Mario Fazekas, a certified forensic auditor, presented a webcast¹ in which he provided an overview of the auditor’s responsibilities relating to fraud using ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA 240), as the outline. The key messages from the webcast are summarised in a two-part article series. Part 1² covered the history of the audit in terms of the responsibilities for the detection and prevention of fraud, the characteristics of fraud and an overview of a sceptical mindset, while Part 2 outlines the eight steps that auditors should follow during the audit to add value to the client and enhance the chances of the auditor detecting fraud.
The eight steps
To truly add value to the client and enhance the chances of the auditor identifying fraud, eight recommended steps that the auditor should follow during the performance of the audit have been identified. These are outlined below.
1. Discussion among the engagement team
The audit team must hold discussions or brainstorming sessions among themselves on the entity being audited. Questions to consider include the nature and state of the entity in the previous year and what has changed in the current year; the nature and state of competitors in the industry and what the expectation is in terms of the state and performance of the entity in the current year; and the general state of the economy. If the state and/or performance of the entity is different from the expectation, it is important for the auditor to be sceptical in investigating the deviation from the expectation. For example, when the economy is going through a recession yet the entity continues to generate income and grow cash, the auditor should not accept this at face value but rather question how the entity is managing to achieve this.
During the team discussion, members of the engagement team should be reminded that they will often be dealing with management, who have the ability to override any control in the business.
2. Risk assessment procedures and related activities
Here, the auditor needs to make inquiries of management as well as others about fraud and the entity’s response to the identified fraud risks. The auditor should draw on self-confidence in having the courage to ask the difficult questions that may make the client feel uncomfortable. These questions should include whether management or others interviewed have seen any unethical behaviour and what the interviewee’s response would be in such a case. Questions of this nature will provide the auditor with a feel for the culture of ethics in the business.
3. Identifying risks
Here, the auditor would look at the fraud triangle as set out in appendix 1 of ISA 240. The auditor should also consider the fraud exposure rectangle. This rectangle suggests that in identifying risks, the auditor should not focus on just the debits and credits, because management will ensure that the debits and credits balance. Rather the auditor should be focusing on the changes and non-financial measures to identify discrepancies between the entity’s financial and non-financial performance.
The four aspects of the fraud exposure rectangle are the following:
Management and the directors, where the auditor should analyse the people and their behaviour. It is fundamental that the auditor assess the integrity of the client, because this will ultimately determine whether the auditor is neutral in the application of professional scepticism or carrying out the necessary procedures to appropriately investigate an anomaly.
The company’s relationship with other entities, where the auditor should be alert to related-party transactions.
The organisation and its industry, where the auditor compares the entity to the industry and the competitors to assess their performance in comparison.
Financial results and operating characteristics.
Auditors often question where the aspects of the fraud exposure rectangle can be found in the International Standards on Auditing (ISAs). They are mapped to the ISAs as follows:
International Standard on Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements (ISQC 1), requires the auditor to consider the integrity of the client (26(c)), including the identity and business reputation of the client’s principal owners, key management and those charged with governance, and the attitude of the client’s principal owners and key management towards such matters as an aggressive interpretation of accounting standards and the internal control environment (A19).
Factors listed in the application and other explanatory material of ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315 (Revised)), indicate that relevant industry factors include supplier and customer relations (A25).
ISA 315 (Revised) requires the auditor to obtain an understanding of relevant industry factors (11(a)) and an example of such factors listed in the application and other explanatory material includes the general economic conditions (A30).
ISA 315 (Revised) further requires the auditor to obtain an understanding of the entity, including its operations (11(b)).
4. Assessing risks
In assessing the identified risks, the auditor should apply professional judgement in assessing the entity’s programmes and internal controls.
In terms of the best-practice fraud prevention framework for organisations, the following ten building blocks have been identified around which the auditor should be focusing their questions, procedures or other matters for consideration:³
5. Responding to risks
Depending on the results of the information gathering activities and the subsequent identification and assessment of risks of material misstatement, the auditor must determine the overall audit strategy and consider how this impacts the nature, timing and extent of the audit procedures. The audit plan is just that, only a plan, that can be changed as new information comes to light.
6. Evaluating evidence
The auditor should consider whether the results of the procedures provide evidence of fraud. It is interesting to note that in order to prove fraud in a court of law, five things need to be present, namely prejudice, an unlawful act, misrepresentation, causality and criminal intent.
If misrepresentation is missing, this is considered to be theft and if intent is missing, this is considered an error.
6.1 Triangulating of audit evidence
The process of triangulating audit evidence⁶ starts with the auditor questioning management and, in responding, management may show the auditor the accounting records. The auditor then moves on to a second information source, namely management information intermediaries, which include the Information Technology department (IT), Human Resources department (HR), Procurement, etc., to confirm the information obtained from management. The auditor must bear in mind that management control these functions and could therefore still influence these people. To complete the triangulation of audit evidence and overcome management’s ability to influence others and override controls, the auditor should take the information-gathering process to the third, external source, namely entity business states (EBS), which comprise customers, suppliers, regulators, alliance partners, and capital markets or competitors, and start building up the picture of evidence. (It is important to note that these three sources of evidence are not substitutes but rather complement each other.)
In applying the principle of triangulation of audit evidence to the audit process, and the auditor’s responsibility to obtain reasonable assurance, management representation does not get the auditor anywhere near obtaining the reasonable assurance that is required to form an opinion. The first source of information that the auditor receives is from management, but the auditor then confirms this information with the information intermediaries, which adds credibility to the information provided by management. In further enhancing the credibility of information received from management and moving closer towards obtaining reasonable assurance, the auditor moves on to the external EBS sources. If the information confirms what management and the information intermediaries have indicated, the auditor has most likely obtained sufficient appropriate audit evidence and hence reasonable assurance on which to base his/her audit opinion.
7. Communicating
Whenever evidence of fraud is found, it should be brought to the attention of the appropriate level of management, even if the matter is inconsequential. Management are then aware of the findings and it is up to them to investigate the findings further and determine whether any preventive and/or corrective action is required. Should this finding result in a significant act of fraud later, management will be solely responsible for the consequences of their inaction.
8. Documenting
It is critical for the auditor to document the findings. The documentation should include evidence of conversations held, observations made and identified findings to enable the auditor to recall significant points noted. This may include copies of documents and photographs of observations where considered necessary.
South African guidance
The Independent Regulatory Board for Auditors (IRBA) recently issued the IRBA Staff Audit Practice Alert 4, A South African Perspective in the Auditor’s Considerations Relating to Fraud, which serves to provide auditors with implementation guidance in responding to the risks of material misstatements due to fraud and/or non-compliance with laws and regulations. Furthermore, the IRBA has developed a dedicated IRBA Fraud web page that contains a list of links to relevant audit-related guidance on fraud that have been developed internationally and locally.
In concluding
Since auditors play an important role in combating fraud, auditors are encouraged to familiarise themselves with the content of the IRBA staff audit practice alert and consider implementing the guidance provided as well as the eight steps outlined above in performing an audit.
Notes
1 https://livestream.com/saica/maytechtalk1/videos/206346230.
2 Accountancy SA, August issue.
3 Based on the Association of Certified Fraud Examiners fraud prevention check-up.
4 KPMG report Global profiles of the fraudster: technology enables and weak controls fuel the fraud published in 2016: https://home.kpmg/xx/en/home/insights/2016/05/global-profiles-of-the-fraudster.html.
5 https://teris.com/key-differences-between-ediscovery-and-digital-forensics/.
6 Professor Mark E Peecher PhD, CPA, Auditing II: The Practice of Auditing, University of Illinois.
AUTHOR | Hayley Barker Hoogwerf CA(SA), Project Director: Assurance at SAICA