Key messages from a webcast by Mario Fazekas are summarised in this two-part article series. Part 1 covers the history of the audit in terms of the responsibilities for the detection and prevention of fraud, the characteristics of fraud and an overview of a sceptical mindset while Part 2 will outline the eight steps that auditors should follow during the audit to add value to the client and enhance the chances of the auditor detecting fraud.
Jeffrey Robinson, an international expert on organised crime and fraud, said that ‘Fraud has become pandemic around the world and if fraud were a disease, political leaders of all our nations would have to declare a global health emergency!’ In a recent webcast presented by Mario Fazekas, a renowned certified fraud examiner, it was noted that the fraud pandemic is only going to get worse with the COVID-19 pandemic. The webcast provided an overview of the auditor’s responsibilities relating to fraud using International Standard on Auditing 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA 240), as the basis.
Responsibility for the prevention and detection of fraud
When we trace the history of auditing, we find that in the early 1900s, fraud detection was one of the primary objectives of the audit. However, this objective became too onerous and from the 1920s, auditors no longer assumed the responsibility to detect fraud. Since then, audit has never reinstated the primary objective of detecting fraud. This may well be a root cause of the expectation gap that has arisen over the years with respect to the auditor’s responsibility to detect fraud. Between 1960 and 1980, audits were performed in accordance with Generally Accepted Auditing Standards (GAAS) where the focus shifted to the risks of material misstatement and the responses thereto, and these requirements remain to this day.
For the auditor to truly add value to the client and enhance the chances of the auditor identifying fraud, the auditor needs to understand the characteristics of fraud and perform the audit with an appropriately sceptical mindset.
Characteristics of fraud
ISA 240 states that misstatements in the financial statements can arise from either fraud or error, with the distinguishing factor being intent.1 Experience has shown that fraud is often overlooked. Auditors may identify an anomaly, for example an error or disparity between different sources of information that may be indicative of fraud, but do not apply the appropriate level of professional scepticism to the facts presented and fail to take the identified anomaly further in looking for evidence of intent. Such evidence may include alterations of documents, concealment or destruction of evidence, obstruction of justice, a pattern of conduct in terms of repetition of certain behaviour, personal gain as evidenced by lifestyle, and false statements.
ISA 240 indicates an auditor conducting an audit in accordance with the ISAs is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.2 This requirement focuses the auditor’s attention on fraud that causes a material misstatement in the financial statements. The response of some auditors to anomalies is that the amounts are not material and are therefore not investigated further. This may well be an area where auditors are going wrong. Owing to the nature of fraud, auditors should be cognisant of qualitative materiality when identifying fraud risk factors and when assessing identified anomalies, rather than purely focusing on quantitative materiality.
The identification of an anomaly in the audit environment can be equated to a visit to the doctor where the doctor identifies an anomaly. Like the auditor, the doctor has certain choices, namely to ignore the identified anomaly or to investigate it further. The doctor may find a minuscule spot of cancer and therefore not to report this to the patient because he or she does not want to cause unnecessary concern, or report the finding to the patient to provide them with the opportunity to take the necessary responsive action.
Fraud is like a cancer and if left, the problem does not go away but rather grows. Experience has shown that perpetrators of fraud start out committing small acts of fraud to test the system, then expand on these fraudulent activities once they realise it has gone undetected and such acts often result in significant financial loss to the entity. To prevent significant financial loss, it is imperative for the anomaly to be nipped in the bub at the early stages of the fraud − in the same way that a doctor would want the cancer to be eliminated before it spreads.
Auditors are therefore encouraged to report all identified errors or fraud risk factors to management regardless of how small they may be, in order to empower management to perform the necessary investigations and take any necessary corrective and/or preventive action.
The Association of Certified Fraud Examiners have identified five main categories of financial statement fraud schemes in their Fraud Tree:
- Timing differences, where the accounting period is kept open longer than it should and revenue ‘stolen’ from other reporting periods
- Fictitious revenue by way of fictitious transactions being created
- Concealed liabilities and expenses
- Improper asset valuation, where the entity records assets at a higher value than the true valuations or reflects more assets than they actually have
- Improper disclosures where for example related party transactions are not disclosed or incomplete disclosure where management hides damaging transactions or events that occurred
The application and other explanatory material of ISA 240 contains an extensive list of risk factors relating to misstatements arising from fraudulent financial reporting that are related to the categories of incentives/pressure, opportunity and attitude/rationalisation that auditors should be alert to when performing an audit.
Sam Antar, former Crazy Eddie CFO, former CPA and convicted felon, said that ‘As a criminal, I feared two things, scepticism and cynicism.’
A sceptical mindset has the following characteristics:
- A questioning mindset, described as a disposition to inquiry with some sense of doubt
- A suspension of (pre-) judgement where the auditor withholds judgement until appropriate evidence is obtained
- A search for knowledge where the auditor has a desire to investigate beyond the obvious with a desire to corroborate audit evidence obtained
- An interpersonal understanding, recognising that people’s motivations and perceptions can lead them to provide biased or misleading information, including lying, cheating and stealing, including by CEOs and CFOs
- The self-esteem and the self-confidence to resist persuasion and to challenge assumptions or conclusions and consult with parties other than management if they are not providing the required information.
- Autonomy, where the auditor has self-direction, moral independence, and conviction to decide for him- or herself rather than accepting the claims of others at face value.
Auditor scepticism starts with a person’s competence, including knowledge and skills. From this comes attitude or mind-set. Auditors must assume neither honesty nor dishonesty of their clients and be neutral in recognising the possibility of material misstatement due to fraud. Based on the competence of the auditor and the auditor’s professional scepticism, the auditor will decide how to act. Experience shows that most auditors have the necessary attributes, in that they have received the necessary training and therefore know what they should do. The attitude or mindset is where auditors are going wrong in that auditors are overly concerned with their clients’ reactions to the auditors’ actions.
Sam Antar also stated: ‘Don’t trust, just verify, verify, verify. The inclination to trust and the presumption of innocence gives the fraudsters the initial benefit of any doubt while they are free to plan and execute their crimes.’ Professional scepticism and cynicism are key for auditors to positively contribute to detecting and therefore combating fraud. To succeed in adding value in identifying fraud, auditors must have a questioning mind and keep on asking questions until they are satisfied that they have the answers.
AUTHOR │ Hayley Barker Hoogwerf, Project Director: Assurance at SAICA
1 ISA 240.2
2 ISA 240.5
4 Mark S Beasley, Joseph V Carcello, Dana R Hermanson and Terry L Neal, An analysis of alleged auditor deficiencies in SEC fraud investigations: 1998–2010, Centre for Audit Quality, May 2013, page 22.