Chapter 9

Auditing for Fraud

Copyright © 2010 South-Western/Cengage Learning

Audit Opinion Formulation Process

Fraud & Auditor Responsibilities: A Historical Evolution

• The mission of PCAOB – “The detection of material fraud is a reasonable expectation of users of audited financial statements. Society needs and expects assurance that financial information has not been material misstated because of fraud. Unless an independent audit can provide this assurance, it has little if any value to society”

• Today, the message is clear: auditors must assume greater responsibility for detecting fraud

LO 1: Magnitude of Fraud

• According to a 2008 study by the Association of Certified Fraud Examiners (ACFE):

– Seven percent of revenues were lost as a result of fraud

– Estimated at losses of $1 trillion per year

• 2007 survey by KPMG LLP found that inadequate internal control is the primary contributor to fraud

Fraud Defined

• International embezzlements or thefts of funds from a company, or the international misstatement of financial account balances in order to achieve a perception that a company is doing better than it really is

• Traditionally defined into broad categories:– Defalcations– Fraudulent financial reporting

LO 2 Defalcation

• Employee takes assets from the organization for personal gain

• Examples: theft, embezzlement• ACFE divides frauds due to

– Corruption• Fraudsters use their influence in a transaction to gain

personal benefit• Examples: kickbacks, conflict of interest, bribery,

economic extortion

– Asset misappropriation

Defalcation (continued)

• Theft or misuse of organization's assets• Common schemes: skimming revenues, cash schemes,

fraudulent disbursement, inventory theft, payroll fraud

• Defalcation may create misleading financial statements if stolen assets are reported on the statements

Fraudulent Financial Reporting

• Intentional manipulation of financial statements• Typically committed by management

– Has opportunity to override internal controls– Often evaluated and compensated based on financial results

• Usually involves:– Manipulation, falsification, or alteration of accounting

records or supporting documents– Misrepresentation or omission of events, transactions, or

significant information

Fraudulent Financial Reporting (continued)

• The most common types are– Overstate assets and understate expenses– Overstate revenues and assets– Understate liabilities

LO 3 Lessons Learned fromFraud Cases

• Auditors take risk whenever they do not audit the entire company– Auditors need to look at economic assumptions underlying a

company’s growth– Auditors need to assess risk factors and when the risk of fraud is

high, they must demand stronger evidence– Computer errors should be viewed as a risk factor– Dominant clients can be a problem– Auditors need to know what motivates management– Auditors should not assume all people are honest– When fraud risk indicators are discovered, they must be

thoroughly investigated

The Second COSO Report

• Report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) identified major characteristics of companies that had perpetrated fraud:– Involved smaller companies - under $200 million in

revenues– Board of directors dominated by management– Audit committees non-existent or inactive– Overstated revenues and corresponding assets in over half

the frauds– Most revenue frauds involved premature recognition or

fictitious revenues

The Second COSO Report (continued)

• No internal audit department• Perpetrated over relatively long-terms (average

period 2 years)• Companies were in loss situations or near break-even

prior to the fraud• CEO and /or CFO involved in 83% of the cases• Auditors realized there are signs that fraud might be

taking place and that auditors would have to identify and investigate these signs

LO 4: Summary of Major Financial Reporting Frauds

Summary of Major Financial Reporting Frauds (continued)

Implications for the Design of Audit Procedures

• The auditor should not be pressured by the client’s desire to release annual earnings at an early date

• The auditor must dissect complex transactions to determine their economic substance and the parties that have economic obligations

• Auditors must use “basic” audit procedures like testing additions to capital assets, performing cutoff tests, and examining the support for billings

• The auditor may need to go beyond standard confirmations to determine existence of assets that are dependent on other parties

LO 5: A Proactive Approach to Fraud Detection

• The audit must be planned to detect material misstatements - whether the misstatements are due to errors or fraud

• The auditor must – Understand the business– Understand how changes in the economy might affect the

business– Understand management's motivations for committing a fraud– Identify opportunities for other employees to commit

defalcation– Analyze changes in company's financial results for

reasonableness– Identify areas that might suggest fraud

Conducting the Financial Statement Audit—Fraud Awareness

• Overview of the process to integrate fraud risk assessment and fraud procedures into the audit includes ten major steps:– Understand the nature of fraud, motivations to commit fraud,

and how fraud may be committed– Develop and implement an approach based on professional

skepticism– Brainstorm and share knowledge within the audit team– Obtain information useful in identifying and assessing fraud risk– Identify specific fraud risks and areas likely to be affected by

fraud

Conducting the Financial Statement Audit—Fraud Awareness

• Evaluate the quality and effectiveness of company controls in mitigating the risk of fraud

• Adjust audit procedures to address the risk of fraud and gather evidence specifically related to the possibility of fraud

• Evaluate findings; if evidence signals fraud might exist, consider whether specialists are needed for the audit team

• Communicate possibility of fraud to management and audit committee

• Document all steps related to fraud

Step 1: Motivations to commit fraud?

• Research consistently shows three factors associated

with fraud

• These factors are referred to as the fraud triangle

1. Incentives or pressures to commit fraud

2. Opportunities to commit fraud

3. Rationalization of the fraud as acceptable

4. Capability to commit fraud

LO 6 Motivations to Commit Fraud: Incentives or Pressures

• Management compensation schemes

• Other financial pressures for either improved earnings or an improved balance sheet

• Personal factors, including the personal need for assets

• Debt covenants

• Personal wealth tied to either financial results or survival of the company

Motivations to Commit Fraud: Opportunities

• Warning signs indicating opportunities for fraud:– Weak or non-existent internal controls– Complex or unstable organizational structure– Ineffective monitoring of management, either because board of

directors is not effective, or management is dominant– Significant accounting estimates made by management– Significant related party transactions– Industry dominance, including ability to dictate terms to

suppliers or customers– Simple transactions made complex through disjointed recording

process– Complex or difficult to understand transactions

Step 2: Exercise Professional Skepticism

• Audits must be performed with professional skepticism

• SAS 99 states that auditors should conduct engagements recognizing the possibility of material misstatement

• Professional skepticism also requires auditors to continue to question whether the information and evidence they obtain suggest that a material misstatement due to fraud may have occurred

Step 3: Audit Team Brainstorming

• SAS 99 requires members of the audit team to discuss the risk of material misstatement due to fraud

• This brainstorming is designed to:– Allow experienced auditors to educate less experienced auditors– Set the proper level of professional skepticism for the audit

• Topics covered during the brainstorming should include:– Consider how fraud can be perpetrated and concealed– Presume fraud in revenue recognition– Consider incentives, opportunities, and rationalization for fraud– Consider industry conditions– Consider operating characteristics and financial stability

LO 7 Audit Procedures

• When there is a possibility of fraud, the auditor should consider that evidence might not be what it seems

• SAS 99 suggests the auditor consider the following:– Greater susceptibility of evidence manipulation

– Greater skepticism of management responses

– Journal entries are important

– New technology provides new ways to commit fraud

– Recognition that collusion may be likely

– Predictability of audit procedures

– Analytical procedures should tie to operational or industry data

Step 4: Obtaining Information about Fraud Risk

• The auditor should specify procedures that could signal the possibility of fraud including– Making inquires of management and others to obtain their

views about the risk and fraud and controls set up to address those risks

– Perform analytical procedures and consider any unusual relationships

– Review risk factors identified earlier (pressure, opportunity, rationalization)

– Review management responses to recommendations for control improvements and internal audit reports

LO 8 Analytical Indicators of Risk

• Some of the key analytical factors the auditor should develop include:– Large revenue increase at the end of the period– Sales increasing faster than industry sales which don't seem

justified– Unusually large increase in gross margin– Large number of sales returns after year-end– Increase in number of day's sales in receivables– Increase in number of day's sales in inventory– Significant increase in debt/equity ratio– Cash flow or liquidity problems– Significant changes in non-financial performance measures

Step 5: Identifying Risks of Fraud

• The auditor should examine each of the fraud risk conditions - pressure, opportunity, rationalization

• During this examination, the auditor should consider– The type of fraud that might occur

– The potential significance of the fraud in both quantitative and qualitative terms

– The likelihood of fraud occurring

– The pervasiveness of the risk that fraud might occur

Step 6: Analyzing Internal Controls for Fraud Risk

• Internal control weaknesses are a strong indicator of fraud risk

• The auditor will examine a variety of control areas including:– Corporate governance– Management control and influence– Audit committee– Corporate culture– Internal auditing– Monitoring controls– Whistle blowing– Codes of ethics– Related party transactions

Step 7: Developing the Revised Audit Plan

• Auditor should develop hypotheses about how fraud could be committed and concealed

• The audit team should then develop and implement audit procedures that are directly responsive to the fraud risks

• Depending on the hypothesized fraud risks the auditor may change the – Audit procedures in order to gather additional

corroborative and/or direct evidence– Timing of audit procedures – Staffing of the engagement to include more experience

auditors or specialists

Developing the Revised Audit Plan (continued)

• Extent of audit procedures; examples include:– Performing procedures on a surprise or unannounced basis– Requiring inventories be counted and observed at year-end

(instead of at an interim date)– Making oral inquiries of major customers and suppliers– Performing analytics using disaggregated data– Examining details of major sales contracts– Examining financial viability of customers– Examining, in detail, reciprocal or similar transactions

between two entities– Detailed examination of journal entries, particularly those

at year-end

Step 8: Evaluating Audit Evidence

• The auditor's skepticism should be heightened whenever– There are discrepancies in the accounting records

– The auditor finds conflicting or missing evidential matter

– The relationship with management is strained

– There are significant or unusual transactions around year-end

LO 9 Step 9: Communicating the Existence of Fraud

• Fraud should be communicated to a level at which effective action can be taken– The auditor must communicate the existence of

fraud to management, the Board, and the audit committee

– If fraud involves top management, the auditor must assess the actions taken by the Board

– If sufficient actions are not taken, the auditor must consider the control environment and the possible need to resign the engagement

Step 9: Communicating the Existence of Fraud (continued)

• The auditor must determine that the financial statements have been corrected and the fraud adequately disclosed

• If the statements are not corrected, the auditor should issue a qualified or adverse opinion

• In some cases, the auditor may be required to report the fraud to outside parties, such as to meet regulatory requirements

• For public companies, material fraud reflects a weakness in internal controls and may need be reported

Step 10: Documenting the Audit

• The audit team should document the full extent of the process described

• That documentation should include:– Discussion among audit team members including the

assessment of fraud risk and how such frauds might take place

– Discussion of the factors that affected the risk assessment– Audit procedures performed– Need for corroborating evidence– Evaluation of audit evidence and communication to

required parties

LO 10 Forensic Accounting

• Forensic accounting is an extension of auditing, but with a number of differences:– Detailed investigation where fraud has been identified or is

suspected– Focuses on identifying perpetrators and getting a

confession– Builds support for legal action against the perpetrator– May provide litigation support such as expert testimony– Extensive use of interviews– 100% examination of fraud-related documents– Reconstruction of account balances– Broader scope than auditing

Differences Between Forensic Accounting and Auditing