This article lays down the ideal approach to be followed by auditors for identifying fraud and assessing its impact when forming an opinion on the audited financial statements.
Specifically, how SA 315 and SA 330 can be applied to fulfil the objective of this standard is also touched upon in this write-up.
SA 240 deals with the auditor’s responsibilities relating to fraud in an audit of financial statements. It explains how material misstatements in the financials due to fraud can be identified and assessed, and how appropriate procedures to detect them can be implemented.
Auditor’s objectives with respect to the financial statements misstatements are as follows:
1. Management – For the purposes of this SA, references to “management” should be read hereafter as “management and, where appropriate, those charged with governance”.
2. Fraud Risk Factors – Events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
E.g.: grant of a significant bonus when profit targets are not met for a year, or the presence of significant bank accounts in tax-haven countries.
Financial statement misstatements arise from either fraud or error. The difference between fraud and error is that the underlying action in the former is intentional.
The auditor can suspect or identify but does not make legal determinations of whether the fraud has actually occurred.
What are Auditor’s Responsibilities?
Following are the Auditor’s responsibilities here:
- Obtain reasonable assurance that the financial statements are free from material misstatements
- Maintain professional skepticism throughout the audit
- Be aware that the risk of non-detection of management fraud is greater than that of employee fraud
- Be aware that the risk of non-detection of a material misstatement due to fraud is higher than that of a misstatement due to error
Is Auditor responsible for the Prevention and Detection of Fraud?
No. Management, not the auditor, has the primary responsibility for the prevention and detection of fraud. Management should take all necessary steps for fraud prevention and deterrence by implementing policies and controls.
Requirements of Auditor: Collection & Evaluation of Audit Evidence
- Professional Skepticism – The auditor should maintain professional skepticism while performing an audit, and identify any possible material misstatement due to fraud that could exist despite the auditor’s past experience of management’s honesty and integrity.
- The auditor can accept the records and documents as genuine unless there is a reason to believe the contrary, and investigate if required.
- Investigate inconsistent responses from management to the auditor’s inquiries.
- SA 315, which covers the Auditor’s response to assessed risks, requires discussion among the engagement team members and the engagement partner on those matters which are to be communicated to other team members not involved in the discussion.
Risk Assessment Procedures
Following are the Risk assessment procedures to be followed:
1. To obtain information which is used for risk identification, auditors shall:
2. Inquire of management, the internal audit team and those charged with governance whether any instance of actual or alleged fraud has occurred in the past, and obtain their respective views on the risk of fraud.
3. Consider whether any other information obtained indicates the risk of fraud.
4. Evaluate whether any fraud risk factors are present from the information obtained from the assessment.
5. Identify unusual or unexpected relationships while performing analytical procedures and evaluate them to assess the risk of material misstatement due to fraud.
6. Presume that there will be risks in revenue recognition and, based on that, evaluate transactions.
A. To the Risk of Material Misstatement due to fraud
Response to the Assessed Risk of Material Misstatement Due to Fraud
Per SA 330, the auditor is to determine overall responses to address the assessed risk through the following:
- Assign and supervise personnel taking significant engagement responsibilities
- Evaluate whether accounting policies are indicative of fraudulent financial reporting
- Incorporate an element of unpredictability in the audit procedures to be executed
- Presume fraud risk in revenue recognition and management override of controls
B. To the Risk related to Management Overrides of Control
Audit Procedures Responsive to Risk Related to Management Override of Controls:
In order to mitigate the risk of management override of controls, the auditor is to design and perform the following audit procedures:
Evaluation of Audit Evidence
The auditor is to follow these steps with respect to audit evidence:
- Evaluate whether the analytical procedures performed indicate a previously unrecognised risk of material misstatement due to fraud
- On identification of a misstatement, evaluate whether it is indicative of fraud
- In case of a fraudulent misstatement where the auditor believes management is involved, re-evaluate the response to the assessed risk
- If unable to conclude whether the financials are fraudulently misstated, evaluate the implications for the audit
If the fraudulent misstatement prevents the auditor from continuing the audit, then the auditor shall withdraw from the audit if appropriate and report to the person who made the audit appointment.
- On identifying fraud or suspecting that fraud exists, the auditor has to communicate this to the appropriate level of management on a timely basis
- Communicate as appropriate to those charged with governance if the suspected fraud involves management, employees performing internal control or any others
- Determine whether the information about the fraud has to be communicated to a party outside the entity. Here the auditor’s legal responsibility overrides the duty of confidentiality
- Significant decisions taken with respect to the susceptibility of the financial statements to material misstatement due to fraud
- Identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level
- Overall responses to the assessed risks mentioned above
- Conclusions of the audit procedures, including those designed for management override of controls
- Communications made about the fraud to management and others
With regard to SA 240, which lists the auditor’s responsibilities related to fraudulent financial statements, the Satyam Computer case, which came to light in 2008, is a good one to analyse. In this case, even the cash balances in the financials were not real, and income was inflated at a very high rate. If the audit procedures, along with professional judgment, had been properly followed, the manipulated financial statements could have been identified at a much earlier stage. The lesson from this case is the importance of adhering to auditing standards and guidelines.
Effective date: SA 240 is applicable for audits of financial statements for the period beginning on or after April 1, 2009.