240

THE AUDITOR’S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS– ISA240

1. Introduction

Scope:

Consider the risk of fraud in financial statements: in planning and performing the audit to reduce risk to acceptably low level

Characteristics of Fraud:Error : Unintentional

Mistake in gathering or processing data Incorrect accounting estimate Mistake in the application of accounting principles

Fraud : Intentional Fraud involves the use of deception to obtain an unjust or illegal advantage. Auditor is concerned with fraud which results in misstatement in financial statements.3 Areas:

Accounting records or supporting documentation Events, transactions or other significant information Accounting principles

Management fraud: involving one or more member of managementEmployee fraud: involving only employeesIntentional misstatements: relevant for auditor are misstatements from: financial reporting misappropriation of assets

Fraudulent financial reporting often involves management override of controls that appear to be operating effectively and it may be accomplished by the following:

Manipulation, falsification (including forgery), or alteration Misrepresentation in, or intentional omission from, the financial statements of events, transactions or other

significant information Intentional misapplication of accounting principles

Techniques may include: fictitious journal entries change in estimation omitting, advancing or delaying recognition of events concealing facts to be disclosed engaging in complex transactions altering records

Misappropriation of assets can be made in any of the following ways: embezzling receipts stealing physical assets or intellectual property causing entity to pay for goods or services not to be received using entity’s assets for personal useFraud involves: incentive or pressure to commit fraud (e.g. persons living beyond their means, performance pressures) perceived opportunity (when internal controls can be overridden, an individual is in a position of trust of has

knowledge of weakness)

of 8


rationalization (good reason / explanation) of the actResponsibility for the Prevention and Detection of FraudPrimary responsibility for prevention and detection rests with both TCWG and with management.

Strong emphasis on fraud prevention and deterrence may be placed through culture of honesty and ethical behavior

Responsibilities of the Auditor

Risk of not detecting a fraud is higher than that of error because fraud may involve sophisticated and carefully organized schemes to conceal it. Collusion may cause the auditor to believe that evidence is persuasive when in fact it is false.

It is difficult to distinguish between fraud or error in case of misstatement in accounting estimates.Risk of non detection of management fraud is higher than employee fraud.Subsequent discovery of financial material misstatement does not itself indicate a failure to comply with ISAs.Remain skeptic, consider the potential of management override, Recognize that procedures effective for error may not be effective for fraud.

2. Objectives

(a) To identify and assess the risks of material misstatement of the financial statements due to fraud;(b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and(c) To respond appropriately to fraud or suspected fraud identified during the audit.

Consider Risk Respond Design Procedures

3. DefinitionsFraud – An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

4. Requirements

4.1 Professional Skepticism:Auditor should maintain an attitude of professional skepticism irrespective (although it can not be disregarded fully) of auditor’s past experience about the honesty and integrity of management and TCWG.

Authentication/Completeness of evidence Generally accept as genuine

Reason to believe of the contrary Investigate, further procedures

4.2 Discussion Among the Engagement Team:Members of the team should discuss the susceptibility of the fraud. Discussion includes the engagement partner who uses professional judgment, past experience and knowledge of current developments.

Ordinarily, discussion involves the key members. Engagement partner should consider which matters are to be communicated to members of the members not involved in the discussion.

Opportunity to share insight Enables consider responses and responsibilities

Permits planning of sharing results and dealing with fraud allegations Discussion ordinarily includes:

1. exchange of ideas about how financial statements may be susceptible to fraud, how management could perpetrate and conceal fraud

of 8


2. consideration of circumstances indicative of fraud3. consideration of internal and external factors4. consideration of management’s involvement5. consideration of unusual or unexplained changes in behavior or lifestyles6. An emphasis on maintaining professional state of mind7. consideration of type of circumstances8. consideration of element of unpredictability in audit procedures9. consideration of audit procedures in response to risks10. consideration of allegations of fraud11. consideration of risk of override of controls

After the initial discussion team members should continue to communicate and share information obtained that may affect the assessment of fraud.

4.3 Risk Assessment Procedures and related activities:

To obtain an understanding of the entity and its environment including internal control, the auditor performs risk assessment procedures. Following procedures are used to identify the risk of fraud;

a) management and others within the entityb) TCWGc) consider any unusual or unexpected relationshipsd) consider other informatione) consider fraud risk factors

(a) management and others within the entity:

When obtaining an understanding of the entity and its environment including internal control, auditor should make inquiries of management regarding: Management’s assessment of the fraud risk Management’s process for identifying and responding to fraud risk including specific risks that management

has identified Management’s communication to TCWG regarding its process for identifying and responding to the risks Management’s communication to employees regarding its views on business practices and ethical behavior

Nature, extent and frequency of management’s assessment are relevant to the auditor’s understanding of control environment. Auditor inquires about process to respond to internal and external allegations of fraud. For entities with multiple locations, auditor inquires about particular operating locations with more risk of fraud.Auditor should make inquiries of the following (within the entity) to determine whether they have knowledge of any actual, suspected or alleged fraud: Management internal audit others within the entity (identified through professional judgment)

Discussion with internal audit personnel involves: whether they have performed any procedures to identify fraud whether management has made satisfactory response to the findingsOthers within the entity may include: operating personnel not involved in reporting employees with different level of authority employees dealing with complex transactions in-house legal department Chief ethics officer persons charged with dealing with fraud

of 8


(b) Those Charged With Governance

Auditor should obtain an understanding of how TCWG exercise oversight of management’s process for identifying and responding to the risks of fraud and internal control that management has established.

The auditor should make inquiries of those charged with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity.

Understanding of may be obtained by: attending meetings where such discussions take place reading the minutes from such meetings making inquiries

(c) Unusual or unexpected relationship identified:When performing analytical procedures the auditor should consider unusual or unexpected relationships that may indicate risk of fraud, including those related to revenue accounts.

(d) Other information:When obtaining an understanding, auditor should consider whether other information obtained indicates risks of fraud. Other information may come from client acceptance and retention process, experience gained on other engagements performed for the entity.

(e) Evaluation of Fraud Risk Factors (FRF):When obtaining an understanding of the entity and its environment, auditor should consider whether information obtained indicates one or more FRF are present.FRFs may not necessarily indicate the risk of fraud infact they have often been present in circumstances where frauds have occurred.These illustrative risk factors are classified based on the three conditions that are generally present when fraud exists

• An incentive or pressure to commit fraud;• A perceived opportunity to commit fraud; and

• An ability to rationalize the fraudulent action.FRFs can not be ranked in order of importance. Auditor exercises professional judgment in determining whether a FRF is present and whether it is to be considered in assessing the risks of material misstatement. The size, complexity and ownership characteristics of the entity have a significant influence on the consideration of relevant FRFs. For example, in case of a large entity, the auditor considers factors that generally constrain improper conduct by the management such as effectiveness of TCWG and internal audit, existence and enforcement of formal code of conduct.

Please refer Appendix 1 for fraud risk factors

4.4 Identification and Assessment of the Risks of Material Misstatement Due to Fraud:

When identifying and assessing the risks of material misstatement at the financial statement level and at the assertion level, the auditor should identify and assess the risks of fraud.

Risks of Fraud in Revenue Recognition: Auditor ordinarily presumes that there are risks of fraud in revenue recognition. If the auditor has not identified revenue recognition as a risk of fraud, the auditor documents the reasons supporting the auditor’s conclusion.Premature revenue recognition, recording fictitious revenues or shifting revenues to a later period. Higher risk in listed entities, cash revenue entities.

of 8


It is important for the auditor to obtain an understanding of the controls that management has designed and implement to prevent and detect fraud because in designing and implementing such controls, management may make informed judgments on the nature and extent of the controls it chooses to assume. Management may consciously choose to accept the risk by not implementing a control.

4.5 Responses to the Risks of Material Misstatement Due to Fraud:Auditor should determine overall response to address the assessed risks of fraud at the financial statement level and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks at the assertion level. Auditor’s responds in the following way: response that has an overall effect response to identified risks at assertion level response to identified risks involving management override of controlsResponse to address the assessed risks may affect the auditor’s professional skepticism in the following ways:

Overall Response: increased sensitivity in selection of nature, timing and extent of documentation to be examined in support of

material transaction increased recognition of the need to corroborate management explanations or representation concerning

material matters

In determining overall response the auditor should: consider the assignment and supervision of personnel (knowledge, skill and ability of the personnel are

considered. Even such as forensic and IT experts may assigned) consider the accounting policies used by the entity (consider selection and application of the policies particularly

those related to subjective measurement and complex transactions) incorporate an element of unpredictability in the selection of the nature, timing and extent of the audit

procedures

Audit Procedures Responsive to Risks of Material Misstatement Due to Fraud at the Assertion LevelSuch response may include changing the nature, timing and extent of audit procedures in the following ways: Nature of audit procedures may need to be changed to obtain evidence that is more reliable and relevant or to

obtain additional corroborative information. This may affect both type and combination of the procedures. Timing of substantive procedures may need to be modified Extent of the procedures reflects the assessment of the risk of fraud (e.g. increasing sample sizes or performing

analytical procedures at a more detailed level.(Examples of procedures in Appendix 2)

Audit Procedures Responsive to Management Override of ControlsTo respond to risk of override of controls, the auditor should design and perform audit procedures to: Test the appropriateness of journal entries and other adjustments Review accounting estimates for biases Obtain an understanding of the business rationale of significant transactions that the auditor becomes aware of

that outside of the normal course of the business or otherwise appear to be an unusuala. Journal Entries and Other AdjustmentsIn designing and performing audit procedures to test the appropriateness of journal entries and other adjustments made, the auditor:

making inquiries of individuals involved in financial reporting process about inappropriate or unusual activity relating to processing of journal entries and other adjustments

of 8


select journal entries at the end of the reporting period Consider the need to test journal entries and other adjustments throughout the period.

For the purpose of identifying and selecting journal entries and other adjustments for testing and determining the appropriate method of examining the underlying support, the auditor considers the following: The assessment of fraud – the presence of FRF and other information obtained may assist to identify specific class

of journal entries and other adjustments Controls that have been implemented over journal entries and other adjustments – effective controls may reduce

the extent of substantive testing necessary The entity’s financial reporting process and nature of evidence that can be obtained – when IT is used in the

financial reporting process, journal entries and other adjustments may exist only in electronic form The characteristics of fraudulent entries or other adjustments – inappropriate journal entries normally have

following characteristics:O made to unrelated, unusual or seldom used accountsO made by individuals who typically do not made these entriesO recorded at the end of the period or post closing entries having little or no explanation or descriptionO made either before or during the preparation of financial statements that do not have account numbersO containing round numbers or consistent ending numbers

The nature and complexity of the accounts – inappropriate journal entries or adjustments may be applied to the accounts that:o contain complex or unusual transactionso contain significant estimates or prior year adjustmentso have been prone to misstatements in the pasto have not been reconciled on a timely basis or contain un reconciled differenceso contain inter company transactionso are otherwise associated with an identified risk

Journal entries or adjustments outside the normal course of the business – non standard journal entries may not be subject to the same level of internal control

b. Accounting EstimatesIn reviewing accounting estimates for biases, the auditor: considers whether differences between estimates best supported by audit evidence and the estimates reported

indicate a possible bias on the part of management performs a retrospective review of management judgments and assumptions related to significant estimates

reported last year (also required by ISA 540)If the auditor identifies possible bias, the auditor evaluates whether the circumstances producing such a bias represent a risk of fraud.

c. Business Rationale for Significant TransactionsAuditor obtains an understanding of the business rationale of business rationale for significant transactions that are outside the normal course of the business or that otherwise appear to be unusual. In gaining such understanding the auditor considers the following: whether the form of the transaction appears overly complex whether there is adequate documentation whether management has discussed the nature and accounting treatment with TCWG whether management is placing more emphasis on need for particular treatment whether the transaction that involve non-consolidated related parties have been approved by TCWG whether the transaction involves previously unidentified related parties that do not have substance or financial

strength to support transaction without assistance of the entity

of 8


4.6 Evaluation of Audit Evidence:Based on the audit procedures performed and the audit evidence obtained, the auditor evaluates whether the assessment of the risks at the assertion level remain appropriate.

Auditor should consider whether analytical procedures that are performed at or near the end of the audit when forming an overall conclusion, indicate a previously unrecognized risk due to fraud. Determining which particular trend or relationship indicates the risk of fraud, requires professional judgment.

When the auditor identifies a misstatement, the auditor should consider whether such may be indicative of fraud and if there is such an indication, the auditor should consider implication to other aspects of the audit, particularly reliability of management’s representation.

Auditor can not assume that the instance of fraud is an isolated occurrence. If the auditor believes that a misstatement is or may be the result of fraud, but the effect of misstatement is

not material, the auditor evaluates the implications, especially those dealing with the organizational position of the individuals involved.

When the auditor confirms that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the auditor should consider the implications for the audit.

4.7 Auditor Unable to Continue to Engagement:If as a result of misstatement resulting from fraud, the auditors encounters exceptional circumstances that bring into question the auditor’s ability to continue performing the audit the auditor should: consider the professional and legal responsibilities applicable whether there is a requirement for auditor to

report to persons who made the appointment or to regulatory authorities. consider the possibility of withdrawing if the auditor withdraws:

o discuss with appropriate level of management and TCWG the reasons of withdrawalo consider whether there is a professional or legal requirement to report to persons who made the

appointment or to regulatory authorities

Exceptional circumstances: management doesn’t take action, risk of material and pervasive fraud, significant concern about the competence or integrity.

Auditor may consider it appropriate to seek legal advice.4.8 Written Representations:Auditor should obtain written representation from management that: they acknowledge their responsibility for the design and implementation of the internal control they have disclosed to auditor (as a result of assessment) that financial statements may be materially misstated

as a result of fraud they have disclosed to the auditor its knowledge of fraud or suspected fraud affecting the entity involving:

o managemento employees (having significant roles in internal control)o others (where fraud could have material effect)

they have disclosed to auditor its knowledge of any allegations of fraud or suspected fraud communicated by current or former employees, analysts, regulators or others.

4.9 Communication with Management and TCWG:If the auditor has identified a fraud or has obtained information that indicates a fraud may exist, the auditor should communicate these matters as soon as practicable to the appropriate level of management. This is so even if the matter might be considered inconsequential (e.g. minor defalcation by an employee at lower level).

of 8


The determination of which level of management to communicate is the appropriate one is a matter of professional judgment and is affected by factors such as: likelihood of collusion nature and magnitude of suspected fraudIf the auditor has identified fraud involving: management employees (having significant roles in internal control) others (where fraud could have material effect)the auditor should communicate these matters to TCWG as soon as practicable. Such communication may be made orally or in writing depending on the significance.If the integrity or honesty of the management or TCWG is doubted, the auditor considers seeking legal advice.

The auditor should make TCWG and management aware, as soon as practicable, and at the appropriate level of responsibility, of material weaknesses in the design or implementation of internal control which may have come to the auditor’s attention.Auditor should consider whether there are any other matters to be discussed with the TCWG. (Controls over frauds, management’s inadequate responses, control environment, management’s actions indicative of fraud, authorizations of unusual transactions)

4.10 Communication Regulatory and Enforcement Authorities:Auditor’s professional duty to maintain confidentiality may preclude reporting fraud to a party outside the client entity. The auditor considers obtaining legal advice to determine the appropriate course of action.

4.11 Documentation:Documentation of the auditor’s understanding and the assessment of the risks of fraud should include: significant decisions reached during the discussion among the team regarding susceptibility of financial

statements to fraud identified and assessed risks of fraud at the financial statement level and at assertion level

Documentation of the auditor’s responses to the assessed risks of material misstatement should include: overall response to the assessed risks at financial statement level and the nature, timing and extent of audit

procedures, and the linkage of those procedures with the assessed risks at the assertion level Results of the audit procedures, including those designed to address the risk of management override of controlsThe auditor should document communication about fraud to management, TCWG, regulators and others.When the auditor has concluded that the presumption that there is a risk of fraud related to revenue recognition is not applicable, the auditor should document the reasons for that conclusion.

of 8

240

Documents

Transcript of 240