Identifying Fraud Risks
The auditor should use professional judgment and information obtained when identifying the risks of material misstatement due to fraud. The auditor should consider the following attributes of the risk when identifying risks:
- Type (Does the risk involve fraudulent financial reporting or misappropriation of assets?)
- Significance (Could the risk lead to a material misstatement of the financial statements?)
- Likelihood (How likely is it that the risk would lead to a material misstatement of the financial statements?)
- Pervasiveness (Does the risk impact the financial statements as a whole or does it relate to an assertion, account, or class of transactions?)
The auditor should evaluate whether identified fraud risks can be related to certain account balances or classes of transactions and related assertions, or whether they relate to the financial statements as a whole. Examples of accounts or classes of transactions that might be more susceptible to fraud risk include:
- Liabilities from a restructuring because of the subjectivity in estimating them.
- Revenues for a software developer, because of their complexity.
Note: The auditor should document the identified fraud risks. Presumption about Improper Revenue Recognition as a Fraud Risk Since fraudulent financial reporting often involves improper revenue recognition, the auditor should ordinarily presume that there is a risk of material misstatement due to fraudulent revenue recognition. The auditor should also document the reasons supporting his or her conclusion when improper revenue recognition is not identified as a fraud risk.
Consideration of the Risk of Management Override of Controls – The auditor should also recognize that, even when other specific risks of material misstatement are not identified, there is a risk that management can override controls. The auditor should address this risk as discussed in the next section “Addressing the Risk of Management Override”
Assessing Identified Risks – As part of the understanding of internal control required, the auditor should:
- Evaluate whether the entity’s programs and controls that address identified risks have been appropriately designed and placed in operation. Programs and controls may involve specific controls, such as those designed to prevent theft, or broad programs, such as one which promotes ethical behavior.
- Consider whether programs and controls mitigate identified risks of material misstatement due to fraud or whether control deficiencies exacerbate risks.
- Assess identified risks, taking into account the evaluation of programs and controls.
- Consider this assessment when responding to the identified risks of material misstatement due to fraud.
Responding To The Results Of The Assessment – The auditor responds to assessment of risk of material misstatement due to fraud by:
- Exercising professional skepticism.
- Evaluating audit evidence.
- Considering programs and controls to address those risks.\
Examples of the use of professional skepticism would include
- Designing additional or different audit procedures to obtain more reliable evidence.
- Obtaining additional corroboration of management’s responses or representations.
The auditor should respond to the risk of material misstatement in the following ways:
- Evaluate the overall conduct of the audit.
- Adjust the nature, timing, and extent of audit procedures performed in response to identified risks.
- Perform certain procedures to address the risk that management will override controls.
Note: The auditor should document a description of the auditor’s response to identified fraud risks. If the auditor concludes that it is not practical to design audit procedures to sufficiently address the risks of material misstatement due to fraud, the auditor should consider withdrawing from the engagement and communicating the reason to the audit committee.
Overall Response to Risk – Judgments about the risk of material misstatements due to fraud may affect the audit in the following ways:
- Assignment of personnel and supervision. The personnel assigned to the engagement should have the knowledge, skill, and experience necessary to address the auditor’s assessment of the level of risk of the engagement. The extent of supervision should also reflect the level of risk.
- Accounting principles. The auditor should evaluate management’s selection and application of significant accounting principles, particularly those relating to subjective measurements and complex transactions. The auditor should also consider whether the collective application of the principles indicates a bias that may create a material misstatement.
- Predictability of audit procedures. The auditor should vary procedures from year to year to create an element of unpredictability. For example, the auditor may perform unannounced procedures or use a different sampling method.
Adjusting Audit Procedures – The auditor may respond to identified risks by adjusting the nature, timing, and extent of audit procedures performed. Specifically:
- The nature of procedures may need to be modified to provide more reliable and persuasive evidence, or to corroborate management’s representations. For example, the auditor may need to rely more on independent sources, physical observation of assets, or computer-assisted audit techniques.
- The timing of procedures may need to be changed. For example, the auditor may decide to perform more procedures at year-end, rather than relying on tests from an interim date.
- The extent of procedures applied should reflect the assessment of fraud risk and may need to be adjusted. For example, the auditor may increase sample sizes, perform more detailed analytical procedures, or perform more computer-assisted audit techniques.
Additional examples of ways to modify the nature, timing, and extent of tests to respond to the fraud risk assessment, examples of responses to identified risks arising from fraudulent financial reporting, and examples of responses to risks from misstatements arising from the misappropriation of assets can be found in Techniques for Application.
Note: Audit procedures may involve both substantive tests and tests of controls. However, since management may be able to override controls, it is unlikely that audit risk can be reduced to an appropriate level by performing only tests of controls.
Addressing the Risk of Management Override – The auditor should perform the following procedures to specifically address the risk for management’s override of controls. Examine journal entries and other adjustments for evidence of possible material misstatement due to fraud, and test the appropriateness and authorization of such entries. The following procedures should help the auditor in addressing possible recording of inappropriate or unauthorized journal entries or making financial statement adjustments, such as consolidating adjustments, report combinations, or reclassifications not reflected in formal journal entries. The auditor should specifically:
. Understand the financial reporting process, understand the design of controls over journal entries and other adjustments, and determine that such controls are suitably designed and placed in operation.
. Identify and select journal entries and other adjustments for testing, while considering the following:
- What is our assessment of the risk of material misstatement due to fraud? (The auditor may identify a specific class of journal entries to examine after considering a specific fraud risk factor).
- How effective are controls over journal entries and other adjustments? (Even if controls are implemented and operating effectively, the auditor should identify and test specific items).
- Based on our understanding of the entity’s financial reporting process, what is the nature of evidence that can be examined? (Regardless of whether journal entries are automated or processed manually, the auditor should select journal entries to be tested from the general ledger, and examine support for those items. In addition, if journal entries and adjustments are in electronic form only, the auditor may require that an information technology [IT] specialist extract the data. Similarly, in an IT environment, the auditor may need computer-assisted audit techniques to identify and select journal entries and adjustments for testing).
- What are the characteristics of fraudulent entries or adjustments, or the nature and complexity of accounts? Illustration 3 provides a worksheet to use in identifying characteristics of fraudulent journal entries or adjustments, or accounts that may be more likely to contain inappropriate journal entries or adjustments. (When audits involve multiple locations, the auditor should consider whether to select journal entries from various locations).
- Are there any journal entries or other adjustments processed outside the normal course of business, (i.e., nonstandard or nonrecurring entries)? The auditor should consider placing additional emphasis in identifying and testing items processed outside the normal course of business, because such items may not be subject to the same level of internal control as other entries.
. Determine the timing of testing. Fraud may occur throughout a period, and so the auditor should consider the need to test journal entries throughout the period under audit. However, the auditor should also consider that fraudulent journal entries are often made at the end of the reporting period, and should focus on entries made during that time.
. Ask individuals in the financial reporting process about inappropriate or unusual activity relating to journal entries and adjustments.
Note: The auditor should document the results of procedures performed to address the possibility that management might override controls.
Reviewing accounting estimates for biases that could result in fraud. The auditor should consider whether differences between amounts supported by audit evidence and the estimates included in the financial statements, even if individually reasonable, indicate a possible bias on the part of entity’s management. If so, the auditor should reconsider the estimates taken as a whole.
The auditor should retrospectively review significant accounting estimates in prior year’s financial statements to determine whether there is a possible bias on the part of Management (Significant accounting estimates are those based on highly sensitive assumptions or significantly affected by management’s judgment). The review should provide information to the auditor about a possible management bias that can be helpful in evaluating the current year’s estimates. If a management bias is identified, the auditor should evaluate whether the bias represents a risk for material misstatement due to fraud.
Evaluating whether the rationale for significant unusual transactions is appropriate.
Personnel at the entity engaged in trying to hide a theft or commit fraudulent financial
reporting might use unusual or nonstandard transactions to conceal the fraud. The auditor
should understand the business rationale for such transactions and whether the rationale suggests that the transactions are fraudulent. When evaluating the transactions, the auditor should consider:
- Is the transaction overly complex?
- Has management discussed the nature and accounting for the transaction with the audit committee or board of directors?
- Is management focusing more on achieving a particular accounting treatment than the underlying economics?
- Have any transactions involving special-purpose entities or other unconsolidated related parties been approved by the audit committee or board of directors?
- Do transactions involve previously unidentified related parties?
- Do transactions involve parties that cannot support the transaction without the help of the audited entity?
Fraud Consideration In Audit [SAS 99 Fundamentals]
Obtaining Information Needed To Identify Fraud Risks
Evaluating Audit Evidence
Communication about Possible Fraud To Management
Documentation of Fraud Consideration
Or; use below page navigation to move foreward or backward: