An auditor’s main concern in an audit is the risk of a material misstatement in the financial statements. These material misstatements can arise from fraud or error.
An error is an unintentional misstatement in the financial statements, whether an omission of an amount or a disclosure. It can be a mistake in gathering or processing data for the accounts, an incorrect accounting estimate or a mistake in the application of accounting principles.
Fraud is an intentional act by one or more individuals among management, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.
Auditors do not make legal determination of whether fraud has actually occurred, the auditor is concerned with fraud that causes a material misstatement in the financial statements.
ISA 240: the auditor’s responsibility to consider fraud in an audit of financial statements, states quite clearly in paragraph 240.13 that the primary responsibility for the prevention and detection of fraud rests with the management and those charged with governance of the entity. It is their responsibility to establish a control environment to assist in achieving the orderly and efficient conduct of the entities operations. It is up to them to put a strong emphasis within the entity on fraud prevention.
The auditor does not have a specific responsibility to prevent or detect fraud, but he must consider whether it has caused a material misstatement in the financial statements.
Types of fraud
There are two types of intentional misstatement:
- Fraudulent financial reporting
- Misappropriation of assets
Fraudulent financial reporting
This may be accomplished by the following:
- Manipulation, falsification, or alteration of accounting records or supporting documentation from which the accounts are prepared
- Misrepresentation in or intentional omission from the accounts of events, transactions or other significant information
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation or disclosure.
Specifically fraud can be committed by management overriding controls using techniques such as:
- recording fictitious journal entries
- inappropriately adjusting assumptions
- omitting, advancing or delaying recognition of events or transactions in the correct accounting period
- Concealing or not disclosing facts that could affect amounts recorded in the financial statements
- Engaging in complex transactions that are structured to misrepresent the financial position
- Altering records and terms related to significant and unusual transactions.
Misappropriation of assets
This involves the theft of a company’s assets. While management are in a position to be able to disguise or conceal misappropriations in ways that are difficult to detect, small and immaterial amounts misappropriated are often perpetrated by employees.
Misappropriations can be accomplished in a number of ways:
- Embezzling receipts
- Stealing physical assets or intellectual property
- Causing a entity to pay for something they never received
- Using an entity’s assets for own personal use.
The misappropriation of assets is often accompanied by false or misleading records or documents in order to conceal the fact that the assets are missing.
Why is there fraud
Fraud occurs because
- There is an incentive or pressure to commit fraud A perceived opportunity to do so
- Rationalisation of the act.
- Individuals may be living beyond their means
- Management is under pressure to reach targets An individual may believe internal controls can be over-ridden.
The auditors approach in relation to fraud
ISA paragraph 240.3 states that in planning and performing the audit to reduce risk to an acceptable level, the auditor should consider the risks of material misstatement in the financial statements due to fraud.
- Maintain an attitude of professional scepticism
- Audit team should discuss the entity’s susceptibility to fraud
- Carry out risk assessment procedures
- Respond to the assessed risks
- Consider whether any identified misstatement is indicative of fraud
- Obtain written representations from management relating to fraud
- Communicate with management
ISA 240.24 states that the auditor should maintain an attitude of professional scepticism throughout the audit, recognising the possibility that a material misstatement due to fraud could exist notwithstanding the auditors past experience with the entity about the honesty and integrity of management.
Members of the engagement team should discuss the susceptibility of the entity’s financial statements to material misstatements due to fraud. (ISA 240.27)
The engagement partner should consider which matters are to be communicated to members of the audit team not involved in the discussion (ISA 240.29).
The discussion may include:
- An exchange of ideas about how and where a company may be susceptible to fraud, how management could conceal fraud and how assets could be misappropriated.
- A consideration of circumstance that might lead to aggressive earnings management
- A consideration of known factors both external and internal that may create an incentive or pressure from management or others to commit fraud
- A consideration of management involvement in the supervision of employees with access to cash or other assets susceptible to misappropriation
- A consideration of any unusual or unexplained changes in behaviour or lifestyle of management or employees that has come to the teams’ attention
- Emphasising the importance of professional scepticism
- A consideration of the types of circumstances that might indicate fraud
- A consideration of how unpredictability will be incorporated into the audit
- A consideration of audit procedures that might be selected to respond to any suspicions of fraud
- A consideration of any allegations that have come to the auditors attention
- A consideration of the risk of management override of controls.
Risk assessment procedures
The auditor should undertake risk assessment procedures in order to obtain an understanding of the entity and its environment, including its internal control.
As part of this work the auditor performs procedures to obtain information that is used to identify the risks of misstatement due to fraud. These procedures include:
- Making inquiries of management as to how they identify and respond to the risks of fraud
- Consider whether fraud risk factors are present
- Consider the results of analytical procedures and any other relevant information
When obtaining an understanding of the entity and its environment, including its internal control, the auditor should make inquiries of management regarding:
- Management’s assessment of the risk of fraud
- Management’s process for identifying and responding to the risks
- Management’s communication to those charged with governance
- Management’s communication, if any, to employees regarding its views on business practices and ethical behaviour.
The auditor should make inquiries of management, internal audit and others within the entity, to determine whether they have knowledge of any actual or suspected fraud.
The auditor should obtain an understanding of how those charged with governance exercise oversight of management processes for identifying and responding to risks and the internal control that management has established to mitigate these risks.
The auditor should make inquiries of those charged with governance to determine whether they have knowledge of any actual or suspected fraud.
When obtaining an understanding of the entity and its environment, the auditor should consider whether the information obtained indicates that one or more fraud risk factors are present.
Fraud risk factors are detailed in appendix 1 of ISA 240.
When performing analytical procedures, the auditor should consider unusual or unexpected relationships that may indicate risks of material misstatements due to fraud.
When identifying and assessing the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balance and disclosures, the auditor should identify and assess the risk of material misstatement due to fraud. Those assessed risks that could result in a material misstatement are significant risks and accordingly, the auditor should evaluate the design of the related controls and determine whether they have been implemented.
The auditor identifies the risks of fraud, relates the identified risks to what can go wrong at the assertion level and considers the likely magnitude of a potential misstatement.
Responses to risk
The auditor should determine overall responses to address the assessed risks of material misstatement due to the fraud at the financial statement level and should design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks at the assertion level.
The auditor should respond in the following ways:
- A response that has an overall effect on how the audit is conducted
- A response to identified risks at the assertion level
- A response to identified risks where management override controls are involved.
In determining overall responses to address the risk of material misstatement due to fraud at the financial statement level the auditor should consider
- the assignment and supervision of personnel
- the accounting policies used
- Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.
Audit procedures responsive to risks at assertion level may change the nature, timing and extent of audit procedures such as:
- Audit evidence may need to be more reliable and relevant or to obtain additional corroborative information. Physical inspection or observation may become more important.
- Timing of substantive tests may need to be modified, for example in revenue recognition testing.
- Sample sizes may need to be increased.
- (see appendix 2 ISA 240)
To respond to the risk of management override of controls, the auditor should design and perform audit procedures to
- test the appropriateness of journal entries
- review accounting estimates and
- obtain an understanding of the business rationale of significant transactions that are outside the normal course of business for the entity.
Evaluation of audit evidence
The auditor evaluates whether the risks of material misstatement are appropriate based on the evidence gathered. He must also consider the reliability of management representations and must obtain from the management in writing, that the management accepts its responsibilities in relation to the prevention and detection of fraud and has made all relevant disclosure to the auditors.
The auditor must document:
- The significant decisions reached during the audit team discussion of fraud
- The identified and assessed risks of material misstatement due to fraud
- The response to the assessed risks
- Communication to management
The auditor should communicate to the appropriate level of management any identified fraud. Where the fraud involves management or key employees in internal control operations, the auditor should communicate as soon as possible any such fraud to those charged with governance.
The auditor may have a statutory duty to report fraudulent behaviour to a regulator outside the entity.
Withdrawal from audit
The auditor should consider resigning from the audit if exceptional circumstances arise that would bring into question the auditor’s ability to continue in office.
If the auditor withdraws, he should discuss with the appropriate level of management as to the reasons and should consider whether there are legal or professional requirements to report to third parties.
- PROFESSIONAL LIABILITY
Auditors may have professional liability under statute law and in the tort of negligence.
There are occasions when auditors have professional liability under statute law:
- In insolvency legislation, the auditor could be found to be an officer of the company and thus could be charged with a criminal offence in connection with the winding up of the company.
- An auditor could be found to be guilty of insider dealing, which is a criminal offence.
- Auditors could be found guilty of a criminal offence in respect of money laundering issues as to their failure to report any known suspicions to the proper authority.
Tort of negligence
Negligence is based on customary/common law. It seeks to provide compensation to loss suffered by one due to another’s wrongful neglect.
To succeed, an injured party must prove:
- A duty of care existed
- The duty of care was breached
- The actual breach caused the loss.
Who would take an action against an Auditor
If an auditor gave an incorrect audit opinion the following parties might take an action:
- The company
- The shareholders
- The bank
- Other lenders
- Other interested third parties
The key difference between all the above mentioned parties is the nature and duty of care owed to them by the auditor.
An auditor owes a duty of care to the company as it is the audit client. The company has a contract with the audit firm. Therefore, the duty of care is automatic under law.
The company is all the shareholders acting as a body; it cannot be represented by one shareholder alone.
The standard of work of the auditor is generally defined by legislation. A number of judgements exist which have gauged the level of care as specific legislation does not exist which states clearly how an auditor should discharge his duty of care.
- Re Kingston cotton mills 1896 Court of Appeal, England
“.it is the duty of the auditor to bring to bear on the work he has performed that skill, care and caution which a reasonably competent, careful and cautious auditor would use. What is reasonable skill, care and caution, must depend on the particular circumstances of the case.”
EG. Re Thomas Gerrard & son Ltd 1967 Chancery Division, England
“…the real ground on which re Kingston cotton mills….is, I think, capable of being distinguished is that the standards of reasonable care and skill are, upon the expert evidence, more exacting today than those which prevailed in 1896.”
EG. Re Fomento(sterling area) Ltd v Selsdon fountain pen co Ltd 1958
“…they must come to it with an inquiring mind, not suspicious of dishonesty…..but suspecting that someone may have made a mistake somewhere and that a check must be made to ensure that there has been none.”
Auditors have to be careful in forming an opinion and they must give consideration to all relevant matters.
If an opinion reached by an auditor is one that no reasonably competent auditor would be likely to reach, then the auditor would possibly be held for negligence.
The auditor can only owe a duty of care to parties other than the audit client, if one can be established.
Third parties will include any individual shareholders, potential investors and the bank. In these cases, there is no contract with the audit firm. Therefore, there is no implied duty of care.
Case law seems to suggest that the courts have been reluctant to attribute a duty of care for third parties to the auditor.
- Caparo industries plc v Dickman and others 1990 England House of Lords – Tort Caparo relied on a set of accounts to purchase shares in a company. Subsequently, they alleged that the accounts were misleading. They argued the auditors owed a duty of care. The House of Lords found that there was no duty of care. The audit complied with the company’s legislation and there was no mention in that legislation to suggest that auditors should protect the interests of investors.
EG. James McNaughton paper group Ltd v Hicks Anderson 1990
The position held that a restrictive approach was now adopted to any extension of the scope of the duty of care beyond the person directly intended by the auditor. In addition, all circumstances should now be taken into account in deciding on a duty of care.
However, in 1995, a high court judge made an award against BDO as their joint audit of a company in which ADT were investing was held to be a contractual relationship with ADT.
Problems however still arise after this case law. The reality is that third parties do rely on audited accounts. The perception is if you are required to file your accounts with for example the Office of Registrar General in Rwanda, then this information must be credible and independent.
It seems unfair that auditors should bear full responsibility for something for which they do not have the primary responsibility.
In recent times, directors of companies are required by law not to make misleading statements to auditors.
Banks and other major lenders appear to have a more special relationship than other third parties.
Loan facilities will often contain clauses requiring audited accounts and up to date financial information on a regular basis. This may be seen to document a relationship with the auditor that establishes a duty of care.
EG. Royal Bank of Scotland v Bannerman, Johnstone Maclay and other 2002
The bank provided an overdraft facility to the company, who it is claimed misstated its position due to a fraud. It was argued that the auditors neglected to find the fraud.
The judge found that the auditors had a duty of care. They knew that the bank need audited accounts as part of the overdraft arrangement and could have issued a disclaimer to the bank. But they didn’t and this was an important factor in deciding that they did owe a duty of care.
One way of dealing with litigation is to try and avoid it.
- Have clear client acceptance procedures, screen new clients, use an engagement letter.
- Perform all audit work in accordance with standards and best practice.
- Have sensible and effective quality control procedures in place.
- Issue appropriate disclaimers. Auditors may attempt to limit their liability by issuing disclaimers, although this may not always be effective in law.
Misconduct includes any act or default that is likely to bring discredit to the member, relevant firm or registered student.
A member should comply with relevant laws and regulations and should avoid any action that discredits the profession.
A member found guilty of misconduct by a competent court shall be liable to disciplinary action, the penalties for which are at the discretion of the professional bodies committees dealing with this area.
Misconduct could include:
Honesty and integrity is a fundamental principle for auditors as they are in a position of trust. Dishonesty therefore would be taken very seriously.
- PROFESSIONAL INDEMNITY INSURANCE
Most professions insist that auditors take out professional indemnity insurance.
This is insurance against civil claims made by clients and third parties arising out of the work undertaken by a firm.
Fidelity guarantee is insurance against liability arising through any acts of fraud or dishonesty by an employee of a firm in respect of money or goods held in trust by the firm. Insurance is important in order to compensate the client as it is highly unlikely that a firm would have the necessary resources to fully compensate a client. It also provides some protection for the firm against bankruptcy.
There is a downside to the insurance. It is quite expensive and there may also be limits to the cover. There is also the risk that some auditors will take less care than their duty requires as they have a safety net if something goes wrong.
It is also common for the insurance requirement to remain in place after a member ceases to engage in public practice.
The major accountancy firms have been interested in trying to limit their liability for partners in the event of negligence.
Write a note, where you must consider the extent to which an auditor should be responsible for detecting fraud when auditing the accounts of limited companies.
- Outline the extent to which an auditor is responsible for detecting fraud.
- Discuss whether it would be reasonable to extend the auditor’s responsibilities and are there any practical problems of extending such responsibilities?
- Conclude on and define the extent to which you consider it reasonable for an auditor to be responsible for detecting fraud.
In an action for negligence, what must occur in order to proceed?
What practical actions can an auditor apply in order to avoid litigation?