Chapter 8

Auditing for Fraud

Fraud & Auditor Responsibilities: Historical Evolution

"The detection of material fraud is a reasonable expectation of users of audited financial statements. Society needs and expects assurance that financial information has not been material misstated because of fraud. Unless an independent audit can provide this assurance, it has little if any value to society"

This statement by the Public Companies Accounting Oversight Board represents a dramatic change in auditors' responsibility for detecting fraudulent financial reporting

Previously, AICPA auditing standards required auditors to plan and perform an audit to provide reasonable assurance of detecting material misstatements, including those caused by fraud

Today, the message is clear: auditors must assume greater responsibility for detecting fraud

Comment on the Magnitude of Fraud

According to a 2002 study by the Association of Certified Fraud Examiners (ACFE)--

Six percent of revenues will be lost as a result of fraud

Estimated at losses of $600 Billion per year

These estimates cover all types of fraud, but do not include the losses investors incurred on major financial reporting frauds such as Enron or WorldCom

Define Fraud

Intentional concealment or misrepresentation of material facts in order to deceive

Differentiated from errors by the intent to deceive

Traditionally defined into broad categories:

Defalcations Fraudulent financial reporting

What is defalcation?

Employee takes assets from the organization for personal gain

Examples: theft, embezzlementACFE divides into frauds due to Corruption

Fraudsters use their influence in a transaction to gain personal benefit

Examples: kickbacks, conflict of interest, bribery, economic extortion

Asset misappropriation Theft or misuse of organization's assets Common schemes: skimming revenues, cash schemes,

fraudulent disbursement, inventory theft, payroll fraud

Defalcation may create misleading financial statements if stolen assets are reported on the statements

Define Fraudulent Financial Reporting

Intentional manipulation of financial statementsTypically committed by management Has opportunity to override internal controls Often evaluated and compensated based on financial resultsUsually involves: Manipulation, falsification, or alteration of accounting

records or supporting documents Misrepresentation or omission of events, transactions, or

significant information Intentional misapplication of accounting principlesThe most common types are Overstate assets and understate expenses Overstate revenues and assets Understate liabilities

Review Lessons Learned From Fraud Cases

Auditors take risk whenever they do not audit the entire company

Auditors need to look at economic assumptions underlying a company’s growth

Auditors need to assess risk factors and when the risk of fraud is high, they must demand stronger evidence

Computer errors should be viewed as a risk factor Dominant clients can be a problem Auditors need to know what motivates management Auditors should not assume all people are honest When fraud risk indicators are discovered, they must

be thoroughly investigated

Discuss the Second COSO Report

Report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) identified major characteristics of companies that had perpetrated fraud:

Involved smaller companies - under $200 million in revenues

Board of directors dominated by management

Audit committees non-existent or inactiveOverstated revenues and corresponding

assets in over half the fraudsMost revenue frauds involved premature

recognition or fictitious revenues

No internal audit departmentPerpetrated over relatively long-terms

(average period 2 years)Companies were in loss situations or near

break-even prior to the fraudCEO and /or CFO involved in 83% of the

casesAuditors realized there are signs that fraud

might be taking place and that auditors would have to identify and investigate these signs

Discuss the Second COSO Report (Continued)

Review Auditing Standards on Fraud

SAS 99, "Fraud Detection in a Financial Statement Audit" issued in 2002

Requires auditors to search for risk factors related to fraud

If these risk factors are present, auditor needs to modify audit toActively search for fraudRequire more substantive audit evidenceIn some cases, assign forensic (fraud) auditors to

the engagementEmphasizes the need for professional

skepticism

Review a Proactive Approach to Fraud Detection - Planning the Audit

The audit must be planned to detect material misstatements - whether the misstatements are due to errors or fraud

The auditor must Understand the business Understand how changes in the economy might

affect the business Understand management's motivations for

committing a fraud Identify opportunities for other employees to commit

defalcation Analyze changes in company's financial results for

reasonableness Identify areas that might suggest fraud

Discuss Proactive Approach to Fraud Detection - Conducting the Audit

Overview of the process to integrate fraud risk assessment and fraud procedures into the audit includes ten major steps:

Understand the nature of fraud, motivations to commit fraud, and how fraud may be committed

Develop and implement an approach based on professional skepticism

Brainstorm and share knowledge within the audit team

Obtain information useful in identifying and assessing fraud risk

Identify specific fraud risks and areas likely to be affected by fraud

Evaluate the quality and effectiveness of company controls in mitigating the risk of fraud

Adjust audit procedures to address the risk of fraud and gather evidence specifically related to the possibility of fraud

Evaluate findings; if evidence signals fraud might exist, consider whether specialists are needed for the audit team

Communicate possibility of fraud to management and audit committee

Document all steps related to fraud

Discuss Proactive Approach to Fraud Detection - Conducting the Audit

What are the motivations to commit fraud?

Research consistently shows three factors associated with fraud

These factors are referred to as the fraud triangle

Incentives or pressures to commit fraud

Opportunities to commit fraudRationalization of the fraud as

acceptable

Review Motivations to Commit Fraud – Incentives or Pressures

The pressures to commit fraud include:Management compensation schemesPersonal wealth ties to financial results

or survival of the companyOther financial pressures to improve

earnings or the balance sheetExample: to avoid violating debt covenant

Personal factors, including personal financial needs

Discuss Motivations to Commit Fraud – Opportunities

Warning signs indicating opportunities for fraud: Weak or non-existent internal controls Complex or unstable organizational structure Ineffective monitoring of management, either

because board of directors is not effective, or management is dominant

Significant accounting estimates made by management

Significant related party transactions Industry dominance, including ability to dictate

terms to suppliers or customers Simple transactions made complex through

disjointed recording process Complex or difficult to understand transactions

Comment on Motivations to Commit Fraud – RationalizationsThe nature of fraud rationalization often differs

depending on the type of fraudFor defalcations, rationalizations often revolve around

personal issues: Personal financial problems Mistreatment by the company Sense of entitlement Everyone does itFor fraudulent financial reporting, the rationalizations

may involve personal or organizational issues: Compensation based on financial results (personal) Ego (personal) Necessary for organization to survive

What is the purpose of audit team brainstorming?

SAS 99 requires members of the audit team to discuss the risk of material misstatement due to fraud

This brainstorming is designed to: Allow experienced auditors to educate less experienced

auditors Set the proper level of professional skepticism for the auditTopics covered during the brainstorming should include: Consider how fraud can be perpetrated and concealed Presume fraud in revenue recognition Consider incentives, opportunities, and rationalization for

fraud Consider industry conditions Consider operating characteristics and financial stability

Audit Procedures

When there is a possibility of fraud, the auditor should consider that evidence might not be what it seems

SAS 99 suggests the auditor consider the following: Greater susceptibility of evidence manipulation Greater skepticism of management responses Journal entries are important New technology provides new ways to commit fraud Recognition that collusion may be likely Predictability of audit procedures Analytical procedures should tie to operational or

industry data

Obtaining Information about Fraud Risk

The auditor should specify procedures that could signal the possibility of fraud including

Making inquires of management and others to obtain their views about the risk and fraud and controls set up to address those risks

Perform analytical procedures and consider any unusual relationships

Review risk factors identified earlier (pressure, opportunity, rationalization)

Review management responses to recommendations for control improvements and internal audit reports

What are some analytical indicators of fraud risk?

Some of the key analytical factors the auditor should develop include:

Large revenue increase at the end of the period Sales increasing faster than industry sales which

don't seem justified Unusually large increase in gross margin Large number of sales returns after year-end Increase in number of day's sales in receivables Increase in number of day's sales in inventory Significant increase in debt/equity ratio Cash flow or liquidity problems Significant changes in non-financial performance

measures

Identifying Risks of Fraud

The auditor should examine each of the fraud risk conditions - pressure, opportunity, rationalization

During this examination, the auditor should consider The type of fraud that might occur The potential significance of the fraud in both

quantitative and qualitative terms The likelihood of fraud occurring The pervasiveness of the risk that fraud might occur

SAS 99 requires the auditor presume there are risks with revenue recognition and management override of internal controls

Relate Internal Control and Fraud Risk

Internal control weaknesses are a strong indicator of fraud risk

The auditor will examine a variety of control areas including:

Corporate governance Management control and influence Audit committee Corporate culture Internal auditing Monitoring controls Whistle blowing Codes of ethics Related party transactions

Developing a Revised Audit Plan

Auditor should develop hypotheses about how fraud could be committed and concealed

The audit team should then develop and implement audit procedures that are directly responsive to the fraud risks

Depending on the hypothesized fraud risks the auditor may change the

Audit procedures in order to gather additional corroborative and/or direct evidence

Timing of audit procedures Staffing of the engagement to include more

experience auditors or specialists

Extent of audit procedures; examples include:Performing procedures on a surprise or

unannounced basisRequiring inventories be counted and observed at

year-end (instead of at an interim date)Making oral inquiries of major customers and

suppliersPerforming analytics using disaggregated dataExamining details of major sales contractsExamining financial viability of customersExamining, in detail, reciprocal or similar

transactions between two entitiesDetailed examination of journal entries,

particularly those at year-end

Developing a Revised Audit Plan (Continued)

Discuss Evaluating Audit Evidence

The auditor's skepticism should be heightened whenever

There are discrepancies in the accounting records

The auditor finds conflicting or missing evidential matter

The relationship with management is strained

There are significant or unusual transactions around year-end

Review Communicating the Existence of Fraud

Fraud should be communicated to a level at which effective action can be taken

The auditor must communicate the existence of fraud to management, the Board, and the audit committee

If fraud involves top management, the auditor must assess the actions taken by the Board

If sufficient actions are not taken, the auditor must consider the control environment and the possible need to resign the engagement

The auditor must determine that the financial statements have been corrected and the fraud adequately disclosed

If the statements are not corrected, the auditor should issue a qualified or adverse opinion

In some cases, the auditor may be required to report the fraud to outside parties, such as to meet regulatory requirements

For public companies, material fraud reflects a weakness in internal controls and may need be reported

Review Communicating the Existence of Fraud

Comment on Audit Documentation

The audit team should document the full extent of the process described

That documentation should include:Discussion among audit team members

including the assessment of fraud risk and how such frauds might take place

Discussion of the factors that affected the risk assessment

Audit procedures performedNeed for corroborating evidenceEvaluation of audit evidence and

communication to required parties

Discuss Characteristics of Financial Reporting Frauds

Historically, there are patterns in financial reporting frauds: Complex revenue recognition schemes Incorrect billings to the government Holding the books open (accelerated revenue

recognition) Capitalizing expensesThe implications for audit procedures is clear: The auditor must understand complex transactions to

determine their economic substance The auditor cannot be pressured to complete the audit

early; there must be sufficient time to examine year-end transactions

The auditor must use necessary procedures to gather sufficient reliable evidence including

What are the characteristics of defalcations?

ACFE reports 90% of defalcations involve thefts of cash; remaining 10% were thefts of inventory and other assets

Cash misappropriation schemes include: Larceny: stealing cash after it has been recorded on

the books Skimming: stealing cash before it is recorded on the

books Fraudulent disbursements

Most common: 70% of defalcation schemes Billing: set up false vendors and pay for fictitious goods Payroll: add fictitious employees to payroll Expense reimbursement: submit overstated reimbursement

requests Check tampering: alter check, e.g. change payee or amount

Audit Procedures & Evidence Considerations

The procedures used by the auditor should reflect the internal control weaknesses and fraud risk indicators found with the client

Linking Audit Procedures to Control Deficiencies Audit procedures used are based on specific control

deficiencies Linkage process from control deficiencies to audit procedures:

What errors or fraud could occur because of the control deficiencies

What account balances would be affected and how What audit procedures would provide evidence on whether the

account balance is misstated Do the audit procedures provide objective evidence independent

of the parties who have access to the assets Examples listed in Exhibit 8.11

Review Linking Audit Procedures to Fraud Risk Indicators

As with control deficiencies, audit procedures will depend on the fraud risk indicators and auditor's preliminary analytical review of account balances

Existence of fraud risk indicators should cause the auditor to

Expand audit testing to more detailed sampling Review all major sales Place more emphasis on independent outside

evidence Perform more procedures at year-end (instead of

interim testing) Examples listed in Exhibits 8.12 and 8.13

Discuss Using Computers to Analyze the Possibility of Fraud

Audit software can read a file and perform a number of procedures to analyze the possibility of fraud:

Test mechanical accuracy: footing, mathematical extensions, and logical relationships

Statistical selection Search for duplicate entries Analyze unusual patterns in data Analysis of logical relationships among data sets Identify unusual sources of entries to an account Search for missing data

Responsibilities for Detecting and Reporting Illegal Acts

Illegal acts are violations of laws or governmental regulations...by management or employees acting on behalf of the entity (AU 317.02)

Illegal acts often have a direct impact on financial statements

Audit must be designed to identify illegal acts that have a direct, material effect on the financial statements; audit procedures include:

Reading corporate minutesInquiries of management and legal counsel

Tests of details to support transactions or account balances Large payments to consultants or employees for

unspecified services Excessively large sales commissions Unexplained governmental payments Unauthorized or unnecessarily complex transactions

If illegal acts are discovered, the auditor should Consult with the client's legal counsel Report the acts to management and the audit

committee Make the financial statements present fairly

including proper disclosure

Responsibilities for Detecting and Reporting Illegal Acts (continued)

Define Forensic Accounting

Forensic accounting is an extension of auditing, but with a number of differences:

Detailed investigation where fraud has been identified or is suspected

Focuses on identifying perpetrators and getting a confession

Builds support for legal action against the perpetrator

May provide litigation support such as expert testimony

Extensive use of interviews 100% examination of fraud-related documents Reconstruction of account balances Broader scope than auditing