Read the book Wiley Practitioner's Guide to GAAS 2017 - Flood Joanne M. - Page 21

AU-C 240 CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT
Requirements


Description and Characteristics of Fraud

Although fraud is a broad legal concept, the auditor's interest specifically relates to fraudulent acts that cause a material misstatement of financial statements. Two types of misstatements are relevant to the auditor's consideration in a financial statement audit.

1. Misstatements arising from fraudulent financial reporting

NOTE: Fraudulent financial reporting does not need to involve a grand plan or conspiracy. Management may rationalize that a misstatement is appropriate because it is an aggressive interpretation of accounting rules, or that it is a temporary misstatement that will be corrected later.

2. Misstatements arising from misappropriation of assets

(AU-C 240.02-.03)

Fraudulent financial reporting and misappropriation of assets differ in that fraudulent financial reporting is committed, usually by management, to deceive financial statement users, whereas misappropriation of assets is committed against an entity, most often by employees.

Fraud generally involves the following three conditions:

1. A pressure or an incentive to commit fraud

2. A perceived opportunity to do so

3. Rationalization of the fraud by the individual(s) committing it

(AU-C 240.A1)

However, not all three conditions must be observed to conclude that there is an identified risk. It is particularly difficult to observe that the correct environment for rationalizing fraud is present.

The auditor should be aware that the presence of each of the three conditions may vary, and is influenced by factors such as the size, complexity, and ownership of the entity. These three conditions usually are present for both types of fraud.

The auditor should also be alert to the fact that fraudulent financial reporting often involves the override of controls, and that management's override of controls can occur in unpredictable ways. Also, fraud may be concealed through collusion, making it particularly difficult to detect.

Although fraud usually is concealed, the presence of risk factors or other conditions may alert the auditor to its possible existence.

Basic Requirement

In every audit, the auditor is obligated to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or by fraud. (AU-C 240.05)

Professional Skepticism

As defined in AU-C Section 200, professional skepticism is an attitude that includes a questioning mind and critical assessment of audit evidence. The auditor should conduct the entire engagement with an attitude of professional skepticism, recognizing that fraud could be present, regardless of past experience with the entity or beliefs about management's integrity. (AU-C 240.12) The auditor should not let his or her beliefs about management's integrity allow the auditor to be satisfied with any audit evidence that is less than persuasive. Finally, the auditor should continuously question whether information and evidence obtained suggest that material misstatement caused by fraud has occurred.

Engagement Team Discussion about Fraud (Brainstorming)

When planning the audit, members of the audit team should discuss where and how the financial statements may be susceptible to material misstatement caused by fraud. This discussion should include the following:

● Exchange ideas and brainstorm about where the financial statements are susceptible to fraud, how assets could be stolen, and how management might engage in fraudulent financial reporting.

● Emphasize the need to maintain the proper mindset throughout the audit regarding the potential for fraud. As previously discussed, the auditor should continually exercise professional skepticism and have a questioning mind when performing the audit and evaluating audit evidence. Engagement team members should thoroughly probe issues, acquire additional evidence when necessary, and consult with other team members and firm experts as needed.

● Consider known external and internal factors affecting the entity that might create incentives and opportunities to commit fraud, and indicate an environment that enables rationalizations for committing fraud.

● Consider indications of earnings management.

● Consider the risk that management might override controls.

● Consider how to respond to the susceptibility of the financial statements to material misstatement caused by fraud.

● For the purposes of this discussion, set aside any of the audit team's prior beliefs about management's honesty and integrity.

The discussion would normally include key audit team members. Other factors that should be considered when planning the discussion include:

● Whether to have multiple discussions if the audit involves more than one location

● Whether to include specialists assigned to the audit

Audit team members should continue to communicate throughout the audit about the risks of material misstatement due to fraud. (AU-C 240.15)

Obtaining Information Needed to Identify Fraud Risks

In addition to performing procedures required under Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements, the auditor should obtain information needed to identify the risks of material misstatement due to fraud by:

● Asking management and others within the entity about their views on the risk of fraud and how such risks are addressed.

● Considering unusual or unexpected relationships identified by analytical procedures performed while planning the audit.

● Considering whether any fraud risk factors exist.

● Considering other information that may be helpful in identifying fraud risk.

Inquiries of Management

Management is responsible for designing and implementing programs to prevent, deter, and detect fraud. When management and others, such as the audit committee and board of directors, set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced.

The auditor should make the following inquiries of management:

● Does management or others within the entity know about actual or suspected fraud?

● Have there been any allegations of actual or suspected fraud from employees, former employees, analysts, regulators, short sellers, and others?

● Does management understand the entity's fraud risk, including any identified risk factors or account balances or classes of transactions for which a fraud risk is likely to exist?

● What programs and controls does the entity have to help prevent, deter, and detect fraud? How does management monitor such programs?

● When there are multiple locations, how are operating locations or business segments monitored? Is fraud more likely to exist at any one of the locations or business segments?

● Does management communicate its views on business practices and ethical behavior to employees, and, if so, how?

● Has management communicated to those charged with governance how the entity's internal control prevents, deters, and detects fraud?

(AU-C 240.17-.18)

When evaluating management's responses to these inquiries, auditors should remember that management is often in the best position to commit fraud. Therefore, the auditor should determine when it is necessary to corroborate those responses with other information. When responses are inconsistent, the auditor should obtain additional audit evidence.

Inquiries of Those Charged with Governance

The auditor should understand how those charged with governance oversee the entity's assessment of fraud risks and the mitigating programs and controls. (AU-C 240.20) The auditor should make the following inquiries of those charged with governance:

● What are those charged with governance's (or the audit committee's or at least the chair's) views of the risk of fraud?

● Do they know about actual, alleged, or suspected fraud in the entity?

(AU-C 240.21)

Inquiries of Internal Auditors

The auditor should make the following inquiries of appropriate individuals within the internal audit function:

● What are their views on the risk of fraud?

● Have they performed procedures to identify or detect fraud during the year?

● Has management satisfactorily responded to any finding from procedures performed to identify or detect fraud?

● Are they aware of any actual, suspected, or alleged fraud?

(AU-C 240.19)

Inquiries of Others within the Organization

The auditor should also ask others within the entity whether they are aware of actual or suspected fraud, using professional judgment to determine to whom these inquiries are made and how extensive the inquiries should be. The following are examples of people who may provide helpful information and, therefore, to whom the auditor may wish to consider directing inquiries:

1. Anyone at varying levels of authority whom the auditor deals with during the audit, such as when the auditor is obtaining an understanding of the entity's internal controls, observing inventory, performing cutoff procedures, or getting explanations for fluctuations noted during analytical procedures

2. Operating staff not directly involved in financial reporting

3. Employees involved in initiating, recording, or processing complex or unusual transactions

4. In-house legal counsel

(AU-C 240.A19)

Considering the Results of Analytical Procedures

When performing the required analytical procedures in planning the audit as discussed in Section 520, Analytical Procedures, the auditor may find unusual or unexpected relationships as a result of comparing the auditor's expectations with recorded amounts or ratios developed from such amounts. The auditor should consider those results in identifying the risk of material misstatement due to fraud. (AU-C 240.23)

The auditor should also perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. Examples of such procedures include:

● Comparing sales volume with production capacity (sales volume greater than production capacity might indicate fraudulent sales).

● Trend analysis of revenues by month and sales return by month shortly before and after the reporting period (the analysis may point to undisclosed side agreements with customers to return goods).

(AU-C 240.25)

Although analytical procedures performed during audit planning may be helpful in identifying the risk of material misstatement due to fraud, they may only provide a broad indication, since such procedures use data aggregated at a high level. Therefore, the results of such procedures should be considered along with other information obtained by the auditor in identifying fraud risk. (AU-C 240.26)

Considering Fraud Risk Factors

Using professional judgment, the auditor should consider whether information obtained about the entity and its environment indicates that fraud risk factors are present, and, if so, whether it should be considered when identifying and assessing the risk of material misstatement due to fraud. (AU-C 240.24)

Examples of fraud risk factors are presented in Illustrations 1 and 2 at the end of this chapter. These risk factors are classified based on the three conditions usually present when fraud exists:

1. Incentive/pressure

2. Opportunity

3. Attitude/rationalization

(AU-C 240.A30)

The auditor should not assume that all three conditions must be present or observed. In addition, the extent to which any condition is present may vary.

The size, complexity, and ownership of the entity may also affect the identification of fraud risks. (AU-C 240.A31)

In planning the audit, the auditor will most likely use a list of fraud risk factors to serve as a memory jogger. This list may be taken from the examples listed in the AU-C Illustrations at the end of this chapter, or the examples provided may be tailored to the client. The documentation of this list of fraud risk factors to be considered is not required, but represents good practice.

During the planning and performance of the audit, the auditor may identify some of the fraud risk factors from the list as being present at the client. Of those risk factors present, some will be addressed sufficiently by the planned audit procedures; others may require the auditor to extend audit procedures.

Considering Other Information

The auditor should evaluate other information that may be helpful in identifying fraud risk. The auditor should consider:

● Any information from procedures performed when deciding to accept or continue with a client

● Results of review of interim financial statements

● Identified inherent risks

● Information from the discussion among engagement team members

Identifying Fraud Risks

Fraud risk factors may come to the auditor's attention while performing procedures relating to acceptance or continuance of clients, during engagement planning or obtaining an understanding of an entity's internal control, or while conducting fieldwork. Accordingly, the assessment of the risk of material misstatement due to fraud is a cumulative process that includes a consideration of risk factors individually and in combination. As noted earlier, assessment of fraud risk factors is not a simple matter of counting the factors present and converting the result to a level of fraud risk. A few risk factors or even a single risk factor may heighten the risk of fraud significantly.

Attributes

The auditor should use professional judgment and information obtained when identifying the risks of material misstatement due to fraud. The auditor should consider the following attributes of the risk when identifying risks:

Type (Does the risk involve fraudulent financial reporting or misappropriation of assets?)

Significance (Could the risk lead to a material misstatement of the financial statements?)

Likelihood (How likely is it that the risk would lead to a material misstatement of the financial statements?)

Pervasiveness (Does the risk impact the financial statements as a whole, or does it relate to an assertion, account, or class of transactions?)

Throughout the audit, the auditor should evaluate whether identified fraud risks can be related to certain account balances or classes of transactions and related assertions, or whether they relate to the financial statements as a whole. (AU-C 240.25) Examples of accounts or classes of transactions that might be more susceptible to fraud risk include:

● Liabilities from a restructuring because of the subjectivity in estimating them

● Revenues for a software developer, because of their complexity

NOTE: The auditor should document the identified fraud risks.

Presumption about Improper Revenue Recognition as a Fraud Risk

Since fraudulent financial reporting often involves improper revenue recognition, the auditor should ordinarily presume that there is a risk of material misstatement due to fraudulent revenue recognition. (AU-C 240.26)

NOTE: The auditor should document the reasons supporting his or her conclusion when improper revenue recognition is not identified as a fraud risk. (AU-C 240.46)

Consideration of the Risk of Management Override of Controls

The auditor should also recognize that, even when other specific risks of material misstatement are not identified, there is a risk that management can override controls. (AU-C 240.31) The auditor should address this risk as discussed in the later section on “Addressing the Risk of Management Override.”

Assessing Identified Risks

As part of the understanding of internal control required by Section 319, the auditor should:

1. Evaluate whether the entity's programs and controls that address identified risks have been appropriately designed and placed in operation. Programs and controls may involve specific controls, such as those designed to prevent theft, or broad programs, such as one that promotes ethical behavior.

2. Consider whether programs and controls mitigate identified risks of material misstatement due to fraud or whether control deficiencies exacerbate risks.

3. Assess identified risks, taking into account the evaluation of programs and controls.

4. Consider this assessment when responding to the identified risks of material misstatement due to fraud.

Responding to the Results of the Assessment

The auditor responds to assessment of risk of material misstatement due to fraud by:

● Exercising professional skepticism

● Evaluating audit evidence

● Considering programs and controls to address those risks

Examples of the use of professional skepticism would include:

● Designing additional or different audit procedures to obtain more reliable evidence

● Obtaining additional corroboration of management's responses or representations

The auditor should respond to the risk of material misstatement in the following ways:

1. Evaluate the overall conduct of the audit.

2. Adjust the nature, timing, and extent of audit procedures performed in response to identified risks.

3. Perform certain procedures to address the risk that management will override controls.

NOTE: The auditor should document a description of the auditor's response to identified fraud risks.

If the auditor concludes that it is not practical to design audit procedures to sufficiently address the risks of material misstatement due to fraud, the auditor should consider withdrawing from the engagement and communicating the reason to the audit committee.

Overall Response to Risk

Judgments about the risk of material misstatements due to fraud may affect the audit in the following ways:

1. Assignment of personnel and supervision. The personnel assigned to the engagement should have the knowledge, skill, and experience necessary to address the auditor's assessment of the level of risk of the engagement. The extent of supervision should also reflect the level of risk.

2. Accounting principles. The auditor should evaluate management's selection and application of significant accounting principles, particularly those relating to subjective measurements and complex transactions. The auditor should also consider whether the collective application of the principles indicates a bias that may create a material misstatement.

3. Predictability of audit procedures. The auditor should vary procedures from year to year to create an element of unpredictability. For example, the auditor may perform unannounced procedures or use a different sampling method.

(AU-C 240.29)

Adjusting the Nature, Timing, and Extent of Audit Procedures to Address Risk

The auditor may respond to identified risks by adjusting the nature, timing, and extent of audit procedures performed. Specifically:

● The nature of procedures may need to be modified to provide more reliable and persuasive evidence, or to corroborate management's representations. For example, the auditor may need to rely more on independent sources, physical observation of assets, or computer-assisted audit techniques (CAATs).

● The timing of procedures may need to be changed. For example, the auditor may decide to perform more procedures at year-end, rather than relying on tests from an interim date.

● The extent of procedures applied should reflect the assessment of fraud risk and may need to be adjusted. For example, the auditor may increase sample sizes, perform more detailed analytical procedures, or perform more computer-assisted audit techniques.

Appendix B of AU-C 240 contains the following examples of ways to modify the nature, timing, and extent of tests in response to identified risks of material misstatement due to fraud:

● Perform unannounced or surprise procedures at locations.

● Ask that inventories be counted as closely as possible to the end of the reporting period.

● Orally confirm with major customers and suppliers in addition to sending written confirmations.

● Send confirmation requests to a specific party in an organization.

● Perform substantive analytical procedures using disaggregated data, such as comparing gross profit or operating margins by location, line of business, or month to auditor-developed expectations.

● Interview personnel involved in areas where a fraud risk has been identified to get their views about the risk and how controls address the risk.

● Discuss with other independent auditors auditing other subsidiaries, divisions, or branches the extent of work that should be performed to address the risk of fraud resulting from transactions and activities among those components.

● If the work of an expert becomes particularly significant with respect to a financial statement item for which the assessed risk of misstatement due to fraud is high, perform additional procedures relating to some or all of the expert's assumptions, methods, or findings to determine that the findings are not unreasonable, or engage another expert for that purpose.

● Perform audit procedures to analyze selected opening balance sheet accounts of previously audited financial statements to assess how certain issues involving accounting estimates and judgments (for example, an allowance for sales returns) were resolved with the benefit of hindsight.

Examples of Responses to Identified Risks of Misstatements from Fraudulent Financial Reporting

The following examples are from AU-C 240 Appendix B:

Revenue recognition. The auditor may consider:

● Performing substantive analytical procedures relating to revenue using disaggregated data, such as comparing revenue reported by month or by product line or business segment during the current reporting period with comparable prior periods.

● Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements (for example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances).

● Inquiring of the entity's sales and marketing personnel or in-house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.

● Being physically present at one or more locations at period-end to observe goods being shipped or being readied for shipment (or returns processing) and performing other appropriate cutoff procedures.

● For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.

Inventory quantities. The auditor may consider:

● Examining the entity's inventory records to identify locations or items that require specific attention during or after the physical inventory count.

● Performing additional procedures during the count, such as rigorously examining the contents of boxes, checking for hollow squares in the manner in which goods are stacked, or examining the quality of liquid substances for purity, grade, or concentration.

● Performing additional testing of count sheets, tags, or other records to reduce the possibility of subsequent alteration or inappropriate compilation.

● Performing additional procedures to test the reasonableness of quantities counted, such as comparing quantities for the current period with prior periods by class or category of inventory or location.

● Using CAATs.

Management estimates. The auditor may want to supplement the audit evidence obtained. The auditor may:

● Engage a specialist to develop an independent estimate for comparison.

● Extend inquiries to individuals outside of management and the accounting department to corroborate management's ability and intent to carry out plans that are relevant to developing the estimate.

Examples of Responses to Identified Risks of Misstatements Arising from Misappropriation of Assets

The auditor will usually direct a response to identified risks of misstatements arising from misappropriation of assets to certain account balances. The scope of the work should be linked to the specific information about the identified misappropriation risk. (AU-C 240 Appendix B) The auditor may consider some of the procedures listed in the preceding section, “Examples of Responses to Identified Risks of Misstatements Arising from Fraudulent Financial Reporting.” However, in some cases, the auditor may:

● Obtain an understanding of the controls related to preventing or detecting the misappropriation and testing of such controls.

● Physically inspect assets near the end of the period.

● Apply substantive analytical procedures, such as the development by the auditor of an expected dollar amount at a high level of precision to be compared with a recorded amount.

NOTE: Audit procedures may involve both substantive tests and tests of controls. However, since management may be able to override controls, it is unlikely that audit risk can be reduced to an appropriate level by performing only tests of controls.

Addressing the Risk of Management Override

The auditor should perform the following procedures to specifically address the risk for management's override of controls.

Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud, and testing the appropriateness and authorization of such entries. (AU-C 240.A49-.A50) The following procedures should help the auditor in addressing possible recording of inappropriate or unauthorized journal entries or making financial statement adjustments, such as consolidating adjustments, report combinations, or reclassifications not reflected in formal journal entries. The auditor should specifically:

1. Understand the financial reporting process, understand the design of controls over journal entries and other adjustments, and determine that such controls are suitably designed and placed in operation.

2. Identify and select journal entries and other adjustments for testing, while considering the following:

● What is our assessment of the risk of material misstatement due to fraud? (The auditor may identify a specific class of journal entries to examine after considering a specific fraud risk factor.)

● How effective are controls over journal entries and other adjustments? (Even if controls are implemented and operating effectively, the auditor should identify and test specific items.)

● Based on our understanding of the entity's financial reporting process, what is the nature of evidence that can be examined? (Regardless of whether journal entries are automated or processed manually, the auditor should select journal entries to be tested from the general ledger, and examine support for those items. In addition, if journal entries and adjustments are in electronic form only, the auditor may require that an information technology [IT] specialist extract the data.)

NOTE: Computer-assisted audit techniques (CAATs) such as data extraction applications frequently are the most effective and efficient means for identifying and selecting journal entries and adjustments for testing.

● What are the characteristics of fraudulent entries or adjustments, or the nature and complexity of accounts? Illustration 3 at the end of this chapter provides a worksheet to use in identifying characteristics of fraudulent journal entries or adjustments, or accounts that may be more likely to contain inappropriate journal entries or adjustments. (When audits involve multiple locations, the auditor should consider whether to select journal entries from various locations.)

● Are there any journal entries or other adjustments processed outside the normal course of business (i.e., nonstandard or nonrecurring entries)? The auditor should consider placing additional emphasis on identifying and testing items processed outside the normal course of business, because such items may not be subject to the same level of internal control as other entries.

3. Determine the timing of testing. Fraud may occur throughout a period, so the auditor should consider the need to test journal entries throughout the period under audit. However, the auditor should also consider that fraudulent journal entries are often made at the end of the reporting period and should focus on entries made during that time.

4. Ask individuals in the financial reporting process about inappropriate or unusual activity relating to journal entries and adjustments.

NOTE: The auditor should document the results of procedures performed to address the possibility that management might override controls.
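
The selection considerations above, sketched as a simple CAAT (an added example, not part of the book or of AU-C 240): it flags entries posted near period-end or from nonstandard sources, then draws a seeded sample of the remaining entries per location and month so that testing also covers the rest of the period. The field names, source labels, reason labels, five-day window, and ledger rows are assumptions constructed for illustration.

```python
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed labels for sources that post routine, recurring entries.
STANDARD_SOURCES = {"sales_subledger", "payroll", "ap_subledger"}
PERIOD_END = date(2017, 12, 31)  # constructed reporting period end


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    location: str
    source: str
    amount: float


# Constructed general-ledger extract (not real data).
LEDGER = [
    JournalEntry("JE-001", date(2017, 3, 14), "HQ", "sales_subledger", 12000.0),
    JournalEntry("JE-002", date(2017, 3, 20), "HQ", "payroll", 8000.0),
    JournalEntry("JE-003", date(2017, 7, 2), "Plant", "ap_subledger", 4500.0),
    JournalEntry("JE-004", date(2017, 9, 15), "Plant", "manual", 30000.0),
    JournalEntry("JE-005", date(2017, 12, 29), "HQ", "sales_subledger", 95000.0),
    JournalEntry("JE-006", date(2017, 12, 31), "HQ", "manual", 250000.0),
    JournalEntry("JE-007", date(2017, 12, 20), "Plant", "payroll", 7000.0),
]


def flag_entry(entry, period_end, window_days=5):
    """Return the reasons (labels assumed here) an entry warrants testing."""
    reasons = []
    # Entries made at the end of the reporting period get extra focus.
    if period_end - timedelta(days=window_days) <= entry.posted <= period_end:
        reasons.append("period_end")
    # Entries outside the normal course of business (nonstandard sources).
    if entry.source not in STANDARD_SOURCES:
        reasons.append("nonstandard")
    return reasons


def select_for_testing(entries, period_end, window_days=5, per_bucket=1, seed=0):
    """Map entry_id -> reasons for every entry selected for testing.

    All flagged entries are selected. Unflagged entries are grouped by
    (location, year, month) and sampled with a fixed seed, so the selection
    spans the whole period and every location and can be reproduced in the
    audit documentation.
    """
    rng = random.Random(seed)
    selected = {}
    unflagged = defaultdict(list)
    for entry in entries:
        reasons = flag_entry(entry, period_end, window_days)
        if reasons:
            selected[entry.entry_id] = reasons
        else:
            key = (entry.location, entry.posted.year, entry.posted.month)
            unflagged[key].append(entry)
    for key in sorted(unflagged):
        bucket = sorted(unflagged[key], key=lambda e: e.entry_id)
        for entry in rng.sample(bucket, min(per_bucket, len(bucket))):
            selected[entry.entry_id] = ["throughout_period_sample"]
    return selected


if __name__ == "__main__":
    for entry_id, reasons in sorted(select_for_testing(LEDGER, PERIOD_END).items()):
        print(entry_id, ", ".join(reasons))
```

Fixing the seed makes the sampled portion reproducible for the workpapers; changing it from year to year keeps the selection unpredictable to the entity.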

Reviewing accounting estimates for biases that could result in fraud. (AU-C 240.A52-.A53) The auditor should consider whether differences between amounts supported by audit evidence and the estimates included in the financial statements, even if individually reasonable, indicate a possible bias on the part of entity's management. If so, the auditor should reconsider the estimates taken as a whole.

The auditor should retrospectively review significant accounting estimates in prior years' financial statements to determine whether there is a possible bias on the part of management. (Significant accounting estimates are those based on highly sensitive assumptions or significantly affected by management's judgment.) The review should provide information to the auditor about a possible management bias that can be helpful in evaluating the current year's estimates. If a management bias is identified, the auditor should evaluate whether the bias represents a risk for material misstatement due to fraud.

Evaluating whether the rationale for significant unusual transactions is appropriate. (AU-C 240.A54) Personnel at the entity engaged in trying to hide a theft or commit fraudulent financial reporting might use unusual or nonstandard transactions to conceal the fraud. The auditor should understand the business rationale for such transactions and whether the rationale suggests that the transactions are fraudulent. When evaluating the transactions, the auditor should consider:

● Is the transaction overly complex?

● Has management discussed the nature and accounting for the transaction with the audit committee or board of directors?

● Is management focusing more on achieving a particular accounting treatment than the underlying economics?

● Have any transactions involving special purpose entities or other unconsolidated related parties been approved by the audit committee or board of directors?

● Do transactions involve previously unidentified related parties?

● Do transactions involve parties that cannot support the transaction without the help of the audited entity?

Evaluating Audit Evidence

The auditor should:

1. Assess the risk of material misstatement due to fraud throughout the audit.

2. Evaluate whether analytical procedures performed as substantive tests or in the overall review indicate a previously unidentified fraud risk.

3. Evaluate the risk of material misstatement due to fraud at or near the completion of fieldwork.

4. Respond to misstatements that may result from fraud.

5. Consider whether identified misstatements may be indicative of fraud, and, if so, evaluate their implications.

(AU-C 240.34-.37)

Evaluating Analytical Procedures

The auditor should consider whether analytical procedures performed as substantive tests or in the overall review stage of the audit indicate a risk of material misstatement due to fraud. The auditor should perform analytical procedures relating to revenue through the end of the reporting period, either as part of the overall review of the audit or separately. If such procedures are not included during the overall review stage of the audit, the auditor should perform analytical procedures specifically related to potentially fraudulent revenue recognition.

The auditor should be alert to responses to inquiries about analytical relationships that are:

● Vague or implausible

● Inconsistent with other audit evidence

NOTE: The auditor should document other conditions or analytical relationships that result in additional procedures, and any other responses the auditor feels are necessary.

As part of the auditor's evaluation of analytical procedures performed as substantive tests or in the overall review stage of the audit, and those analytical procedures that relate to revenue through the end of the reporting period, the auditor may find it helpful to consider the following issues:

1. Are there any unusual relationships involving revenues and income at year-end, such as an unexpectedly large amount of revenue reported at the very end of the reporting period from nonstandard transactions, or income that is not consistent with cash flow trends from operations?

2. Are there other unusual or unexpected analytical relationships that should be evaluated? The guidance provides the following examples:

● An unusual relationship between net income and cash flows from operations may occur if management recorded fictitious revenues and receivables but was unable to manipulate cash.

● Inconsistent changes in inventory, accounts payable, sales, or cost of sales between the prior period and the current period may indicate a possible employee theft of inventory, because the employee was unable to manipulate all of the related accounts.

● Comparing the entity's profitability to industry trends, which management cannot manipulate, may indicate trends or differences for further consideration.

● Unexplained relationships between bad debt write-offs and comparable industry data, which employees cannot manipulate, may indicate a possible theft of cash receipts.

● Unusual relationships between sales volume taken from the accounting records and production statistics maintained by operating personnel – which may be more difficult for management to manipulate – may indicate a possible misstatement of sales.

(AU-C 240.A58)

Evaluating Fraud Risk at or Near the Completion of Fieldwork

The auditor should, at or near the end of fieldwork, evaluate whether the results of auditing procedures and observations affect the earlier assessment of the risk of material misstatement due to fraud. When making this evaluation, the auditor with final responsibility for the audit should confirm that all audit team members have been communicating information about fraud risks to each other throughout the audit.

Responding to misstatements that may result from fraud. When misstatements are identified, the auditor should consider whether they are indicative of fraud. The auditor may need to consider the impact on materiality and other related responses.

If the auditor believes that the misstatements are fraudulent or may result from fraud, but the effect is not material to the financial statements, the auditor should evaluate the implications for the rest of the audit. If the auditor determines that there are implications, such as implications about management's integrity, the auditor would reevaluate the assessment of the risk of material misstatement due to fraud and its impact on the nature, timing, and extent of substantive tests and the assessment of control risk if control risk were assessed below the maximum.

If the auditor believes that the misstatements are fraudulent or may result from fraud, and the effect is material (or if the auditor cannot evaluate the materiality of the effect), the auditor should:

1. Try to obtain additional evidence to determine whether fraud occurred and what its effect would be.

2. Consider how it affects the rest of the audit.

3. Discuss the matter and a plan for further investigation with a level of management at least one level above those involved, as well as senior management and those charged with governance (if senior management is involved, it may be appropriate for the auditor to hold the discussion with those charged with governance).

4. Consider suggesting that the client consult legal counsel.

After evaluating the risk of material misstatement, the auditor may determine that he or she should withdraw from the engagement and communicate the reason to those charged with governance. The auditor may wish to consult legal counsel when considering withdrawing from the engagement.

NOTE: Because of the wide variety of circumstances involved, it is not possible to definitively point out when the auditor should withdraw. However, the auditor may want to consider the implications of the fraud for management's integrity and the cooperation and effectiveness of management and/or the board of directors when considering whether to withdraw.

Communication about Possible Fraud to Management and Those Charged with Governance

When the auditor discovers or suspects fraud, the actions and communications required are somewhat complex, especially when an SEC client is involved. The actions/communications required by Title III of the Private Securities Litigation Reform Act of 1995, by the SEC Practice Section (SECPS) for its members, and by the SEC in Form 8-K add to the complexity.

The auditor should communicate on a timely basis any evidence that fraud may exist, even if such fraud is inconsequential, to the appropriate level of management. (AU-C 240.39)

The auditor should directly inform those charged with governance about:

● Fraud involving management

● Fraud involving employees who have significant roles in internal control

● Fraud that causes a material misstatement of the financial statements

(AU-C 240.40)

The auditor should reach an understanding with those charged with governance about the nature and extent of communications that need to be made to them about misappropriations committed by lower-level employees.

The auditor should consider whether the following are reportable conditions that should be communicated to senior management and those charged with governance:

● Identified risks of material misstatement due to fraud that have continuing control implications (whether or not transactions or adjustments that could result from fraud have been detected)

● A lack of, or deficiencies in, programs and controls to mitigate the risk of fraud

The auditor may also want to communicate other identified risks of fraud to those charged with governance, either in the overall communication of business and financial statement risks affecting the entity or in the communication about the quality of the entity's accounting principles (see Section 260).

Ordinarily, the auditor is not required to disclose possible fraud to anyone other than the client's senior management and those charged with governance, and in fact would be prevented by the duty of confidentiality from doing so. However, a duty to disclose to others outside the entity may exist when:

1. Complying with certain legal and regulatory requirements

2. Responding to a successor auditor's inquiries

3. Responding to a subpoena

4. Complying with requirements of a funding agency or other specified agency for audits that receive governmental financial assistance

(AU-C 240.A72)

The auditor may wish to consult legal counsel before discussing these matters outside the client to evaluate the auditor's ethical and legal obligations for client confidentiality. (AU-C 240.A73)

NOTE: The auditor should document these communications to management, the audit committee, and others.

When deciding on how to communicate, the best approach is to decide which of the following three situations governs, and to follow the guidance presented for the applicable situation.

Situation 1

Any Fraud Involving Senior Management for Non-SEC Clients

Auditor should:

1. Consider the implications for other aspects of the audit.

2. Reevaluate the assessment of the risk of fraud.

3. Discuss the matter and the approach to further investigation with the appropriate level of management.⁹

4. Obtain additional evidentiary matter, including suggesting that the client consult with legal counsel.

5. Consider whether any risk factors identified represent reportable conditions (Section 325).

6. Consider withdrawing from the engagement and communicating the reasons to those charged with governance.

7. Report the fraud to the audit committee or, in a small business, to the owner-manager.

NOTE: If the perpetrator controls the audit committee or board of directors, go directly to client's legal counsel. If the perpetrator is a general partner acting against the interests of the limited partners, obtain legal advice and consider communicating to the limited partners. If the perpetrator is the owner-manager of a small business, the auditor has little choice but to communicate with the perpetrator and has no obvious course of action but to withdraw. However, first the auditor should consult with his or her legal counsel.

8. Insist that the financial statements be revised and, if they are not, express a qualified or adverse opinion (if precluded from obtaining needed evidence, disclaim an opinion or withdraw).

Situation 2

Any Fraud Involving Senior Management for SEC Clients

Auditor should:

1. Follow the steps in the Situation 1 checklist plus additional items 2–4 below.

2. Consider Section 10A(b) of the Securities Exchange Act of 1934 (Title III, Private Securities Litigation Reform Act of 1995):

a. Matter is reported to board of directors and it does not take appropriate action.

b. Auditor concludes that failure to take remedial action is expected to cause departure from standard audit report or cause withdrawal.

c. Auditor should report conclusion in item b of this list to board of directors as soon as practicable (e.g., on Monday).

d. Client is required to notify SEC (within one business day) of auditor's conclusion described in item b (e.g., by Tuesday).

e. Client is required to furnish report to SEC in item d to auditor within one business day (e.g., by Tuesday).

f. If auditor doesn't receive report in item e, auditor notifies SEC within one business day following failure to receive (e.g., on Wednesday).

3. If the auditor withdraws or resigns from the engagement, the auditor must send a copy of resignation to the SEC within five business days.

4. Follow SEC requirements for reporting on Form 8-K:

a. Upon auditor's withdrawal, client must disclose within four business days the following information on a Form 8-K, filed with the SEC, with a copy to the auditor on the same day:

● Auditor's resignation

● Auditor's conclusion that the information coming to his or her attention has a material impact on the fairness or reliability of the client's financial statements or audit report and that this matter was not resolved to the auditor's satisfaction before resignation

b. Auditor must prepare a letter stating agreement or disagreement with client's statements after reading Form 8-K. If auditor disagrees, he or she must disclose differences of opinion in a letter to client as promptly as possible. Client must then file the letter with the SEC within ten business days after filing the Form 8-K. Notwithstanding the ten-business-day requirement, client has two business days from the date of receipt to file the letter with the SEC.

Situation 3

Any Fraud Not Involving Senior Management for All Clients (Public and Nonpublic)

Auditor should:

1. Evaluate the implications for other aspects of the audit, especially organizational positions of persons involved.

2. Bring to the attention of, and discuss with, the appropriate level of management (even if inconsequential).

3. Communicate the matter to those charged with governance unless the matter is clearly below the communication threshold previously agreed to by the auditor and those charged with governance.

4. Consider whether any risk factors identified represent reportable conditions (Section 265).

Documentation

The auditor should document:

● The engagement team's discussion, when planning the audit, about the entity's susceptibility to fraud; the documentation should include how and when the discussion occurred, audit team members participating, and the subject matter covered.

● Procedures performed to obtain the information for identifying and assessing the risks of material misstatements due to fraud.

● Specific risks of material misstatement due to fraud identified by the auditor, and a description of the auditor's response to those risks.

● If improper revenue recognition has not been identified as a risk factor, the reasons supporting such conclusion.

● The results of procedures performed that addressed the risk that management would override controls.

● Other conditions and analytical relationships that caused the auditor to believe that additional procedures or responses were required, and any other further responses to address risks or other conditions.

● The nature of communications about fraud to management, those charged with governance, and others.

(AU-C 240.43-.46)

Antifraud Programs and Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013) includes a discussion of expectations related to preventing and detecting fraud. The guidance in AU-C 240 is based on the presumption that entity management has both the responsibility and the means to take action to reduce the occurrence of fraud at the entity. To fulfill this responsibility, management should:

● Create and maintain a culture of honesty and high ethics.

● Evaluate the risks of fraud and implement the processes, procedures, and controls needed to mitigate the risks and reduce the opportunities for fraud.

● Develop an appropriate oversight process.

Culture of Honesty and Ethics

A culture of honesty and ethics includes these elements:

● A value system founded on integrity

● A positive workplace environment where employees have positive feelings about the entity

● Human resource policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust

● Training – both at the time of hire and on an ongoing basis – about the entity's values and its code of conduct

● Confirmation from employees that they understand and have complied with the entity's code of conduct and that they are not aware of any violations of the code

● Appropriate investigation and response to incidents of alleged or suspected fraud

Evaluating Antifraud Programs and Controls

The entity's risk assessment process (as described in the separate chapter on AU-C 315) should include the consideration of fraud risk. With an aim toward reducing fraud opportunities, the entity should take steps to:

● Identify and measure fraud risk.

● Mitigate fraud risk by making changes to the entity's activities and procedures.

● Implement and monitor an appropriate system of internal control.

Develop an Appropriate Oversight Process

The entity's audit committee or board of directors should take an active role in evaluating management's:

● Creation of an appropriate culture

● Identification of fraud risks

● Implementation of antifraud measures

To fulfill its oversight responsibilities, audit committee members should be financially literate, and each committee should have at least one financial expert. Additionally, the committee should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels of the organization or investigating any fraudulent activity that might occur.

⁹ Fraud that involves senior management or fraud that causes a material misstatement of the financial statements should be reported directly to those charged with governance.
