Consideration of Fraud in a Financial Statement Audit

The purpose of a financial statement audit is to provide an independent opinion on whether a company’s financial statements are presented fairly, in all material respects, with an applicable financial reporting framework. The resulting audit report adds credibility to the financial statements and is used by investors, creditors, and other stakeholders to make informed decisions.

A company’s management is responsible for preventing and detecting fraud by implementing internal controls and creating an ethical environment. In contrast, an auditor’s role is to conduct the audit to obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by error or fraud.

Reasonable assurance is a high, but not absolute, level of assurance. Due to the inherent limitations of an audit, an unavoidable risk exists that some material misstatements may go undetected, particularly those involving sophisticated fraud schemes or collusion. Therefore, an auditor’s opinion enhances reliability but does not certify absolute correctness.

The Auditor’s Responsibility for Fraud Detection

Professional auditing standards, under AU-C Section 240, require an auditor to plan and perform the audit to obtain reasonable assurance about whether financial statements are free of material misstatement. The distinction is intent: fraud is an intentional act, while an error is unintentional. The risk of not detecting a material misstatement from fraud is higher than from an error because it often involves deliberate concealment.

Auditors are concerned with two types of intentional misstatements: fraudulent financial reporting and misappropriation of assets. Fraudulent financial reporting is committed by management to deceive users, such as manipulating revenues to meet targets. Misappropriation of assets, or theft, involves stealing company assets and is often perpetrated by employees.

Auditors must apply professional skepticism throughout the audit, which includes a questioning mind and a critical assessment of evidence. An auditor should not be satisfied with less-than-persuasive evidence based on a belief that management is honest. To understand conditions that lead to fraud, auditors use the “fraud triangle.” This framework suggests three conditions are present when fraud occurs: incentive (a motive), opportunity (weak controls), and rationalization (self-justification).

Risk Assessment Procedures for Fraud

The identification of potential fraud begins with risk assessment procedures to gather information and assess risks. A required discussion among the audit engagement team allows members to brainstorm how and where the entity’s financial statements might be susceptible to fraud, regardless of past experiences with management.

A significant part of risk assessment involves making inquiries of various individuals. Auditors speak with management about their process for identifying fraud risks and any knowledge of actual or suspected fraud. These conversations extend to the audit committee, internal auditors, and other employees who might have direct knowledge of activities that could signal fraud.

Auditors also perform analytical procedures to identify unusual or unexpected relationships in financial data that can highlight potential risk. For example, an auditor might compare a company’s reported revenue growth to its industry peers. A significant, unexplained spike in sales near the end of a reporting period could indicate improper revenue recognition.

The information gathered is used to evaluate fraud risk factors and pinpoint specific areas, such as revenue recognition or management estimates, that require a tailored audit response.

Audit Responses to Assessed Fraud Risks

Once fraud risks are identified, the auditor designs and implements appropriate responses. These occur at two levels: an overall response to general fraud risk and specific responses tailored to the identified risks. An overall response might involve assigning more experienced personnel, incorporating unpredictability into audit procedures, and heightening professional skepticism.

Professional standards mandate specific procedures to address the risk of management override of controls. Management is in a unique position to perpetrate fraud by overriding controls that otherwise seem effective. To counter this risk, auditors are required to perform three procedures in every audit.

First, auditors must test the appropriateness of journal entries recorded in the general ledger and other adjustments. This involves selecting entries made at the end of a reporting period or those with unusual characteristics and examining supporting documentation. The focus is on identifying entries that could be used to manipulate financial results or are made by individuals who do not typically make them.

Second, auditors must review accounting estimates for biases that could result in material misstatement. This involves looking back at significant estimates from prior years and scrutinizing the reasonableness of current-year estimates, such as allowances for doubtful accounts. The goal is to determine if management’s assumptions reflect a pattern of bias that could misrepresent the company’s financial position.

Third, auditors evaluate the business rationale for significant unusual transactions. For major transactions outside the normal course of business, the auditor must understand the underlying economic substance. This procedure helps determine if these transactions have been structured to engage in fraudulent financial reporting, and a lack of clear business purpose may be a red flag for fraud.

Beyond these mandatory procedures, auditors design further tests to address specific fraud risks. For instance, if a high risk of improper revenue recognition is identified, the auditor might confirm contract terms directly with customers. If there is a risk of inventory theft, the auditor may observe physical inventory counts at multiple locations on an unannounced basis.

Evaluation and Communication of Potential Fraud

After performing audit procedures, the auditor evaluates the evidence obtained. When a misstatement is identified, the auditor must determine if it is an isolated error or potentially indicative of fraud. Even a small, quantitatively immaterial misstatement can be significant if it suggests a deliberate act or a control breakdown.

If the auditor determines that evidence of fraud may exist, it must be brought to the attention of the appropriate level of management. This communication is required for any indication of fraud, regardless of its materiality, and is typically made to a level above the people involved.

When suspected fraud involves senior management or results in a material misstatement of the financial statements, the auditor must report the findings directly to those charged with governance, often the audit committee. This ensures that those with ultimate oversight responsibility are aware of significant integrity issues.

The discovery of fraud can also affect the auditor’s report. If management corrects the material misstatement, the auditor can issue an unqualified, or “clean,” opinion. If management refuses, the auditor will issue a modified opinion—either qualified or adverse—alerting users that the financial statements are not fairly presented. In some circumstances, the auditor may need to withdraw from the engagement.

Documenting the Consideration of Fraud

The auditor’s workpapers must contain a detailed record of the procedures performed and conclusions reached regarding the risk of material misstatement due to fraud. This documentation serves as the primary evidence that the audit was planned and performed in accordance with professional standards.

Key items that must be documented include the significant decisions reached during the audit team’s brainstorming session about the entity’s susceptibility to fraud. The workpapers must also detail the identified and assessed risks of material misstatement due to fraud at both the financial statement and assertion levels.

The documentation must also capture the auditor’s overall response to these risks and the nature, timing, and extent of the specific audit procedures performed. The results of these procedures, including those designed to address the risk of management override, and all communications about fraud must also be recorded.