By Charles Hall | Auditing , Fraud
Auditing for fraud is important, but some auditors ignore this duty.
So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.
Here’s an overview of this article:
- Auditor’s responsibility for detecting fraud
- Turning a blind eye to fraud
- Signs of auditor disregard for fraud
- Incentives for fraud
- Discovering fraud opportunities
- Inquiries required by audit standards
- The accounting story and big bad wolves
- Documenting control weaknesses
- Brainstorming and planning your response to fraud risk
Auditor’s Responsibility for Detecting Fraud – AU-C 240
I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.
Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.
Even so, auditors should not turn a blind eye to fraud.
Turning a Blind Eye to Fraud
Why do auditors not detect fraud?
Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.
Signs of Auditor Disregard for Fraud
A disregard for fraud appears in the following ways:
- Asking just one or two questions about fraud
- Limiting our inquiries to as few people as possible (maybe even just one)
- Discounting the potential effects of fraud (after known theft occurs)
- Not performing walkthroughs
- We don’t conduct brainstorming sessions and window-dress related documentation
- Our files reflect no responses to brainstorming and risk assessment procedures
- Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
- The audit program doesn’t change though control weaknesses are noted
In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.
So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.
Incentives for Fraud
The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).
Fraud comes in two flavors:
- Cooking the books (intentionally altering numbers)
Cooking the Books
Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.
If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls.
Discovering Fraud Opportunities
My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.”
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:
- What can go wrong?
- Will existing control weakness allow material misstatements?
In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.
Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.
Inquiries Required by Audit Standards
Audit Standards (AU-C 240) state that we should inquire of management regarding:
- Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
- Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
- Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
- Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
- The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
- For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures
Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?
- Management develops control systems to lessen the risk of fraud.
- Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.
So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.
The Accounting Story and Big Bad Wolves
Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.
The purpose of writing the storyline is to identify any “big, bad wolves.”
The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.
So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.
But what if control weaknesses are noted?
Documenting Control Weaknesses
I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
Brainstorming and Planning Your Responses
Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.
The risk assessment procedures provide the fodder for the brainstorming session.
Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative.
In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.
What we discover in risk assessment informs the audit plan. In other words, it has bearing on what we do in the days ahead, in the substantive procedures we perform.
The Auditor’s Responsibility for Detecting Fraud – AU-C 240
In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”
Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:
The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:
Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.
The Why and How of Auditing: A Blog Series About Basics
Have you been following my series of posts: The Why and How of Auditing? If not, you may want to review the prior posts:
Also, subscribe to my blog to receive future installments in this series (I have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. Join now.
See my book The Why and How of Auditing on Amazon.