Fraud is something of a hot topic in the audit realm at present, although an argument could be made it should always be a hot topic.
It should be no surprise then, that the International Standard on Auditing covering the auditor’s responsibilities relating to fraud was revised two years ago.
This change is actually relevant right now, because the amended standard only came into force for audits of financial statements where the period commenced 15 December 2021 or later. Ignoring short periods, the earliest financial statements where the new standard is relevant are therefore those covering the year ended 31 December 2022.
Background – types of fraud
The term “fraud” itself can mean a variety of different actions in practice, but fundamentally it means a deliberate action which results in an entity’s financial statements being misstated.
In an auditing context there are two main types of fraud – fraudulent financial reporting and misappropriation of assets.
Both types of fraud can occur with or without collusion. Generally, although not always, fraud involving collusion is harder to detect.
Looking in more detail into the types of fraud which can occur, these can be further divided into two categories, being fraud perpetrated by people outside the business and fraud involving deliberate acts by people inside the business.
Fraud leading to business failure or significant losses tends to be orchestrated by people working within the business.
For example manipulating revenue recognition policies in order to inflate results, or using off-balance sheet entities which are not consolidated into a business and obscure the true cash position by hiding debts.
At a lower level internally, fraud can involve simple theft, such as employees removing stock and selling it themselves, or creating fake invoices or fake employees and transferring funds to themselves.
Another type of fraud, which is on the rise, involves third parties duping staff into making incorrect bank transfers.
How fraud occurs
Generally, fraud can be said to occur due to a lack of appropriate controls, or a failure in existing controls being exploited.
The importance of appropriate controls (and indeed strong corporate governance) cannot be overstated when it comes to tackling fraud.
It is very easy for a lax control environment to arise if, for example, a business goes through a period of sudden growth and the control environment is not upgraded to keep up with the increased volume and/or complexity of transactions.
The attitude to controls within a business can also give rise to an environment where fraud is enabled; this is generally where a failure of existing controls can occur.
The most common situations where this happens are where either the control involves “checking” and the person carrying out the check does not actually do it or does so in a cursory fashion, or where a trusted employee is allowed to override controls repeatedly.
The auditor’s responsibilities relating to fraud
So where does the auditor stand when it comes to combatting fraud? It is important to note that it is not the auditor’s function to prevent or detect fraud (that is the Directors’ responsibility).
The auditor’s responsibility in relation to fraud is to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement due to fraud, including identifying and assessing risks of material misstatement and obtaining sufficient appropriate audit evidence.
Changes included in the new standard
According to the Institute of Chartered Accountants in England and Wales (ICAEW), the focus of the changes to the standard is on the “mindset” of the auditor, regarding scepticism and judgement.
There is a new requirement to consider what specialist knowledge they may need in order to carry out an effective risk assessment, particularly if there are indicators of fraud in an audit.
There are now specific provisions stating that an auditor must design and perform further audit procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.
In common with other recent changes to auditing standards (see our article on ISA 315 risk assessments) there is now also a “stand back” requirement, in this case to evaluate whether sufficient appropriate audit evidence has been obtained, regarding the assessed risks of material misstatement due to fraud and whether the financial statements are materially misstated as a result of fraud.
The revisions to ISA 240 tie in with the amendments to ISA 700 in recent years, which requires the audit report to explain the extent to which the audit was considered capable of detecting irregularities including fraud.
Whilst there are some new requirements in the auditing standard (the stand back provision, for example, is new) the main thrust of the changes is a renewed focus on professional scepticism, and the auditor’s mindset, rather than widening the scope of the standard.