Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

Consider known external and internal factors affecting the entity that might create incentives and opportunities to commit fraud, and indicate an environment that enables rationalizations for committing fraud.

Consider indications of earnings management.

Consider the risk that management might override controls.

Consider how to respond to the susceptibility of the financial statements to material misstatement caused by fraud.

For the purposes of this discussion, set aside any of the audit team’s prior beliefs about management’s honesty and integrity.

The discussion would normally include key audit team members. Other factors that should be considered when planning the discussion include:

Whether to have multiple discussions if the audit involves more than one location

Whether to include specialists assigned to the audit

Audit team members should continue to communicate throughout the audit about the risks of material misstatement due to fraud. (AU-C 240.15)

In addition to performing procedures required under Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements , the auditor should obtain information needed to identify the risks of material misstatement due to fraud by:

Asking management and others within the entity about their views on the risk of fraud and how such risks are addressed.

Considering unusual or unexpected relationships identified by analytical procedures performed while planning the audit.

Considering whether any fraud risk factors exist.

Considering other information that may be helpful in identifying fraud risk.

The auditor should make the following inquiries of management:

Does management or others within the entity know about actual or suspected fraud?

Have there been any allegations of actual or suspected fraud from employees, former employees, analysts, regulators, short sellers, and others?

Does management understand the entity’s fraud risk, including any identified risk factors or account balances or classes of transactions for which a fraud risk is likely to exist? How does management identify, respond to, and monitor those risks?

What programs and controls does the entity have to help prevent, deter, and detect fraud? How does management monitor such programs?

When there are multiple locations, how are operating locations or business segments monitored? Is fraud more likely to exist at any one of the locations or business segments?

Does management communicate its views on business practices and ethical behavior to employees, and, if so, how?

Has management communicated to those charged with governance how the entity’s internal control prevents, deters, and detects fraud?

(AU-C 240.17–.19)

When evaluating management’s responses to these inquiries, auditors should remember that management is often in the best position to commit fraud. Therefore, the auditor should determine when it is necessary to corroborate those responses with other information. When responses are inconsistent, the auditor should obtain additional audit evidence.

The auditor should make the following inquiries of appropriate individuals within the internal audit function:

What are their views on the risk of fraud?

Have they performed procedures to identify or detect fraud during the year?

Has management satisfactorily responded to any finding from procedures performed to identify or detect fraud?

Are they aware of any actual, suspected, or alleged fraud?

(AU-C 240.19)

The auditor should also ask others within the entity whether they are aware of actual or suspected fraud, using professional judgment to determine to whom these inquiries are made and how extensive the inquiries should be. The following are examples of people who may provide helpful information and, therefore, to whom the auditor may wish to consider directing inquiries:

1 Anyone at varying levels of authority with whom the auditor deals during the audit, such as when the auditor is obtaining an understanding of the entity’s internal controls, observing inventory, performing cutoff procedures, or getting explanations for fluctuations noted during analytical procedures

2 Operating staff not directly involved in financial reporting

3 Employees involved in initiating, recording, or processing complex or unusual transactions

4 In-house legal counsel

(AU-C 240.A19)

The auditor should understand how those charged with governance oversee the entity’s assessment of fraud risks and the mitigating programs and controls. (AU-C 240.20) The auditor should make the following inquiries of those charged with governance:

What are those charged with governance’s (or the audit committee’s or at least the chair’s) views of the risk of fraud?

Do they know about actual, alleged, or suspected fraud in the entity?

(AU-C 240.21)

When performing the required analytical procedures in planning the audit as discussed in Section 520, Analytical Procedures , the auditor may find unusual or unexpected relationships as a result of comparing the auditor’s expectations with recorded amounts or ratios developed from such amounts. The auditor should consider those results in identifying the risk of material misstatement due to fraud. (AU-C 240.22)

The auditor should also perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. Examples of such procedures include:

Comparing sales volume with production capacity (sales volume greater than production capacity might indicate fraudulent sales).

Trend analysis of revenues by month and sales return by month shortly before and after the reporting period (the analysis may point to undisclosed side agreements with customers to return goods).

Trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.

(AU-C 240.A25)

Although analytical procedures performed during audit planning may be helpful in identifying the risk of material misstatement due to fraud, they may only provide a broad indication, since such procedures use data aggregated at a high level. Therefore, the results of such procedures should be considered along with other information obtained by the auditor in identifying fraud risk. (AU-C 240.26)

Using professional judgment, the auditor should consider whether information obtained about the entity and its environment indicates that fraud risk factors are present, and, if so, whether it should be considered when identifying and assessing the risk of material misstatement due to fraud. (AU-C 240.24)

Examples of fraud risk factors are presented in Illustrations 1 and 2 at the end of this chapter. These risk factors are classified based on the three conditions usually present when fraud exists:

1 Incentive/pressure

2 Opportunity

3 Attitude/rationalization

(AU-C 240.A30)

The auditor should not assume that all three conditions must be present or observed. In addition, the extent to which any condition is present may vary.

The size, complexity, and ownership of the entity may also affect the identification of fraud risks. (AU-C 240.A31)