Clarified Auditing Standard--Consideration of Fraud in a Financial Statement Audit, Part 2 (AU-C 240)

In the first part of this article, key requirements of the standard were summarized.  This second part will discuss application issues pertinent to today’s audit practice, including the identification and assessment of risks of material misstatement due to fraud, auditors’ responses, the evaluation of evidence, communications with management and persons charged with governance and audit documentation of these issues.

Identifying and Assessing Potential Fraud Risks

As it is with risk of material misstatement due to error, auditors must identify and assess potential fraud risks at the financial statement and assertion levels throughout an engagement. Because there is a required presumption fraud exists in revenue recognition, an auditor must evaluate which types of revenues, transactions or assertions cause such risks. Revenues can be overstated by recording transactions before revenue is earned or by recording fictitious revenues. Assessed risks related to revenue recognition should be considered significant and an entity’s related internal control system should be evaluated.  When the internal control system for revenues is not appropriately designed and operated, other audit responses will be necessary.

Audit Responses to Assessed Fraud Risks

Overall responses to assessed fraud risks include assigning personnel to the engagement, or to sections of the engagement, that have knowledge and experience commensurate with the degree of risk. Particular attention should be paid to subjective measurements and large, unusual and complex transactions throughout the reporting period, particularly during the last month of the period.

In responding to other assessed risks of fraudulent financial reporting and misappropriation at the financial statement and assertion levels, the auditor may also incorporate more unpredictability in the nature, extent and timing of auditing procedures. While lower limits for individually significant items are derived from calculations of performance materiality or tolerable misstatement, higher risk factors will result in lower limits, thereby requiring 100% audit of more individually significant items to mitigate the risks. Numerous other responses to assessed risks at the assertion levels are outlined in Appendix B to AU-C 240.

Evaluating Evidence

When misstatements are discovered throughout the audit, the auditor should determine if they possibly indicate fraud. When fraud is indicated, the auditor should qualitatively evaluate the impact and previous determination of materiality levels, the integrity of management and employees and the validity and reliability of management representations.

If management is involved or collusion is suspected, the audit strategy and audit plan should be re-evaluated and additional substantive procedures performed as necessary.  If sufficient additional evidence cannot be obtained, the auditor should consider the possibility of withdrawal from the engagement under applicable laws or regulations.

Communications with Management and Persons Charged with Governance

When a fraud has been identified or evidence has been gathered that indicates a fraud may exist, the auditor should communicate the circumstances to management or persons charged with governance, at least one level above the level of the fraud or suspected fraud. In a partnership or LLC when a partner is suspected of perpetrating the fraud for example, other partners or persons charged with governance should be informed of the matters. The same would be true when officers or management persons are suspected in other for-profit and non-profit organizations.

Audit Documentation

In addition to the evidence requirements in AU-C 315 (to be discussed in a later article) engagement documentation should include:

·      Decisions reached regarding potential fraud risks in the engagement team planning and brainstorming meeting.  This documentation would normally be part of a Planning Document.

·      Identified and assessed fraud risks of material misstatement and the linking of overall and specific audit responses at both the financial statement and assertion levels.  This documentation should include the results of those audit responses and auditor decisions regarding their findings, including those designed to address the risk of management override of controls..

·      The communications about fraud to management and persons charged with governance, their responses and the auditor’s resulting actions.

·      The circumstances of the engagement that have overcome the presumption that there is risk of material misstatement due to error or fraud, along with the auditor’s reasoning about those circumstances.

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics. My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.