In planning the audit, the auditor will most likely use a list of fraud risk factors to serve as a memory jogger. This list may be taken from the examples listed in the AU-C Illustrations at the end of this chapter, or the examples provided may be tailored to the client. The documentation of this list of fraud risk factors to be considered is not required, but represents good practice.
During the planning and performance of the audit, the auditor may identify some of the fraud risk factors from the list as being present at the client. Of those risk factors present, some will be addressed sufficiently by the planned audit procedures; others may require the auditor to extend audit procedures.
Considering Other Information
The auditor should evaluate other information that may be helpful in identifying fraud risk. The auditor should consider:
Any information from procedures performed when deciding to accept or continue with a client
Results of review of interim financial statements
Identified inherent risks
Information from the discussion among engagement team members
Fraud risk factors may come to the auditor’s attention while performing procedures relating to acceptance or continuance of clients, during engagement planning or obtaining an understanding of an entity’s internal control, or while conducting fieldwork. Accordingly, the assessment of the risk of material misstatement due to fraud is a cumulative process that includes a consideration of risk factors individually and in combination. As noted earlier, assessment of fraud risk factors is not a simple matter of counting the factors present and converting the result to a level of fraud risk. A few risk factors or even a single risk factor may heighten the risk of fraud significantly.
The auditor should use professional judgment and information obtained when identifying the risks of material misstatement due to fraud. The auditor should consider the following attributes of the risk when identifying risks:
Type (Does the risk involve fraudulent financial reporting or misappropriation of assets?)
Significance (Could the risk lead to a material misstatement of the financial statements?)
Likelihood (How likely is it that the risk would lead to a material misstatement of the financial statements?)
Pervasiveness (Does the risk impact the financial statements as a whole, or does it relate to an assertion, account, or class of transactions?)
Throughout the audit, the auditor should evaluate whether identified fraud risks can be related to certain account balances or classes of transactions and related assertions, or whether they relate to the financial statements as a whole. (AU-C 240.25) Examples of accounts or classes of transactions that might be more susceptible to fraud risk include:
Liabilities from a restructuring because of the subjectivity in estimating them
Revenues for a software developer, because of their complexity
NOTE: The auditor should document the identified fraud risks.
Presumption about Improper Revenue Recognition as a Fraud Risk
Since fraudulent financial reporting often involves improper revenue recognition, the auditor should ordinarily presume that there is a risk of material misstatement due to fraudulent revenue recognition. (AU-C 240.26)
The auditor should document the reasons supporting his or her conclusion when improper revenue recognition is not identified as a fraud risk. (AU-C 240.46)
Consideration of the Risk of Management Override of Controls
The auditor should also recognize that, even when other specific risks of material misstatement are not identified, there is a risk that management can override controls. (AU-C 240.31) The auditor should address this risk, as discussed in the later section on “Addressing the Risk of Management Override.”
Assessing Identified Risks
As part of the understanding of internal control required by Section 319, the auditor should:
1 Evaluate whether the entity’s programs and controls that address identified risks have been appropriately designed and placed in operation. Programs and controls may involve specific controls, such as those designed to prevent theft, or broad programs, such as one that promotes ethical behavior.
2 Consider whether programs and controls mitigate identified risks of material misstatement due to fraud or whether control deficiencies exacerbate risks.
3 Assess identified risks, taking into account the evaluation of programs and controls.
4 Consider this assessment when responding to the identified risks of material misstatement due to fraud.
Responding to the Results of the Assessment
The auditor responds to the assessment of the risk of material misstatement due to fraud by:
Exercising professional skepticism
Evaluating audit evidence
Considering programs and controls to address those risks
Examples of the use of professional skepticism include:
Designing additional or different audit procedures to obtain more reliable evidence
Obtaining additional corroboration of management’s responses or representations
The auditor should respond to the risk of material misstatement in the following ways:
1 Evaluate the overall conduct of the audit.
2 Adjust the nature, timing, and extent of audit procedures performed in response to identified risks.
3 Perform certain procedures to address the risk that management will override controls.
NOTE: The auditor should document a description of the auditor’s response to identified fraud risks.
If the auditor concludes that it is not practical to design audit procedures to sufficiently address the risks of material misstatement due to fraud, the auditor should consider withdrawing from the engagement and communicating the reason to the audit committee.
Judgments about the risk of material misstatements due to fraud may affect the audit in the following ways:
1 Assignment of personnel and supervision. The personnel assigned to the engagement should have the knowledge, skill, and experience necessary to address the auditor’s assessment of the level of risk of the engagement. The extent of supervision should also reflect the level of risk.
2 Accounting principles. The auditor should evaluate management’s selection and application of significant accounting principles, particularly those relating to subjective measurements and complex transactions. The auditor should also consider whether the collective application of the principles indicates a bias that may create a material misstatement.
3 Predictability of audit procedures. The auditor should vary procedures from year to year to create an element of unpredictability. For example, the auditor may perform unannounced procedures or use a different sampling method.
(AU-C 240.29)
Adjusting the Nature, Timing, and Extent of Audit Procedures to Address Risk
The auditor may respond to identified risks by adjusting the nature, timing, and extent of audit procedures performed. Specifically:
The nature of procedures may need to be modified to provide more reliable and persuasive evidence, or to corroborate management’s representations. For example, the auditor may need to rely more on independent sources, physical observation of assets, or computer-assisted audit techniques (CAATs).
The timing of procedures may need to be changed. For example, the auditor may decide to perform more procedures at year-end, rather than relying on tests from an interim date.