1. Discussions among the engagement team
The audit team must hold discussions or brainstorming sessions among themselves on the entity being audited. Questions to consider include the nature and state of the entity in the previous year and what has changed in the current year; the nature and state of competitors in the industry and what the expectation is in terms of the state and performance of the entity in the current year; and the general state of the economy. If the state and/or performance of the entity is different from the expectation, it is important for the auditor to be sceptical in investigating the deviation from the expectation. For example, when the economy is going through a recession yet the entity continues to generate income and grow cash, the auditor should not accept this at face value but rather question how the entity is achieving this.
During the team discussion, members of the engagement team should be reminded that they will often be dealing with management, who have the ability to override any control in the business.
Here, the auditor needs to make inquiries of management as well as others about fraud and the entity’s response to the identified fraud risks. The auditor should draw on self-confidence in having the courage to ask the difficult questions that may make the client feel uncomfortable. These questions should include whether management or others interviewed have seen any unethical behaviour and what the interviewee’s response would be in such a case. Questions of this nature will provide the auditor with a feel for the culture of ethics in the business.
Here, the auditor would look at the fraud triangle. The auditor should also consider the fraud exposure rectangle. This rectangle suggests that in identifying risks, the auditor should not focus on just the debits and credits, because management will ensure that the debits and credits balance. Rather the auditor should be focusing on the changes and non-financial measures to identify discrepancies between the entity’s financial and non-financial performance.
The four aspects of the fraud exposure rectangle are the following:
Auditors often question where the aspects of the fraud exposure rectangle can be found in the International Standards on Auditing (ISAs). This is mapped to the ISAs as follows:
In assessing the identified risks, the auditor should apply professional judgement in assessing the entity’s programmes and internal controls.
In terms of the best-practice fraud prevention framework for organisations, the following ten building blocks have been identified around which the auditor should be focusing their questions, procedures or other matters for consideration:
Depending on the results of the information gathering activities and the subsequent identification and assessment of risks of material misstatement, the auditor must determine the overall audit strategy and consider how this impacts the nature, timing and extent of the audit procedures. The audit plan is just that, only a plan, that can be changed as new information comes to light.
The auditor should consider whether the results of the procedures provide evidence of fraud. It is interesting to note that in order to prove fraud in a court of law, five things need to be present, namely prejudice, an unlawful act, misrepresentation, causality and criminal intent.
If misrepresentation is missing, this is considered to be theft and if intent is missing, this is considered an error.
The process of triangulating audit evidence starts with the auditor questioning management and in responding, management may show the auditor the accounting records. The auditor then moves onto a second information source, namely management information intermediaries, which include the Information Technology department (IT), Human Resources department (HR), Procurement, etc., to confirm the information obtained from management. The auditor must bear in mind that management control these functions and could therefore still influence these people. To complete the triangulating audit evidence and overcome management’s ability to influence others and override controls, the auditor should take the information-gathering process to the third, external source, namely entity business states (EBS) which comprise customers, suppliers, regulators, alliance partners, and capital markets or competitors and start building up the picture of evidence. (It is important to note that these three sources of evidence are not substitutes but rather complement each other.)
In applying the principle of triangulation of audit evidence to the audit process, and the auditor’s responsibility to obtain reasonable assurance, management representation does not get the auditor anywhere near obtaining the reasonable assurance that is required to form an opinion. The first source of information that the auditor receives is from management, but the auditor then confirms this information with the information intermediaries, which adds credibility to the information provided by management. In further enhancing the credibility of information received from management and moving closer towards obtaining reasonable assurance, the auditor moves on to the external EBS sources. If the information confirms what management and the information intermediaries have indicated, the auditor has most likely obtained sufficient appropriate audit evidence and hence reasonable assurance on which to base his/her audit opinion.
Whenever evidence of fraud is found, it should be brought to the attention of the appropriate level of management, even if the matter is inconsequential. Management are then aware of the findings and it is up to them to investigate the findings further and determine whether any preventive and/or corrective action is required. Should this finding result in a significant fraud act later, management will be solely responsible for the consequences of their inactions.
It is critical for the auditor to document the findings. The documentation should include evidence of conversations held, observations made and identified findings to enable the auditor to recall significant points noted. This may include copies of documents and photographs of observations where considered necessary.
The Independent Regulatory Board for Auditors (IRBA) recently issued the IRBA Staff Audit Practice Alert 4, A South African Perspective in the Auditor’s Considerations Relating to Fraud, which serves to provide auditors with implementation guidance in responding to the risks of material misstatements due to fraud and/or non-compliance with laws and regulations. Furthermore, the IRBA has developed a dedicated IRBA Fraud web page that contains a list of links to relevant audit-related guidance on fraud that have been developed internationally and locally.
Since auditors play an important role in combating fraud, auditors are encouraged to familiarise themselves with the content of the IRBA staff audit practice alert and consider implementing the guidance provided as well as the eight steps outlined above in performing an audit.
Do they trust and use the mechanism(s)?