ICAI Seminar – 8 July 2006 • AAS4 Auditors’ Responsibility as regards Fraud & Error
Bookkeeping scandals June 20, 2002 September, 2003 March 28, 2002 October 16, 2001 Issue: Financial Reporting Fraud Impact: $9 billion in unreported expenses Issue: Financial Reporting Fraud and inappropriate consolidation Impact: $ millions in overstated earnings Issue: Financial Reporting Fraud and embezzlement Impact: $2.5 billion of hidden debt Issue: Off-Balance Sheet Accounting and Financial Reporting Fraud Impact: $3 billion in undisclosed losses
What is Fraud? • Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. • Although fraud is a broad legal concept, the auditor is concerned with fraud that causes a material misstatement in the financial statements. Two types of misstatements relevant to the auditor’s consideration of fraud: • Misstatements resulting from fraudulent financial reporting • Misstatements resulting from misappropriation of assets.
Introduction to Fraud Fraudulent Financial Reporting • Misrepresentation in,or intentional omission from, the financial statements of events, transactions, or other significant information • Manipulation, falsification or alteration of records or documents from which financial statements are prepared • Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosures. Misappropriation • Misappropriation of assets – often accompanied by false or misleading records in order to conceal that the assets are missing Examples include: • Embezzling receipts • Stealing physical assets or intellectual property • Recording of transactions without substance
Introduction to Fraud • There are three conditions generally present when fraud occurs. Attitudes/Rationalizations Fraud Triangle Opportunities Incentive/Pressures
Error Unintentional mistakes in financial information such as: • mathematical or clerical mistakes in the underlying records and accounting data; • Incorrect accounting estimate arising from oversight or misinterpretation of facts; or • misapplication of accounting policies.
Distinguishing Factor The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional. Unlike error, fraud is intentional and usually involves deliberate concealment of the facts. While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is difficult, if not impossible, for the auditor to determine intent, particularly in matters involving management judgment, such as accounting estimates and the appropriate application of accounting principles.
Responsibility for Prevention & Detection Management Responsibility • Although AAS4 focuses on the auditor's responsibilities with respect to fraud and error, the primary responsibility for the prevention and detection of fraud and error rests with both those charged with governance and the management of an entity. The respective responsibilities may vary from entity to entity. • The management is responsible for establishing a control environment and maintain policies and procedures by implementing and ensuring continued operation of accounting and internal control systems, which are designed to prevent fraud and error. • Such systems reduce but do not eliminate the risk of misstatements,Accordingly, management assumes responsibility for any remaining risk.
Responsibility for Prevention & Detection AuditorsResponsibility • As regards the auditors’, the standard states that when planningand performing audit procedures and evaluating and reporting the results thereof, the auditor should consider the risk ofmaterialmisstatements in the financial statements resulting fromfraud or error. Inherent Limitations of an audit • An auditor cannot obtain absolute assurance that material misstatements in the financial statements will be detected.The auditor is able to obtain only a reasonable assurance that material misstatements in the financial statements will be detected. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting a material misstatement resulting from error.
Auditors – Tackling Fraud & Error: • Increased Professional Skepticism in their attitude- matters that increase risk of misstatement, circumstances that arouse suspicion, evidences obtained that are contradictory to management assertions or representations. Professional Skepticism is an attitude implying that the auditor makes a critical assessment, with a questioning mind, of the validity of audit evidence obtained and is alert to audit evidence that contradicts or brings into question the reliability of documents or management representations.
Auditors – Tackling Fraud & Error: • While planning an audit, the auditor should discuss with the audit team members the susceptibility of the entity to material misstatements in the financial statements. • While planning an audit, the auditor should make inquiries of management, so as to be able to understand managements assessment of risk and the systems in place to address the risk, to determine whether management is aware of any known or suspected fraud, and to determine whether management has discovered any material errors. This will provide useful information regarding risk of material misstatements resulting from management fraud • Discussions with those charged with governance • Continual assessment of Fraud assessment • Documentation
Risk • Inherent Risk • Control risk • Detection risk When assessing inherent risk and control risk in accordance with AAS 6 (Revised), “Risk Assessments and Internal Control”, the auditor should consider how the financial statements might be materially misstated as a result of fraud or error. In considering the risk of material misstatement resulting from fraud, the auditor should consider whether fraud risk factors are present that indicate the possibility of either fraudulent financial reporting or misappropriation of assets.
Fraud Risk Factors Auditor may identify events or conditions that provide an opportunity, a motive, or a means to commit fraud, or indicate that fraud may have already occurred. Such events or conditions are called fraud risk factors. Accordingly, the auditor exercises professional judgment when considering fraud risk factors individually or in combination and whether there are specific controls that mitigate the risk. The auditor uses professional judgment when assessing the significance and relevance of fraud risk factors and determining the appropriate audit response. The presence of fraud risk factors may indicate that the auditor will be unable to assess control risk at less than high for certain financial statement assertions. On the other hand, the auditor may be able to identify internal controls designed to mitigate those fraud risk factors that the auditor can test to support a control risk assessment below high.
Fraud Risk Factors Some examples of Fraud Risk Factors Relating to Misstatements resulting from Fraudulent Financial Reporting can be grouped into: • Management’s Characteristics and Influence over control environment – compensation, stock options, increasing stock price or earnings trend, management commitments to third parties like creditors or analysts, taxation issues, no ethics policies, domination, non monitoring of controls, failure to correct material weaknesses, aggressive targets, disregard for regulatory matters, high turnover of management personnel, relationship with previous auditor, history of claims against the entity or violations, weak corporate structure • Industry Conditions – new accounting, statutory or regulatory requirements, high degree of competition or market saturation, decline in demand, technological obsolescence • Operating Characteristics and Financial Stability – cash flows generation, pressure to obtain additional capital, assets or liabilities or revenues or expenses based on significant estimates, significant related party transactions, significant number of unduly complex transactions, complex organizational structure, interest rates, dependency on debt
Fraud Risk Factors Examples of Fraud Risk Factors Relating to Misstatements resulting from Misappropriation of assets can be grouped into: • Susceptibility of assets to misappropriation – large amounts of cash on hand, easily convertible assets like bearer bonds, small inventory or fixed assets items of high value • Lack of Controls – poor physical safeguards, lack of appropriate segregation of duties, inadequate record keeping, lack of inadequate management supervision, lack of appropriate system of authorization and approval of transactions
Detection Risk Based on the auditor's assessment of inherent and control risks (including the results of any tests of controls), the auditor should design substantive procedures to reduceto an acceptably low level the risk that misstatements resulting from fraud and error that are material to the financial statements taken as a whole will not be detected. In designing the substantive procedures, the auditor should address the fraud risk factors that the auditor has identified as being present.
Impact AAS 6 (Revised) “Risk Assessments and Internal Control”, explains that the auditor's control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk to an acceptably low level. In some cases, even though fraud risk factors have been identified as being present, the auditor's judgment may be that the audit procedures, including both tests of control, and substantive procedures, already planned, are sufficient to respond to the fraud risk factors. In other circumstances, the auditor may conclude that there is a need to modify the nature, timing and extent of substantive procedures to address fraud risk factors present. In these circumstances, the auditor considers whether the assessment of the risk of material misstatement calls for an overall response, a response that is specific to a particular account balance, class of transactions or assertion, or both types of response. The auditor considers whether changing the nature of audit procedures, rather than the extent of them, may be more effective in responding to identified fraud risk factors.
Procedures when circumstances indicate possible misstatement • To perform procedures to determine whether the financial statements are materially misstated • Use of professional judgment to assess the type of fraud or error and likelihood of its occurrence • Use of professional judgment to assess the likelihood that a particular fraud or error could have a material effect on the financial statements • Consider impact on audit risk and the nature, timing and extent of substantive procedures • Consider the assessment of effectiveness of internal controls if control risk was assessed below high • Assignment of team members and work allocation/ reallocation
Procedures to consider whether an identified misstatement indicates fraud • The auditor should assess whether an identified misstatements may be indicative of fraud- use professional judgment • If there is an indication then the auditor should consider the implications of misstatement in relation to the other aspects of the audit with particular emphasis on management representations.
Evaluation and Disposition of Misstatements and Effect on Audit Report • When the auditor confirms that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud or error, the auditor should consider the implications for the audit. • If a significant fraud has occurred or the fraud is committed by those charged with governance the auditor should consider the necessity for a disclosure in the financial statements. If disclosure is not made then the auditor should consider an appropriate disclosure in his report
Documentation • Auditors should document all fraud risk factors identified as being present and document the auditors response to such factors. If during the performance of the audit, if such factors indicate that additional audit procedures are necessary, the auditor should document these and his response to these factors. • Auditor must document matters which are important in providing evidence to support the audit opinion and the working papers must include the auditors reasoning on all matters which required use of professional judgment.
Management Representations The auditor should obtain written representations that: • it acknowledges its responsibility for the implementation and operation of accounting and internal control systems that are designed to prevent and detect fraud and error; • it believes the effects of those uncorrected financial statement misstatements aggregated by the auditor during the audit are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. A summary of such items should be included in or attached to the written representation; • it has disclosed to the auditorall significant facts relating to any frauds or suspected frauds known to management that may have affected the entity; and • it has disclosed to the auditor the results of its assessment of the risk that the financial statements may be materially misstated as a result of fraud.
Communication When the auditor identifies a misstatement resulting from fraud, or a suspected fraud, or error, the auditor should consider the auditor's responsibility to communicate that information to management, those charged with governance and, in some circumstances, when so required by the laws and regulations, to regulatory and enforcement authorities also. Communication on a timely basis is necessary to initiate action. Determination of the level of management to which the communication should be made is a matter of professional judgment, and factors like nature, magnitude and frequency of misstatement should be considered.
Communication – Error If the auditor has: • identified a material misstatement from error, then the auditor should communicate to the appropriate level of management andconsider the need to report to those charged with governance. Uncorrected misstatements considered immaterial individually or in the aggregate should be informed to those charged with governance of those uncorrected misstatements after taking into consideration materiality limits.
Communication – Fraud If the auditor has: • identified a fraud, whether or not it results in a material misstatement in the financial statements; or • obtained evidence that indicates that fraud may exist (even if the potential effect on the financial statements would not be material); the auditor should communicate these matters to the appropriate level of management on a timely basis, and consider the need to report such matters to those charged with governance.
Communication- Fraud If the auditor has concluded that the misstatements is or may be, arising from fraud and has determined that the effect could either be material or has not been able to evaluate whether the effect is material then he should consider • discuss the matter and the approach for further investigation if required with a level in the management higher than those involved and with the management at the highest level • If appropriate, suggest the management to seek legal opinion
Communication- Material Weaknesses in Internal Control Material Weaknesses identified by • Auditor – the auditor should communicate to management all material weaknesses in internal control related to the prevention and detection of fraud and error and the auditor should be satisfied that those charged by governance have been informed of any weaknesses related to the prevention and detection of fraud (Note: not error) • Management – the auditor should be satisfied that those charged by governance have been informed of any weaknesses related to the prevention and detection of fraud
Communication- Exceptional Circumstances • If the auditor has reason to doubt the integrity or honesty of management or those charged with governance, the auditor should consider seeking legal advice. • If the statutory & regulatory framework requires that the auditor should report adverse or unfavorable remarks, the auditor may consider seeking legal advice. eg. NBFC
Communication Examples: • Questions regarding management competence and integrity • Fraud involving management – communicate with Parent company, BOD, Audit Committee • Other frauds resulting in material misstatement – CFO, Audit committee • Material Misstatements resulting from an error- CFO or audit coordinator. Further consider the need to inform those charged with governance. Uncorrected misstatements considered immaterial individually or in the aggregate should be informed after taking into consideration materiality limits. • Misstatements indicating material weaknesses in internal controls including design or operation of the financial reporting – Management letter, CFO, Audit committee or parent company • Misstatements that may cause future financial statements to be materially misstated – Audit committee, CFO
Non Continuance If the auditor concludes : that it is not possible to continue performing the audit as a result of a misstatement resulting from fraud or suspected fraud, the auditor should • consider the professional or legal responsibilities applicable in the circumstances • consider the possibility of withdrawing from the engagement If the auditor withdraws: • Discuss the same with appropriate level of management and those charged with governance, and the reasons for the withdrawal • Consider if there is a professional or legal requirement to report • When contacted, inform the incoming auditor of the professional reasons why the appointment should not be accepted. Only facts should be communicated to the incoming auditor and not the auditors conclusions.
Non Continuance Such an event may be triggered by such circumstances: • Entity does not take remedial action regarding fraud • Auditors consideration of the risk of material misstatement resulting from fraud and the results of audit tests indicate a significant risk of material or pervasive fraud; or • Auditor has significant concern about the integrity or competence of the management or those charged with governance
Fraud Risk Assessment Identify & Capture Fraud Risk Factors • Consider Available Information: • External - news, analyst reports, significant developments, litigation) • Inquiries • Preliminary analytical review • Engagement team discussions • Fraud Risks: • Industry-specific • Revenue recognition • Management override • Company-specific fraud schemes Evaluate Fraud Risk Factors & Identify Fraud Risks • Execute Plan: • Test mitigating controls • Test journal entries and estimates • Perform substantive procedures • Evaluate evidence Design & Execute Tests of Controls & Substantive Procedures