- 1. Chapter 8 Auditing for Fraud
2. Fraud & Auditor Responsibilities: Historical
Evolution
- "The detection of material fraud is a reasonable expectation of
users of audited financial statements. Society needs and expects
assurance that financial information has not been material
misstated because of fraud. Unless an independent audit can provide
this assurance, it has little if any value to society"
- This statement by the Public Companies Accounting Oversight
Board represents a dramatic change in auditors' responsibility for
detecting fraudulent financial reporting
- Previously, AICPA auditing standards required auditors to plan
and perform an audit to provide reasonable assurance of detecting
material misstatements, including those caused by fraud
- Today, the message is clear: auditors must assume greater
responsibility for detecting fraud
3. Comment on the Magnitude of Fraud
- According to a 2002 study by the Association of Certified Fraud
Examiners (ACFE)--
- Six percent of revenues will be lost as a result of fraud
- Estimated at losses of $600 Billion per year
- These estimates cover all types of fraud, but do not include
the losses investors incurred on major financial reporting frauds
such as Enron or WorldCom
4. Define Fraud
- Intentional concealment or misrepresentation of material facts
in order to deceive
- Differentiated from errors by the intent to deceive
- Traditionally defined into broad categories:
- Fraudulent financial reporting
5. What is defalcation?
- Employee takes assets from the organization for personal
gain
- Examples: theft, embezzlement
- ACFE divides into frauds due to
-
- Fraudsters use their influence in a transaction to gain
personalbenefit
-
- Examples: kickbacks, conflict of interest, bribery, economic
extortion
-
- Theft or misuse of organization's assets
-
- Common schemes: skimming revenues, cash schemes,
fraudulentdisbursement, inventory theft, payroll fraud
- Defalcation may create misleading financial statements if
stolen assets are reported on the statements
6. Define Fraudulent Financial Reporting
- Intentional manipulation of financial statements
- Typically committed by management
- Has opportunity to override internal controls
- Often evaluated and compensated based on financial results
- Manipulation, falsification, or alteration of accounting
records or supporting documents
- Misrepresentation or omission of events, transactions, or
significant information
- Intentional misapplication of accounting principles
- The most common types are
- Overstate assets and understate expenses
- Overstate revenues and assets
7. Review Lessons Learned From Fraud Cases
- Auditors take risk whenever they do not audit the entire
company
- Auditors need to look at economic assumptions underlying a
companys growth
- Auditors need to assess risk factors and when the risk of fraud
is high, they must demand stronger evidence
- Computer errors should be viewed as a risk factor
- Dominant clients can be a problem
- Auditors need to know what motivates management
- Auditors should not assume all people are honest
- When fraud risk indicators are discovered, they must be
thoroughly investigated
8. Discuss the Second COSO Report
- Report of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) identified major characteristics of
companies that had perpetrated fraud:
- Involved smaller companies - under $200 million in
revenues
- Board of directors dominated by management
- Audit committees non-existent or inactive
- Overstated revenues and corresponding assets in over half the
frauds
- Most revenue frauds involved premature recognition or
fictitious revenues
9.
- No internal audit department
- Perpetrated over relatively long-terms (average period 2
years)
- Companies were in loss situations or near break-even prior to
the fraud
- CEO and /or CFO involved in 83% of the cases
- Auditors realized there are signs that fraud might be taking
place and that auditors would have to identify and investigate
these signs
Discuss the Second COSO Report(Continued) 10. Review Auditing
Standards on Fraud
- SAS 99, "Fraud Detection in a Financial Statement Audit" issued
in 2002
- Requires auditors to search for risk factors related to
fraud
- If these risk factors are present, auditor needs to modify
audit to
-
- Actively search for fraud
-
- Require more substantive audit evidence
-
- In some cases, assign forensic (fraud) auditors to the
engagement
- Emphasizes the need for professional skepticism
11. Review a Proactive Approach to Fraud Detection - Planning
the Audit
- The audit must be planned to detect material misstatements -
whether the misstatements are due to errors or fraud
- Understand how changes in the economy might affect the
business
- Understand management's motivations for committing a fraud
- Identify opportunities for other employees to commit
defalcation
- Analyze changes in company's financial results for
reasonableness
- Identify areas that might suggest fraud
12. Discuss Proactive Approach to Fraud Detection - Conducting
the Audit
- Overview of the process to integrate fraud risk assessment and
fraud procedures into the audit includes ten major steps:
- Understand the nature of fraud, motivations to commit fraud,
and how fraud may be committed
- Develop and implement an approach based on professional
skepticism
- Brainstorm and share knowledge within the audit team
- Obtain information useful in identifying and assessing fraud
risk
- Identify specific fraud risks and areas likely to be affected
by fraud
13.
- Evaluate the quality and effectiveness of company controls in
mitigating the risk of fraud
- Adjust audit procedures to address the risk of fraud and gather
evidencespecifically related to the possibility of fraud
- Evaluate findings; if evidence signals fraud might exist,
consider whether specialists are needed for the audit team
- Communicate possibility of fraud to management and audit
committee
- Document all steps related to fraud
Discuss Proactive Approach to Fraud Detection - Conducting the
Audit 14. What are the motivations to commit fraud?
- Research consistently shows three factors associated with
fraud
- These factors are referred to as the fraud triangle
- Incentives or pressures to commit fraud
- Opportunities to commit fraud
- Rationalization of the fraud as acceptable
15. Review Motivations to Commit Fraud Incentives or
Pressures
- The pressures to commit fraud include:
- Management compensation schemes
- Personal wealth ties to financial results or survival of the
company
- Other financial pressures to improve earnings or the balance
sheet
-
- Example: to avoid violating debt covenant
- Personal factors, including personal financial needs
16. Discuss Motivations to Commit Fraud Opportunities
- Warning signs indicating opportunities for fraud:
- Weak or non-existent internal controls
- Complex or unstable organizational structure
- Ineffective monitoring of management, either because board of
directors is not effective, or management is dominant
- Significant accounting estimates made by management
- Significant related party transactions
- Industry dominance, including ability to dictate terms to
suppliers or customers
- Simple transactions made complex through disjointed recording
process
- Complex or difficult to understand transactions
17. Comment on Motivations to Commit Fraud Rationalizations
- The nature of fraud rationalization often differs depending on
the type of fraud
- For defalcations, rationalizations often revolve around
personal issues:
- Personal financial problems
- Mistreatment by the company
- For fraudulent financial reporting, the rationalizations may
involve personal or organizational issues:
- Compensation based on financial results (personal)
- Necessary for organization to survive
18. What is the purpose of audit team brainstorming?
- SAS 99 requires members of the audit team to discuss the risk
of material misstatement due to fraud
- This brainstorming is designed to:
- Allow experienced auditors to educate less experienced
auditors
- Set the proper level of professional skepticism for the
audit
- Topics covered during the brainstorming should include:
- Consider how fraud can be perpetrated and concealed
- Presume fraud in revenue recognition
- Consider incentives, opportunities, and rationalization for
fraud
- Consider industry conditions
- Consider operating characteristics and financial stability
19. Audit Procedures
- When there is a possibility of fraud, the auditor should
consider that evidence might not be what it seems
- SAS 99 suggests the auditor consider the following:
- Greater susceptibility of evidence manipulation
- Greater skepticism of management responses
- Journal entries are important
- New technology provides new ways to commit fraud
- Recognition that collusion may be likely
- Predictability of audit procedures
- Analytical procedures should tie to operational or industry
data
20. Obtaining Information about Fraud Risk
- The auditor should specify procedures that could signal the
possibility of fraud including
- Making inquires of management and others to obtain their views
about the risk and fraud and controls set up to address those
risks
- Perform analytical procedures and consider any unusual
relationships
- Review risk factors identified earlier (pressure, opportunity,
rationalization)
- Review management responses to recommendations for control
improvements and internal audit reports
21. What are some analytical indicators of fraud risk?
- Some of the key analytical factors the auditor should develop
include:
- Large revenue increase at the end of the period
- Sales increasing faster than industry sales which don't seem
justified
- Unusually large increase in gross margin
- Large number of sales returns after year-end
- Increase in number of day's sales in receivables
- Increase in number of day's sales in inventory
- Significant increase in debt/equity ratio
- Cash flow or liquidity problems
- Significant changes in non-financial performance measures
22. Identifying Risks of Fraud
- The auditor should examine each of the fraud risk conditions -
pressure, opportunity, rationalization
- During this examination, the auditor should consider
- The type of fraud that might occur
- The potential significance of the fraud in both quantitative
and qualitative terms
- The likelihood of fraud occurring
- The pervasiveness of the risk that fraud might occur
- SAS 99 requires the auditor presume there are risks with
revenue recognition and management override of internal
controls
23. Relate Internal Control and Fraud Risk
- Internal control weaknesses are a strong indicator of fraud
risk
- The auditor will examine a variety of control areas
including:
- Management control and influence
- Related party transactions
24. Developing a Revised Audit Plan
- Auditor should develop hypotheses about how fraud could be
committed and concealed
- The audit team should then develop and implement audit
procedures that are directly responsive to the fraud risks
- Depending on the hypothesized fraud risks the auditor may
change the
- Audit procedures in order to gather additional corroborative
and/or direct evidence
- Timing of audit procedures
- Staffing of the engagement to include more experience auditors
or specialists
25.
- Extent of audit procedures; examples include:
-
- Performing procedures on a surprise or unannounced basis
-
- Requiring inventories be counted and observed at year-end
(instead of at an interim date)
-
- Making oral inquiries of major customers and suppliers
-
- Performing analytics using disaggregated data
-
- Examining details of major sales contracts
-
- Examining financial viability of customers
-
- Examining, in detail, reciprocal or similar transactions
between two entities
-
- Detailed examination of journal entries, particularly those at
year-end
Developing a Revised Audit Plan(Continued) 26. Discuss
Evaluating Audit Evidence
- The auditor's skepticism should be heightened whenever
- There are discrepancies in the accounting records
- The auditor finds conflicting or missing evidential matter
- The relationship with management is strained
- There are significant or unusual transactions around
year-end
27. Review Communicating the Existence of Fraud
- Fraud should be communicated to a level at which effective
action can be taken
- The auditor must communicate the existence of fraud to
management, the Board, and the audit committee
- If fraud involves top management, the auditor must assess the
actions taken by the Board
- If sufficient actions are not taken, the auditor must consider
the control environment and the possible need to resign the
engagement
28.
- The auditor must determine that the financial statements have
been corrected and the fraud adequately disclosed
- If the statements are not corrected, the auditor should issue a
qualified or adverse opinion
- In some cases, the auditor may be required to report the fraud
to outside parties, such as to meet regulatory requirements
- For public companies, material fraud reflects a weakness in
internal controls and may need be reported
Review Communicating the Existence of Fraud 29. Comment on Audit
Documentation
- The audit team should document the full extent of the process
described
- That documentation should include:
- Discussion among audit team members including the assessment of
fraud risk and how such frauds might take place
- Discussion of the factors that affected the risk
assessment
- Audit procedures performed
- Need for corroborating evidence
- Evaluation of audit evidence and communication to required
parties
30. Discuss Characteristics of Financial Reporting Frauds
- Historically, there are patterns in financial reporting
frauds:
- Complex revenue recognition schemes
- Incorrect billings to the government
- Holding the books open (accelerated revenue recognition)
- The implications for audit procedures is clear:
- The auditor must understand complex transactions to determine
their economic substance
- The auditor cannot be pressured to complete the audit early;
there must be sufficient time to examine year-end transactions
- The auditor must use necessary procedures to gather sufficient
reliable evidence including
31. What are the characteristics of defalcations?
- ACFE reports 90% of defalcations involve thefts of cash;
remaining 10% were thefts of inventory and other assets
- Cash misappropriation schemes include:
- Larceny: stealing cash after it has been recorded on the
books
- Skimming: stealing cash before it is recorded on the books
-
- Most common: 70% of defalcation schemes
-
- Billing: set up false vendors and pay for fictitious goods
-
- Payroll: add fictitious employees to payroll
-
- Expense reimbursement: submit overstated reimbursement
requests
-
- Check tampering: alter check, e.g. change payee or amount
32. Audit Procedures & Evidence Considerations
- The procedures used by the auditor should reflect the internal
control weaknesses and fraud risk indicators found with the
client
- Linking Audit Procedures to Control Deficiencies
- Audit procedures used are based on specific control
deficiencies
- Linkage process from control deficiencies to audit
procedures:
-
- What errors or fraud could occur because of the control
deficiencies
-
- What account balances would be affected and how
-
- What audit procedures would provide evidence on whether the
account balance is misstated
-
- Do the audit procedures provide objective evidence independent
of the parties who have access to the assets
- Examples listed in Exhibit 8.11
33. Review Linking Audit Procedures to Fraud Risk Indicators
- As with control deficiencies, audit procedures will depend on
the fraud risk indicators and auditor's preliminary analytical
review of account balances
- Existence of fraud risk indicators should cause the auditor
to
- Expand audit testing to more detailed sampling
- Place more emphasis on independent outside evidence
- Perform more procedures at year-end (instead of interim
testing)
- Examples listed in Exhibits 8.12 and 8.13
34. Discuss Using Computers to Analyze the Possibility of
Fraud
- Audit software can read a file and perform a number of
procedures to analyze the possibility of fraud:
- Test mechanical accuracy: footing, mathematical extensions, and
logical relationships
- Search for duplicate entries
- Analyze unusual patterns in data
- Analysis of logical relationships among data sets
- Identify unusual sources of entries to an account
35. Responsibilities for Detecting and Reporting Illegal
Acts
- Illegal acts are violations of laws or governmental
regulations...by management or employees acting on behalf of the
entity (AU 317.02)
- Illegal acts often have a direct impact on financial
statements
- Audit must be designed to identify illegal acts that have a
direct, material effect on the financial statements; audit
procedures include:
- Reading corporate minutes
- Inquiries of management and legal counsel
36.
- Tests of details to support transactions or account
balances
-
- Large payments to consultants or employees for unspecified
services
-
- Excessively large sales commissions
-
- Unexplained governmental payments
-
- Unauthorized or unnecessarily complex transactions
- If illegal acts are discovered, the auditor should
- Consult with the client's legal counsel
- Report the acts to management and the audit committee
- Make the financial statements present fairly including proper
disclosure
Responsibilities for Detecting and Reporting Illegal
Acts(continued) 37. Define Forensic Accounting
- Forensic accounting is an extension of auditing, but with a
number of differences:
- Detailed investigation where fraud has been identified or is
suspected
- Focuses on identifying perpetrators and getting a
confession
- Builds support for legal action against the perpetrator
- May provide litigation support such as expert testimony
- Extensive use of interviews
- 100% examination of fraud-related documents
- Reconstruction of account balances
- Broader scope than auditing