IN PRACTICE
The Auditor’s Responsibilities Relating to Fraud by Phyllis Willoughby
The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
by Phyllis Willoughby
Auditing is subject to continual change and when a standard is updated it has a ripple effect on many other audit processes such as planning, execution, completion and reporting stages of the audit. ISA (Ireland) 240 was updated in October 2022 and is effective for audits of financial statements for periods commencing on or after 15 December 2021, with early adoption permitted.
Two people looking at notepad
This article will provide an update on the most recent changes and current issues affecting the auditor’s responsibility relating to fraud in an audit of financial statements and how to apply practical steps for such changes within planning and execution of audits, particularly for accounting year ends 31 December 2022.

ISA 240 defines fraud as follows:

Fraud – An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Characteristics of Fraud
Misstatements in the financial statements can arise from either fraud or error. The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional and involves deception or is unintentional. Two types of intentional misstatements are relevant to the auditor – misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets.
Responsibility for the prevention and detection of Fraud
The primary responsibility for the prevention and detection of fraud rests with management and those charged with governance. Those charged with governance and management should place a strong emphasis on fraud prevention through creating a culture of honesty and enforcing strong ethical behaviors.
Responsibilities of the Auditor
The auditor is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.

The risk of not detecting a material misstatement resulting from fraud may be higher than the risk of not detecting one resulting from error. This is where fraud may have involved sophisticated and carefully organized schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made by the auditor. Such attempts at concealment may be even more difficult to detect when accompanied by collusion. Collusion may cause the auditor to believe that audit evidence is persuasive when it is, in fact, false. The auditor’s ability to detect a fraud is affected by factors such as the skillfulness of the perpetrator, the frequency and extent of manipulation, the degree of collusion involved, the relative size of individual amounts manipulated, and the seniority of those individuals involved. While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it may be difficult for the auditor to determine whether misstatements in judgment areas such as accounting estimates are caused by fraud or error.

What’s changed for auditors?
The recent revisions to ISA 240 have resulted in the following changes:
  1. Greater focus on Professional skepticism
The auditor shall maintain professional skepticism throughout the audit recognizing the possibility that a material misstatement due to fraud could exist.
  1. Further Investigation
The auditor shall remain alert for conditions that indicate a record or document may not be authentic. The auditor is required to consider the reliability of information to be used as audit evidence. When the auditor identifies conditions that cause the auditor to believe that a document may not be authentic or that terms in a document have been modified but not disclosed to the auditor possible procedures to investigate further include:
  1. Increased discussions with audit team
The discussion shall include an exchange of ideas among engagement team members about fraud risk factors, including incentives for management or others within the entity to commit fraud, how management could perpetrate and conceal fraudulent financial reporting, and now assets of the entity could be misappropriated.
  1. Specialized skills
The auditor shall determine whether the engagement team requires specialized skills or knowledge to perform the risk assessment procedures, to identify and assess the risks of material misstatement due to fraud, to design and perform audit procedures to respond to those risks or to evaluate the audit evidence obtained.

The auditor may consider it appropriate to use the specialist skills of a forensic accountant when investigating a misstatement due to fraud or suspected fraud.

  1. Documentation of information that is inconsistent
If the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a significant matter, the auditor shall document how the auditor addressed the inconsistency.
  1. Fraud risk factors
Fraud risk factors may not necessarily indicate the existence of fraud however they have often been present in circumstances where frauds have occurred and therefore may indicate risks of material misstatement due to fraud.

Fraud risk factors may relate to incentives, pressures or opportunities that arise from conditions that create susceptibility to misstatement before consideration of controls.

Extend fraud risk to requirements per ISA (Ireland) 550 (Related Parties)

  1. Inquiries of others within the entity
Making inquiries of others within the entity may provide individuals with an opportunity to convey information to the auditor that may not otherwise be communicated via management.

Examples include:

  • Employees with different levels of authority
  • Employees involved in initiating, processing or recording high volumes of payments and settlements and those who supervise or monitor such employees.
  • Employees responsible for the maintenance of IT systems or monitoring system logs for unusual or unauthorized activity.
Risk Assessment Procedures
When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, the appliable financial reporting framework and the entity’s system of internal control, required by ISA (Ireland) 315 the auditor shall make inquires of management and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. The auditor shall make inquiries of those charged with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. These inquiries are made in part to determine whether the responses of those charged with governance corroborate or contradict the responses to the inquiries of management.

Discussions between the auditor and those charged with governance about the risks of fraud in the entity, including those specific to the entity’s business sector, assists the auditor in identifying and assessing the risks of material misstatement of the financial statements due to fraud. Business sector specific risks may arise from economic, industry and operating conditions that give risk to fraud risk factors for particular classes of transactions, account balances and disclosures.

Deliberate and unauthorized modification of Information
Tampering with information includes deliberate and unauthorized modification of information through destruction, manipulation or editing documents that are fraudulent or have been tampered with can be difficult to detect. Conditions that indicate a document is not authentic or has been tampered with include:

  • Document style different to others of the same type from the same source (for example changes to fonts and formatting).
  • ‘Copy’ documents presented rather than originals.
  • Electronic documents with a last edited date that is after the date they were represented as finalized.
Businesswoman talking on phone and using laptop
10 Practical steps the auditor can implement when assessing fraud risk particularly for 2022-year end audits:
Step 1
Update audit working papers to incorporate the content within “What’s changed for auditors”.

Step 2
Document all meetings with management, those charged with governance and others within the entity.

Step 3
Create a checklist of examples of circumstances that indicate the possibility of fraud per Appendix 3 of ISA (Ireland) 240.

Step 4
Document discussions with the Engagement Team incorporating exchange of ideas about fraud risk factors.

Step 5
Determine whether the engagement team requires specialized skills or knowledge to perform risk assessment procedures.

Step 6
Perform audit procedures to test the appropriateness of manual or automated journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements, including consolidation adjustments in the preparation of group financial statements. Make inquiries of individuals with different levels of responsibility. Select journal entries and other adjustments made at the end of a reporting period and post-closing entries.

Step 7
Consider the reliability of information to be used as audit evidence ensuring tampering of documents is not evident.

Step 8
Automated tools and techniques may enable more extensive testing of electronic transactions and account files.

Step 9
Appendix 2 of ISA (Ireland) 240 provides examples of possible audit procedures to address the assessed risks of material misstatement due to fraud.

Step 10
Obtain written representations from management that they acknowledge their responsibility for the design, implementation and maintenance of internal controls to prevent and detect fraud and that they believe they have appropriately fulfilled those responsibilities.

Conclusion
We recommend that you familiarize yourself with the updates to ISA (Ireland) 240 and incorporate as appropriate within your audit processes, procedures and working papers. Whilst adhering to the objectives of ISA (Ireland) 240 it is still necessary that you, as auditor, maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist.

https://iaasa.ie/wp-content/uploads/2022/11/ISA-240_Oct_2022.pdf

Phyllis Willoughby headshot
Phyllis Willoughby
Learning & Development Accountant
Member Services
CPA Ireland
Back to Issue