AU-C Section 240: Consideration of Fraud in a Financial Statement Audit

"Scope of This Section

.01 This section addresses the auditor's responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, are to be applied regarding risks of material misstatement due to fraud.

Characteristics of Fraud

.02 Misstatements in the financial statements can arise from either fraud or error. The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional.

.03 Although fraud is a broad legal concept, for the purposes of generally accepted auditing standards (GAAS), the auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. Two types of intentional misstatements are relevant to the auditor—misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets. Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred. (Ref: par. .A1–.A8)"

".04 The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, places a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behavior, which can be reinforced by active oversight by those charged with governance. Oversight by those charged with governance includes considering the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings in order to influence the perceptions of financial statement users regarding the entity's performance and profitability.

Responsibilities of the Auditor

.05 An auditor conducting an audit in accordance with GAAS is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. Due to the inherent limitations of an audit, an unavoidable risk exists that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS.

.06 As described in section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards, the potential effects of inherent limitations are particularly significant in the case of misstatement resulting from fraud. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error. This is because fraud may involve sophisticated and carefully organized schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made to the auditor. Such attempts at concealment may be even more difficult to detect when accompanied by collusion. Collusion may cause the auditor to believe that audit evidence is persuasive when it is, in fact, false. The auditor's ability to detect a fraud depends on factors such as the skillfulness of the perpetrator, the frequency and extent of manipulation, the degree of collusion involved, the relative size of individual amounts manipulated, and the seniority of those individuals involved. Although the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is difficult for the auditor to determine whether misstatements in judgment areas, such as accounting estimates, are caused by fraud or error.

.07 Furthermore, the risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud because management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information, or override control procedures designed to prevent similar frauds by other employees.

.08 When obtaining reasonable assurance, the auditor is responsible for maintaining professional skepticism throughout the audit, considering the potential for management override of controls, and recognizing the fact that audit procedures that are effective for detecting error may not be effective in detecting fraud. The requirements in this section are designed to assist the auditor in identifying and assessing the risks of material misstatement due to fraud and in designing procedures to detect such misstatement.

Objectives

.10 The objectives of the auditor are to

a. identify and assess the risks of material misstatement of the financial statements due to fraud;

b. obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and

c. respond appropriately to fraud or suspected fraud identified during the audit. "

".12 In accordance with section 200, the auditor should maintain professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor's past experience of the honesty and integrity of the entity's management and those charged with governance.(Ref: par. .A9–.A10)

.13 Unless the auditor has reason to believe the contrary, the auditor may accept records and documents as genuine. If conditions identified during the audit cause the auditor to believe that a document may not be authentic or that terms in a document have been modified but not disclosed to the auditor, the auditor should investigate further. (Ref: par. .A11)

.14 When responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), the auditor should further investigate the inconsistencies or unsatisfactory responses."

".15 Section 315 requires a discussion among the key engagement team members, including the engagement partner, and a determination by the engagement partner of which matters are to be communicated to those team members not involved in the discussion. This discussion should include an exchange of ideas or brainstorming among the engagement team members about how and where the entity's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. The discussion should occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity, and should, in particular, also address (Ref: par. .A12–.A13)

a. known external and internal factors affecting the entity that may create an incentive or pressure for management or others to commit fraud, provide the opportunity for fraud to be perpetrated, and indicate a culture or environment that enables management or others to rationalize committing fraud;

b. the risk of management override of controls;

c. consideration of circumstances that might be indicative of earnings management or manipulation of other financial measures and the practices that might be followed by management to manage earnings or other financial measures that could lead to fraudulent financial reporting;

d. the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement due to fraud; and

e. how the auditor might respond to the susceptibility of the entity's financial statements to material misstatement due to fraud.

Communication among the engagement team members about the risks of material misstatement due to fraud should continue throughout the audit, particularly upon discovery of new facts during the audit."

"Risk Assessment Procedures and Related Activities

.16 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity's internal control, required by section 315, the auditor should perform the procedures in paragraphs .17–.24 to obtain information for use in identifying the risks of material misstatement due to fraud.

Discussions With Management and Others Within the Entity

.17 The auditor should make inquiries of management regarding

a. management's assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments; (Ref: par. .A14– .A15)

b. management's process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist; (Ref: par. .A16)

c. management's communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity; and

d. management's communication, if any, to employees regarding its views on business practices and ethical behavior.

.18 The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity. (Ref: par. .A17–.A20)

.19 For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures. [As amended, effective for audits of financial statements for periods ending on or after December 15, 2014, by SAS No. 128.]"

".20 Unless all of those charged with governance are involved in managing the entity, the auditor should obtain an understanding of how those charged with governance exercise oversight of management's processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks. (Ref: par. .A21–.A23)

.21 Unless all of those charged with governance are involved in managing the entity, the auditor should make inquiries of those charged with governance (or the audit committee or, at least, its chair) to determine their views about the risks of fraud and whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity. These inquiries are made, in part, to corroborate the responses received from the inquiries of management."

"Unusual or Unexpected Relationships Identified

.22 Based on analytical procedures performed as part of risk assessment procedures, the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts. (Ref: par. .A24–.A26 and .A46)

Other Information

.23 The auditor should consider whether other information obtained by the auditor indicates risks of material misstatement due to fraud. (Ref: par. .A27)

Evaluation of Fraud Risk Factors

.24 The auditor should evaluate whether the information obtained from the risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present. Although fraud risk factors may not necessarily indicate the existence of fraud, they have often been present in circumstances in which frauds have occurred and, therefore,may indicate risks of material misstatement due to fraud. (Ref: par. .A28–.A32)"

".25 In accordance with section 315, the auditor should identify and assess the risks of material misstatement due to fraud at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures. The auditor's risk assessment should be ongoing throughout the audit, following the initial assessment.

.26 When identifying and assessing the risks of material misstatement due to fraud, the auditor should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. Paragraph .46 specifies the documentation required when the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (Ref: par. .A33–.A35)

.27 The auditor should treat those assessed risks of material misstatement due to fraud as significant risks and, accordingly, to the extent not already done so, the auditor should obtain an understanding of the entity's related controls, including control activities, relevant to such risks, including the evaluation of whether such controls have been suitably designed and implemented to mitigate such fraud risks. (Ref: par. .A36–.A37)"

"Overall Responses

.28 In accordance with section 330, the auditor should determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. (Ref: par. .A38)

.29 In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should

a. assign and supervise personnel, taking into account the knowledge, skill, and ability of the individuals to be given significant engagement responsibilities and the auditor's assessment of the risks of material misstatement due to fraud for the engagement; (Ref: par. .A39–.A40)

b. evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management's effort to manage earnings, or a bias that may create a material misstatement; and (Ref: par. .A41)

c. incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures. (Ref: par. .A42)"

".30 In accordance with section 330, the auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level. (Ref: par. .A43–.A46)"

".31 Management is in a unique position to perpetrate fraud because of management's ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is, nevertheless, present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and, thus, a significant risk.

.32 Even if specific risks of material misstatement due to fraud are not identified by the auditor, a possibility exists that management override of controls could occur. Accordingly, the auditor should address the risk of management override of controls apart from any conclusions regarding the existence of more specifically identifiable risks by designing and performing audit procedures to

a. test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements, including entries posted directly to financial statement drafts. In designing and performing audit procedures for such tests, the auditor should (Ref: par. .A47–.A50 and .A55)

i. obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, and the suitability of design and implementation of such controls;

ii. make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments;

iii. consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business;

iv. select journal entries and other adjustments made at the end of a reporting period; and

v. consider the need to test journal entries and other adjustments throughout the period.

b. review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review, the auditor should

i. evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity's management that may represent a risk of material misstatement due to fraud. If so, the auditor should reevaluate the accounting estimates taken as a whole, and

ii. perform a retrospective review of management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the prior year. Estimates selected for review should include those that are based on highly sensitive assumptions or are otherwise significantly affected by judgments made by management. (Ref: par. .A51–.A53)

c. evaluate, for significant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual given the auditor's understanding of the entity and its environment and other information obtained during the audit, whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets. (Ref: par. .A54)

Other Audit Procedures

.33 The auditor should determine whether, in order to respond to the identified risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specifically referred to previously (that is, when specific additional risks of management override exist that are not covered as part of the procedures performed to address the requirements in paragraph .32). (Ref: par. .A55)"

".34 The auditor should evaluate, at or near the end of the audit, whether the accumulated results of auditing procedures (including analytical procedures that were performed as substantive tests or when forming an overall conclusion) affect the assessment of the risks of material misstatement due to fraud made earlier in the audit or indicate a previously unrecognized risk of material misstatement due to fraud. If not already performed when forming an overall conclusion, the analytical procedures relating to revenue, required by paragraph .22, should be performed through the end of the reporting period. (Ref: par. .A57–.A58)

.35 If the auditor identifies a misstatement, the auditor should evaluate whether such a misstatement is indicative of fraud. If such an indication exists, the auditor should evaluate the implications of the misstatement with regard to other aspects of the audit, particularly the auditor's evaluation of materiality, management and employee integrity, and the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence. (Ref: par. A59–.A62)

.36 If the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is, or may be, the result of fraud and that management (in particular, senior management) is involved, the auditor should reevaluate the assessment of the risks of material misstatement due to fraud and its resulting effect on the nature, timing, and extent of audit procedures to respond to the assessed risks.The auditor should also consider whether circumstances or conditions indicate possible collusion involving employees, management, or third parties when reconsidering the reliability of evidence previously obtained. (Ref: par. .A60)

.37 If the auditor concludes that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud, the auditor should evaluate the implications for the audit. (Ref: par. .A61)"

".38 If, as a result of identified fraud or suspected fraud, the auditor encounters circumstances that bring into question the auditor's ability to continue performing the audit, the auditor should

a. determine the professional and legal responsibilities applicable in the circumstances, including whether a requirement exists for the auditor to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities;

b. consider whether it is appropriate to withdraw from the engagement, when withdrawal is possible under applicable law or regulation; and

c. if the auditor withdraws

i. discuss with the appropriate level of management and those charged with governance the auditor's withdrawal from the engagement and the reasons for the withdrawal, and

ii. determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities, the auditor's withdrawal from the engagement and the reasons for the withdrawal. (Ref: par. .A63–.A66)"

".39 If the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor should communicate these matters on a timely basis to the appropriate level of management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. (Ref: par. .A67)

.40 Unless all of those charged with governance are involved in managing the entity, if the auditor has identified or suspects fraud involving

a. management,

b. employees who have significant roles in internal control, or

c. others, when the fraud results in a material misstatement in the financial statements, the auditor should communicate these matters to those charged with governance on a timely basis. If the auditor suspects fraud involving management, the auditor should communicate these suspicions to those charged with governance and discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit. (Ref: par. .A68–.A70)

.41 The auditor should communicate with those charged with governance any other matters related to fraud that are, in the auditor's professional judgment, relevant to their responsibilities. (Ref: par. .A71)"

".42 If the auditor has identified or suspects a fraud, the auditor should determine whether the auditor has a responsibility to report the occurrence or suspicion to a party outside the entity. Although the auditor's professional duty to maintain the confidentiality of client information may preclude such reporting, the auditor's legal responsibilities may override the duty of confidentiality in some circumstances. (Ref: par. .A72–.A74)"

".43 The auditor should include in the audit documentation of the auditor's understanding of the entity and its environment and the assessment of the risks of material misstatement required by section 315 the following:

a. The significant decisions reached during the discussion among the engagement team regarding the susceptibility of the entity's financial statements to material misstatement due to fraud, and how and when the discussion occurred and the audit team members who participated

b. The identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level (See paragraphs .16–.27.)

.44 The auditor should include in the audit documentation of the auditor's responses to the assessed risks of material misstatement required by section 330 the following:

a. The overall responses to the assessed risks of material misstatement due to fraud at the financial statement level and the nature, timing, and extent of audit procedures, and the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level

b. The results of the audit procedures, including those designed to address the risk of management override of controls

.45 The auditor should include in the audit documentation communications about fraud made to management, those charged with governance, regulators, and others.

.46 If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is overcome in the circumstances of the engagement, the auditor should include in the audit documentation the reasons for that conclusion."