Finance News South Africa

Auditor's responsibilities relating to fraud - part 2

There are eight steps that auditors should follow during the audit to add value to the client and enhance the chances of detecting fraud.
Hayley Barker Hoogwerf, project director for assurance, Saica

1. Discussions among the engagement team
The audit team must hold discussions or brainstorming sessions among themselves on the entity being audited. Questions to consider include the nature and state of the entity in the previous year and what has changed in the current year; the nature and state of competitors in the industry and what the expectation is in terms of the state and performance of the entity in the current year; and the general state of the economy. If the state and/or performance of the entity is different from the expectation, it is important for the auditor to be sceptical in investigating the deviation from the expectation. For example, when the economy is going through a recession yet the entity continues to generate income and grow cash, the auditor should not accept this at face value but rather question how the entity is achieving this.

During the team discussion, members of the engagement team should be reminded that they will often be dealing with management, who have the ability to override any control in the business.

2. Risk assessment procedures and related activities

Here, the auditor needs to make inquiries of management as well as others about fraud and the entity’s response to the identified fraud risks. The auditor should have the self-confidence and courage to ask the difficult questions that may make the client feel uncomfortable. These questions should include whether management or others interviewed have seen any unethical behaviour and what the interviewee’s response would be in such a case. Questions of this nature will provide the auditor with a feel for the culture of ethics in the business.

3. Identifying risks

Here, the auditor would look at the fraud triangle. The auditor should also consider the fraud exposure rectangle. This rectangle suggests that in identifying risks, the auditor should not focus on just the debits and credits, because management will ensure that the debits and credits balance. Rather the auditor should be focusing on the changes and non-financial measures to identify discrepancies between the entity’s financial and non-financial performance.

The four aspects of the fraud exposure rectangle are the following:

  • Management and the directors, where the auditor should analyse the people and their behaviour. It is fundamental that the auditor assesses the integrity of the client, because this will ultimately determine whether the auditor is neutral in the application of professional scepticism or carrying out the necessary procedures to appropriately investigate an anomaly;
  • The company’s relationship with other entities, where the auditor should be alert to related-party transactions;
  • The organisation and its industry, where the auditor compares the entity to the industry and the competitors to assess their performance in comparison; and
  • Financial results and operating characteristics.

Auditors often question where the aspects of the fraud exposure rectangle can be found in the International Standards on Auditing (ISAs). This is mapped to the ISAs as follows:

  • International Standard on Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements (ISQC 1), requires the auditor to consider the integrity of the client (26(c)), including the identity and business reputation of the client’s principal owners, key management and those charged with governance, and the attitude of the client’s principal owners and key management towards such matters as an aggressive interpretation of accounting standards and the internal control environment (A19).
  • Factors listed in the application and other explanatory material of ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315 (Revised)), indicate that relevant industry factors include supplier and customer relations (A25).
  • ISA 315 (Revised) requires the auditor to obtain an understanding of relevant industry factors (11(a)) and an example of such factors listed in the application and other explanatory material includes the general economic conditions (A30).
  • ISA 315 (Revised) further requires the auditor to obtain an understanding of the entity, including its operations (11(b)).

4. Assessing risks

In assessing the identified risks, the auditor should apply professional judgement in assessing the entity’s programmes and internal controls.

In terms of the best-practice fraud prevention framework for organisations, the following ten building blocks have been identified around which the auditor should be focusing their questions, procedures or other matters for consideration:

Fraud risk assessment

  • Have you performed fraud risk assessments?
  • When last were fraud risk assessments performed?
  • What were the results of the fraud risk assessments?
  • Were the recommendations of the fraud risk assessment implemented?

Internal controls

Controls cannot eliminate errors and fraud, but can alert management to their presence so that timely and effective corrective action can be taken. Is management therefore:
  • Following up on ‘red flags’ as they are noticed?
  • Investigating all indications of potential errors or irregularities?
  • Incorporating a healthy scepticism by obtaining explanations and corroborating with supporting evidence?

Use of technology

In a recent survey, it was found that only 3% of fraudsters were detected through proactive use of technology while 24% of fraudsters use technology to defraud. Enquire if the entity is making use of data analytics, digital forensics and eDiscovery tools – proactively and not just reactively. eDiscovery is explained as a process of collecting, preparing, reviewing, interpreting and producing electronic documents from hard discs and other forms of storage.

Hiring

  • How does HR verify qualifications such as degrees and diplomas?
  • Does HR perform exit interviews?
  • How far does HR investigate and how extensive are the background checks that are performed before hiring – university, social media, a general Google search, etc.?
  • Have the HR people been trained in statement analysis while reviewing CVs and in deception detection when interviewing candidates either in person or online?

Training and awareness

  • Is the entity actively doing training and awareness?
  • When last was employee training held?
  • The length of training programme(s)
  • Inclusion of all employees, including senior management
  • Do you believe that there was a transfer of skills in this training?
  • Observable behaviour changes?

Policies

  • When last were policies reviewed/revised?
  • Do employees understand the content?
  • What is the frequency and method of communication to stakeholders?
  • Overall appeal – are there images, colour learning aids, etc.?

Ethics

Auditors should assess a company’s culture as it relates to ethics through:
  • Interviews
  • Surveys
  • Observations, and
  • Reviewing historical unethical activities (What happened, and how was it handled).

Accountability

Check HR files to see if all staff members have signed:
  • Conflict of interest declarations
  • Code of ethics declarations

Also inspect the attendance register for fraud and awareness training.

Hotline

Enquire about:
  • The number of calls
  • The type of calls
  • When the calls were made – after downsizing, crisis, etc.
  • Which divisions/departments were the focus of the calls?
  • Was reporting information shared with those charged with governance and/or senior managers as well as all employees?
  • Do employees understand the hotline process?
  • Do they know where to find the number?

Tone at the top

What is the perception of employees regarding executives? Are they perceived as having integrity, being fair, transparent, competent, responsible, and held accountable, as per principle 1 of King IV?

5. Responding to risks

Depending on the results of the information gathering activities and the subsequent identification and assessment of risks of material misstatement, the auditor must determine the overall audit strategy and consider how this impacts the nature, timing and extent of the audit procedures. The audit plan is just that, only a plan, that can be changed as new information comes to light.

6. Evaluating evidence

The auditor should consider whether the results of the procedures provide evidence of fraud. It is interesting to note that in order to prove fraud in a court of law, five things need to be present, namely prejudice, an unlawful act, misrepresentation, causality and criminal intent.
If misrepresentation is missing, this is considered to be theft and if intent is missing, this is considered an error.

Triangulation of audit evidence

The process of triangulating audit evidence starts with the auditor questioning management and, in responding, management may show the auditor the accounting records. The auditor then moves on to a second information source, namely management information intermediaries, which include the Information Technology department (IT), Human Resources department (HR), Procurement, etc., to confirm the information obtained from management. The auditor must bear in mind that management control these functions and could therefore still influence these people. To complete the triangulation of audit evidence and overcome management’s ability to influence others and override controls, the auditor should take the information-gathering process to the third, external source, namely entity business states (EBS), which comprise customers, suppliers, regulators, alliance partners, and capital markets or competitors, and start building up the picture of evidence. (It is important to note that these three sources of evidence are not substitutes but rather complement each other.)

In applying the principle of triangulation of audit evidence to the audit process, and the auditor’s responsibility to obtain reasonable assurance, management representation does not get the auditor anywhere near obtaining the reasonable assurance that is required to form an opinion. The first source of information that the auditor receives is from management, but the auditor then confirms this information with the information intermediaries, which adds credibility to the information provided by management. In further enhancing the credibility of information received from management and moving closer towards obtaining reasonable assurance, the auditor moves on to the external EBS sources. If the information confirms what management and the information intermediaries have indicated, the auditor has most likely obtained sufficient appropriate audit evidence and hence reasonable assurance on which to base his/her audit opinion.

7. Communicating

Whenever evidence of fraud is found, it should be brought to the attention of the appropriate level of management, even if the matter is inconsequential. Management are then aware of the findings and it is up to them to investigate the findings further and determine whether any preventive and/or corrective action is required. Should this finding result in a significant act of fraud later, management will be solely responsible for the consequences of their inaction.

8. Documenting

It is critical for the auditor to document the findings. The documentation should include evidence of conversations held, observations made and identified findings to enable the auditor to recall significant points noted. This may include copies of documents and photographs of observations where considered necessary.

South African guidance

The Independent Regulatory Board for Auditors (IRBA) recently issued the IRBA Staff Audit Practice Alert 4, A South African Perspective in the Auditor’s Considerations Relating to Fraud, which serves to provide auditors with implementation guidance in responding to the risks of material misstatements due to fraud and/or non-compliance with laws and regulations. Furthermore, the IRBA has developed a dedicated IRBA Fraud web page that contains a list of links to relevant audit-related guidance on fraud that have been developed internationally and locally.

In concluding

Since auditors play an important role in combating fraud, auditors are encouraged to familiarise themselves with the content of the IRBA staff audit practice alert and consider implementing the guidance provided as well as the eight steps outlined above in performing an audit.
Do they trust and use the mechanism(s)?

Hayley Barker Hoogwerf
Auditor's responsibilities relating to fraud - part 1

  2 Oct 2020

About Hayley Barker Hoogwerf

Hayley Barker Hoogwerf is the project director for assurance at the South African Institute for Chartered Accountants (Saica)