concept, but the
auditor is concerned with fraud that causes
a material misstatement in the financial
statements. ISA 240 (Redrafted) defines
fraud as: ‘An intentional act by one or more
individuals among management, those charged
with governance, employees, or third parties,
involving the use of deception to obtain an
unjust or illegal advantage.’ ISA 240 (Redrafted),
paragraph 11.
This article examines the definitions given by International Standard on Auditing (ISA) 240 (Redrafted)
of fraud and error, and the historical expectations of the audit role. It also defines the extent of auditor
responsibilities for the prevention and detection of fraud, including the need for professional skepticism
and discussion among the engagement team. The article then summarises the key risk assessment
procedures required of auditors by ISA 240 (Redrafted), and concludes that the traditional ‘watchdog
not bloodhound’ philosophy regarding the extent of auditor responsibilities for fraud detection is no
longer valid in the context of the requirements of the redrafted ISA.
The two types of fraud most relevant to the
auditor, according to ISA 240 (Redrafted), are
misstatements arising from fraudulent financial
reporting, and misstatements arising from the
misappropriation of assets. By way of contrast to
fraud, the term ‘error’ refers to an unintentional
misstatement in financial statements, including
the omission of an amount or a disclosure.
ISA 240 (Redrafted) says: ‘The distinguishing
factor between fraud and error is whether the
underlying action that results in the misstatement
of the financial statements is intentional or
unintentional.’ ISA 240 (Redrafted), paragraph 2.
The emphasis of this article is on fraud,
because fraud responsibilities are more
controversial than error. Fraud may involve
sophisticated and carefully organised schemes,
designed to conceal fraudulent activity, such
isa 240 (re drafte d),
au ditor s an d frau d –
AND THE END OF WATCHDOGS AND BLOODHOUNDS
WATCHDOGS AND BLOODHOUNDS
The Oxford English Dictionary gives the
following definitions (Reference 4).
A watchdog is defined as ‘A dog kept to guard
private property’, and ‘a person or group that
monitors the practices of companies providing
a particular service or utility’.
A bloodhound is defined as ‘A large hound with
a very keen sense of smell, used in tracking’.
technical
page 51
as forgery,
deliberate failure
to record transactions, or
intentional misrepresentations being
made to the auditor. However, in order to better
understand error, more consideration of internal
control effectiveness is required.
ISA 240 (REDRAFTED) AND RESPONSIBILITIES
FOR FRAUD
ISA 240 (Redrafted) makes it clear who has
the main responsibility for the prevention and
detection of fraud: ‘The primary responsibility
for the prevention and detection of fraud rests
with both those charged with governance of the
entity and management.’ ISA 240 (Redrafted)
paragraph 4.
ISA 240 (Redrafted) also goes on to state,
however, that: ‘An auditor conducting an audit
in accordance with ISAs is responsible for
obtaining reasonable assurance that the financial
statements as a whole are free from material
misstatement, whether caused by fraud or error.’
ISA 240 (Redrafted), paragraph 5.
Hence, both the entity itself and the auditors
have responsibilities for fraud and error. It could
be said that management, and those charged
with governance, have the primary responsibility
for fraud and error, whereas the auditor has a
secondary responsibility. It is important, however,
to ensure that the extent of these secondary
responsibilities are clearly understood, which is the
THIN KIN G PER?
PERFORMANCE OBJECTIVEs 17 AND 18 ARE lin ked TO PAPER f8
area discussed in the rest of
this article.
PROFESSIONAL Skepticism
ISA 200 (Revised and Redrafted), Overall
Objective of the Independent Auditor and the
Conduct of an Audit in Accordance with ISAs,
requires the auditor to maintain an attitude
of professional skepticism: ‘The auditor shall
plan and perform an audit with professional
skepticism, recognising that circumstances
may exist that cause the financial statements to
be materially misstated.’ ISA 200 (Revised and
Redrafted), paragraph 15.
ISA 200 (Revised and Redrafted) describes
professional skepticism as: ‘An attitude that
includes a questioning mind, being alert
to conditions which may indicate possible
misstatement due to error or fraud, and a critical
assessment of audit evidence.’ ISA 200 (Revised
and Redrafted), paragraph 13 (l).
ISA 240 (Redrafted) further requires that: ‘The
auditor is responsible for maintaining an attitude
of professional skepticism throughout the audit.’
ISA 240 (Redrafted), paragraph 8.
Professional skepticism is of key importance
to the audit, for example requiring auditors to be
alert to:
audit evidence contradicting other
evidence
information questioning evidence reliability
conditions that may indicate possible fraud
circumstances that suggest the need for audit
procedures in addition to those required by
the ISAs.
DISCUSSION AMONG THE ENGAGEMENT TEAM
ISA 240 (Redrafted) refers to the requirement in
ISA 315 (Redrafted), Identifying and Assessing
the Risks of Material Misstatement Through
Understanding the Entity and its Environment,
that members of the engagement team discuss the
susceptibility of the entity’s financial statements
to material misstatement due to fraud. ISA 240
(Redrafted) requires that: ‘This discussion shall
place particular emphasis on how and where the
entity’s financial statements may be susceptible
to material misstatement due to fraud, including
how fraud might occur.’ ISA 240 (Redrafted),
paragraph 15.
Ordinarily, the key members of the engagement
team should be involved in the discussion, and the
engagement partner should then consider which
matters are to be communicated to those in the
team not involved in the discussion. Discussion is
expected to occur with a questioning mind, setting
aside any beliefs held by the engagement team
members that the management and those charged
with governance are honest and have integrity.
Interestingly, this discussion is also expected
to include a consideration of how an element
of unpredictability will be incorporated into the
nature, timing, and extent of the audit procedures
to be performed.
technical
page 52
student accountANT
MARCH 2009
ISA 240 (REDRAFTED) RISK
ASSESSMENT PROCEDURES
ISA 240 (Redrafted) requires that the auditor
performs risk assessment procedures to
obtain information for use in identifying the
risks of material misstatement due to fraud.
Paragraphs 17 to 24 of ISA 240 (Redrafted)
outline the required risk assessment
procedures, which are summarised in the
Risk Assessment Procedures box (left).
CONCLUSION
The redrafting of ISA 240 has allowed for
a timely review of audit responsibilities
relating to fraud. It should be noted, however,
that there are minor differences of emphasis
between the requirements of ISA 240 (Redrafted)
and the current requirements of ISA (UK and
Ireland) 240 The Auditor’s Responsibility
to Consider Fraud in an Audit of Financial
Statements, which became effective for periods
commencing on or after 15 December 2004.
According to ISA 240 (Redrafted) the difference
between fraud and error depends upon whether
deception has been used, and the distinction
between the responsibilities of those charged
with governance and auditors for fraud prevention
can be described respectively as primary and
secondary responsibilities. Auditors are required,
however, to maintain an attitude of professional
skepticism throughout the audit, and members
of the audit engagement team are required to
discuss the susceptibility of the entity’s financial
statements to material misstatement due to fraud.
ISA 240 (Redrafted) requires auditors to
perform risk assessment procedures to obtain
information for use in identifying the risks of
material misstatement due to fraud.
Finally, it can be concluded that to describe
the audit role as that of a ‘watchdog, not a
bloodhound‘ is no longer valid in the context of
the requirements of the redrafted and revised
ISAs; these negate the traditional ‘passive
philosophy’ towards auditor responsibility
for fraud detection, marking a significant shift
away from a ‘monitoring’ role and towards the
requirement for a very keen ‘sense of smell’.
REFERENCES
1 Handbook of International Auditing, Assurance,
and Ethics Pronouncements, Part II, IAASB,
2008 Edition.
2 Background Information on the Clarity Project of
the International Auditing and Assurance Standard
Board, 2008 Edition, pages 1 to 4, in Part II of
Handbook of International Auditing, Assurance,
and Ethics Pronouncements, IAASB, 2008 Edition.
3 Lord Justice Lopes, The Law Times, Volume LXXIV,
Court of Appeal, 11 July 1896, quoted in Sarup
D, Watchdog or Bloodhound? The Push and Pull
Towards a New Audit Model, Information Systems
Control Journal, Volume 1, 2004.
4 Oxford English Dictionary, www.askoxford.com
Martyn Jones is assessor for Paper F8
RISK ASSESSMENT PROCEDURES
Paragraphs 17 to 24 of ISA 240
(Redrafted) detail the required
audit risk assessment procedures
and related activities, summarised
as follows:
1 Enquiries
(i) The auditor should inquire
about management’s own
assessments of the risks of fraud,
the process used for identifying
and responding to the risks
of fraud, and management’s
communication to those charged
with governance regarding its
processes for identifying and
responding to the risks of fraud.
(ii) The auditor should also make
inquiries of management to
determine whether they have any
knowledge of fraud.
(iii) The auditor should also make
inquiries of internal audit (where
there exists an internal function)
to determine whether it has any
knowledge of fraud.
2 Oversight role of those charged
with governance
The auditor should obtain an
understanding of how those charged
with governance exercise oversight
of the management process for
identifying and responding to the
risks of fraud, and whether those
charged with governance have
any knowledge of fraud affecting
the entity.
3 Evaluate unusual or
unexpected relationships
The auditor should evaluate whether
unusual or unexpected relationships
identified when performing analytical
procedures may indicate risks of
material misstatement due to fraud.
4 Consider other information
The auditor should consider whether
other information obtained potentially
indicates risks of fraud.
5 Evaluation of other risk
assessment procedures
The auditor should evaluate whether
the information obtained from the
other risk assessment procedures and
related activities performed indicates
that one or more fraud risk factors
are present.