Many CPAs still hold the view that there is no responsibility for an auditor to detect fraud. This is simply not the case and audit standards have only increased the auditor’s responsibilities relating to fraud over the years. The Canadian Auditing Standards (CAS) that became effective back in 2010 have an entire section devoted to the auditor’s responsibilities relating to fraud in an audit of financial statements. CAS 240 includes and provides guidance on how fraud is to be considered throughout the audit process.
The CASs require an auditor to maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor's past experience of the honesty and integrity of the entity's management and those charged with governance. Furthermore, if conditions identified during the audit cause the auditor to believe that a document may not be authentic or that terms in a document have been modified but not disclosed to the auditor, the auditor shall investigate further. Additionally, where responses to inquiries of management or those charged with governance are inconsistent, the auditor shall investigate the inconsistencies.
Planning and Risk Assessment
CAS 240 provides detailed guidance on how fraud should be considered at the planning and risk assessment stages of an audit. At a high level the standard requires that fraud be considered during the following:
- During the planning discussions amoung the engagement team which is often referred to as the team planning meeting;
- When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity’s internal control; and
- While identifying and assessing the risk of material misstatement the auditor is also required to identify and assess those risk of material misstatement due to fraud and both the financial statement level and at the assertion level for classes of transactions, accounting balances and disclosures.
CAS 240 Appendix 1 also provides a list of examples of fraud risk factors relating to misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.
Responses to the Assessed Risks of Material Misstatement Due to Fraud
As fraud must be considered at the planning and risk assessment stages of an audit it must also be included in the auditor’s responses at both the financial statement and assertion levels. CAS 240.29 and CAS 240.A33 provides guidance on the auditor’s overall response to fraud:
In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor shall:
- Assign and supervise personnel taking account of the knowledge, skill and ability of the individuals to be given significant engagement responsibilities and the auditor's assessment of the risks of material misstatement due to fraud for the engagement;
- Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management's effort to manage earnings; and
- Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.
Determining overall responses to address the assessed risks of material misstatement due to fraud generally includes the consideration of how the overall conduct of the audit can reflect increased professional skepticism, for example, through:
- Increased sensitivity in the selection of the nature and extent of documentation to be examined in support of material transactions.
- Increased recognition of the need to corroborate management explanations or representations concerning material matters.
CAS 240.A37-A39 provide the following guidance with respect to determining audit procedures responsive to assessed risks of material misstatement due to fraud at the assertion level:
The auditor's responses to address the assessed risks of material misstatement due to fraud at the assertion level may include changing the nature, timing and extent of audit procedures in the following ways:
- The nature of audit procedures to be performed may need to be changed to obtain audit evidence that is more reliable and relevant or to obtain additional corroborative information. This may affect both the type of audit procedures to be performed and their combination. For example:
- Physical observation or inspection of certain assets may become more important or the auditor may choose to use computer-assisted audit techniques to gather more evidence about data contained in significant accounts or electronic transaction files.
- The auditor may design procedures to obtain additional corroborative information. For example, if the auditor identifies that management is under pressure to meet earnings expectations, there may be a related risk that management is inflating sales by entering into sales agreements that include terms that preclude revenue recognition or by invoicing sales before delivery. In these circumstances, the auditor may, for example, design external confirmations not only to confirm outstanding amounts, but also to confirm the details of the sales agreements, including date, any rights of return and delivery terms. In addition, the auditor might find it effective to supplement such external confirmations with inquiries of non-financial personnel in the entity regarding any changes in sales agreements and delivery terms.
- The timing of substantive procedures may need to be modified. The auditor may conclude that performing substantive testing at or near the period end better addresses an assessed risk of material misstatement due to fraud. The auditor may conclude that, given the assessed risks of intentional misstatement or manipulation, audit procedures to extend audit conclusions from an interim date to the period end would not be effective. In contrast, because an intentional misstatement — for example, a misstatement involving improper revenue recognition — may have been initiated in an interim period, the auditor may elect to apply substantive procedures to transactions occurring earlier in or throughout the reporting period.
- The extent of the procedures applied reflects the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate. Also, computer-assisted audit techniques may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.
If the auditor identifies a risk of material misstatement due to fraud that affects inventory quantities, examining the entity's inventory records may help to identify locations or items that require specific attention during or after the physical inventory count. Such a review may lead to a decision to observe inventory counts at certain locations on an unannounced basis or to conduct inventory counts at all locations on the same date.
The auditor may identify a risk of material misstatement due to fraud affecting a number of accounts and assertions. These may include asset valuation, estimates relating to specific transactions (such as acquisitions, restructurings, or disposals of a segment of the business), and other significant accrued liabilities (such as pension and other post-employment benefit obligations, or environmental remediation liabilities). The risk may also relate to significant changes in assumptions relating to recurring estimates. Information gathered through obtaining an understanding of the entity and its environment may assist the auditor in evaluating the reasonableness of such management estimates and underlying judgments and assumptions. A retrospective review of similar management judgments and assumptions applied in prior periods may also provide insight about the reasonableness of judgments and assumptions supporting management estimates.
CAS 240 Appendix 2 provides a list of examples of possible audit procedures to address the assessed risks of material misstatement at the assertion level as well as specific responses to misstatements resulting from fraudulent financial reporting and misstatements due to misappropriation of assets.
Evaluation of Audit Evidence
The auditor is required, based on the audit procedures performed and the audit evidence obtained, to evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate. This evaluation is primarily a qualitative matter based on the auditor's judgment. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. CAS 240 Appendix 3 contains examples of circumstances that may indicate the possibility of fraud.