AU Section 316A
Consideration of Fraud in a Financial Statement Audit
- (.01 - .02) Introduction
- (.03 - .10) Description and Characteristics of Fraud
- (.11 - .25) Assessment of the Risk of Material Misstatement Due to Fraud
- (.26 - .32) The Auditor's Response to the Results of the Assessment
- (.33 - .36) Evaluation of Audit Test Results
- (.37) Documentation of the Auditor's Risk Assessment and Response
- (.38 -.40) Communications About Fraud to Management, the Audit Committee, and Others
- (.41) Effective Date
(Supersedes SAS No. 53)
Source: SAS No. 82.
Effective for audits of financial statements for periods ending on or after December 15, 1997.
Section 110, Responsibilities and Functions of the Independent Auditor, states that "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." fn 1 This section provides guidance to auditors in fulfilling that responsibility, as it relates to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards. Specifically, this section—
- Describes fraud and its characteristics (see paragraphs .03 through .10).
- Requires the auditor to specifically assess the risk of material misstatement due to fraud and provides categories of fraud risk factors to be considered in the auditor's assessment (see paragraphs .11 through .25).
- Provides guidance on how the auditor responds to the results of the assessment (see paragraphs .26 through .32).
- Provides guidance on the evaluation of audit test results as they relate to the risk of material misstatement due to fraud (see paragraphs .33 through .36).
- Describes related documentation requirements (see paragraph .37).
- Provides guidance regarding the auditor's communication about fraud to management, the audit committee, and others (see paragraphs .38 through .40).
While this section focuses on the auditor's consideration of fraud in an audit of financial statements, management is responsible for the prevention and detection of fraud. fn 2 That responsibility is described in section 110.03, which states, "Management is responsible for adopting sound accounting policies and for establishing and maintaining internal control that will, among other things, initiate, record, process, and report transactions consistent with management's assertions embodied in the financial statements." [Revised, April 2002, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]
Description and Characteristics of Fraud
Although fraud is a broad legal concept, the auditor's interest specifically relates to fraudulent acts that cause a material misstatement of financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in financial statements is intentional or unintentional. fn 3 Two types of misstatements are relevant to the auditor's consideration of fraud in a financial statement audit—misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. fn 4 These two types of misstatements are described in the following paragraphs.
Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. Fraudulent financial reporting may involve acts such as the following:
- Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared
- Misrepresentation in, or intentional omission from, the financial statements of events, transactions, or other significant information
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure
Misstatements arising from misappropriation of assets (sometimes referred to as defalcation) involve the theft of an entity's assets where the effect of the theft causes the financial statements not to be presented in conformity with generally accepted accounting principles. fn 5 Misappropriation can be accomplished in various ways, including embezzling receipts, stealing assets, or causing an entity to pay for goods or services not received. Misappropriation of assets may be accompanied by false or misleading records or documents and may involve one or more individuals among management, employees, or third parties.
Fraud frequently involves the following: (a) a pressure or an incentive to commit fraud and (b) a perceived opportunity to do so. Although specific pressures and opportunities for fraudulent financial reporting may differ from those for misappropriation of assets, these two conditions usually are present for both types of fraud. For example, fraudulent financial reporting may be committed because management is under pressure to achieve an unrealistic earnings target. Misappropriation of assets may be committed because the individuals involved are living beyond their means. A perceived opportunity may exist in either situation because an individual believes he or she could circumvent internal control.
Fraud may be concealed through falsified documentation, including forgery. For example, management that engages in fraudulent financial reporting might attempt to conceal misstatements by creating fictitious invoices, while employees or management who misappropriate cash might try to conceal their thefts by forging signatures or creating invalid electronic approvals on disbursement authorizations. An audit conducted in accordance with generally accepted auditing standards rarely involves authentication of documentation, nor are auditors trained as or expected to be experts in such authentication.
Fraud also may be concealed through collusion among management, employees, or third parties. For example, through collusion, false evidence that control activities have been performed effectively may be presented to the auditor. As another example, the auditor may receive a false confirmation from a third party who is in collusion with management. Collusion may cause the auditor to believe that evidence is persuasive when it is, in fact, false.
Although fraud usually is concealed, the presence of risk factors or other conditions may alert the auditor to a possibility that fraud may exist. For example, a document may be missing, a general ledger may be out of balance, or an analytical relationship may not make sense. However, these conditions may be the result of circumstances other than fraud. Documents may have been legitimately lost; the general ledger may be out of balance because of an unintentional accounting error; and unexpected analytical relationships may be the result of unrecognized changes in underlying economic factors. Even reports of alleged fraud may not always be reliable, because an employee or outsider may be mistaken or may be motivated to make a false allegation.
An auditor cannot obtain absolute assurance that material misstatements in the financial statements will be detected. Because of (a) the concealment aspects of fraudulent activity, including the fact that fraud often involves collusion or falsified documentation, and (b) the need to apply professional judgment in the identification and evaluation of fraud risk factors and other conditions, even a properly planned and performed audit may not detect a material misstatement resulting from fraud. Accordingly, because of the above characteristics of fraud and the nature of audit evidence as discussed in section 230A, Due Professional Care in the Performance of Work, the auditor is able to obtain only reasonable assurance that material misstatements in the financial statements, including misstatements resulting from fraud, are detected.
Assessment of the Risk of Material Misstatement Due to Fraud
Section 311, Planning and Supervision, provides guidance as to the level of knowledge of the entity's business that will enable the auditor to plan and perform an audit of financial statements in accordance with generally accepted auditing standards. Section 312, Audit Risk and Materiality in Conducting an Audit, provides that determination of the scope of the auditing procedures is directly related to the consideration of audit risk and indicates that the risk of material misstatement of the financial statements due to fraud is part of audit risk.
The auditor should specifically assess the risk of material misstatement of the financial statements due to fraud and should consider that assessment in designing the audit procedures to be performed. In making this assessment, the auditor should consider fraud risk factors that relate to both (a) misstatements arising from fraudulent financial reporting and (b) misstatements arising from misappropriation of assets in each of the related categories presented in paragraphs .16 and .18. fn 6 While such risk factors do not necessarily indicate the existence of fraud, they often have been observed in circumstances where frauds have occurred.
As part of the risk assessment, the auditor also should inquire of management (a) to obtain management's understanding regarding the risk of fraud in the entity and (b) to determine whether they have knowledge of fraud that has been perpetrated on or within the entity. Information from these inquiries could identify fraud risk factors that may affect the auditor's assessment and related response. Some examples of matters that might be discussed as part of the inquiry are (a) whether there are particular subsidiary locations, business segments, types of transactions, account balances, or financial statement categories where fraud risk factors exist or may be more likely to exist and (b) how management may be addressing such risks.
Although the fraud risk factors described in paragraphs .17 and .19 below cover a broad range of situations typically faced by auditors, they are only examples. Moreover, not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size, with different ownership characteristics, in different industries, or because of other differing characteristics or circumstances. Accordingly, the auditor should use professional judgment when assessing the significance and relevance of fraud risk factors and determining the appropriate audit response.
For example, in a small entity domination of management by a single individual generally does not, in and of itself, indicate a failure by management to display and communicate an appropriate attitude regarding internal control and the financial reporting process. As another example, there may be little motivation for fraudulent financial reporting by management of a privately held business when the financial statements audited are used only in connection with seasonal bank borrowings, debt covenants are not especially burdensome, and the entity has a long history of financial success consistent with the industry in which it operates. Conversely, management of a small entity with unusually rapid growth or profitability may be motivated to avoid an interruption in its growth trends, especially compared with others in its industry.
Risk Factors Relating to Misstatements Arising From Fraudulent Financial Reporting
Risk factors that relate to misstatements arising from fraudulent financial reporting may be grouped in the following three categories:
- Management's characteristics and influence over the control environment. These pertain to management's abilities, pressures, style, and attitude relating to internal control and the financial reporting process.
- Industry conditions. These involve the economic and regulatory environment in which the entity operates.
- Operating characteristics and financial stability. These pertain to the nature and complexity of the entity and its transactions, the entity's financial condition, and its profitability.
The following are examples of risk factors relating to misstatements arising from fraudulent financial reporting for each of the three categories described above:
- Risk factors relating to management's characteristics and influence over the control environment. Examples include—
- A motivation for management to engage in fraudulent financial reporting. Specific indicators might include—
- A significant portion of management's compensation represented by bonuses, stock options, or other incentives, the value of which is contingent upon the entity achieving unduly aggressive targets for operating results, financial position, or cash flow.
- An excessive interest by management in maintaining or increasing the entity's stock price or earnings trend through the use of unusually aggressive accounting practices.
- A practice by management of committing to analysts, creditors, and other third parties to achieve what appear to be unduly aggressive or clearly unrealistic forecasts.
- An interest by management in pursuing inappropriate means to minimize reported earnings for tax-motivated reasons.
- A failure by management to display and communicate an appropriate attitude regarding internal control and the financial reporting process. Specific indicators might include—
- An ineffective means of communicating and supporting the entity's values or ethics, or communication of inappropriate values or ethics.
- Domination of management by a single person or small group without compensating controls such as effective oversight by the board of directors or audit committee.
- Inadequate monitoring of significant controls.
- Management failing to correct known reportable conditions on a timely basis.
- Management setting unduly aggressive financial targets and expectations for operating personnel.
- Management displaying a significant disregard for regulatory authorities.
- Management continuing to employ an ineffective accounting, information technology, or internal auditing staff.
- Nonfinancial management's excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates.
- High turnover of senior management, counsel, or board members.
- Strained relationship between management and the current or predecessor auditor. Specific indicators might include—
- Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.
- Unreasonable demands on the auditor including unreasonable time constraints regarding the completion of the audit or the issuance of the auditor's reports.
- Formal or informal restrictions on the auditor that inappropriately limit his or her access to people or information or his or her ability to communicate effectively with the board of directors or the audit committee.
- Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the auditor's work.
- Known history of securities law violations or claims against the entity or its senior management alleging fraud or violations of securities laws.
- A motivation for management to engage in fraudulent financial reporting. Specific indicators might include—
- Risk factors relating to industry conditions. Examples include—
- New accounting, statutory, or regulatory requirements that could impair the financial stability or profitability of the entity.
- High degree of competition or market saturation, accompanied by declining margins.
- Declining industry with increasing business failures and significant declines in customer demand.
- Rapid changes in the industry, such as high vulnerability to rapidly changing technology or rapid product obsolescence.
- Risk factors relating to operating characteristics and financial stability. Examples include—
- Inability to generate cash flows from operations while reporting earnings and earnings growth.
- Significant pressure to obtain additional capital necessary to stay competitive considering the financial position of the entity—including need for funds to finance major research and development or capital expenditures.
- Assets, liabilities, revenues, or expenses based on significant estimates that involve unusually subjective judgments or uncertainties, or that are subject to potential significant change in the near term in a manner that may have a financially disruptive effect on the entity—such as ultimate collectibility of receivables, timing of revenue recognition, realizability of financial instruments based on the highly subjective valuation of collateral or difficult-to-assess repayment sources, or significant deferral of costs.
- Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.
- Significant, unusual, or highly complex transactions, especially those close to year end, that pose difficult "substance over form" questions.
- Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification.
- Overly complex organizational structure involving numerous or unusual legal entities, managerial lines of authority, or contractual arrangements without apparent business purpose.
- Difficulty in determining the organization or individual(s) that control(s) the entity.
- Unusually rapid growth or profitability, especially compared with that of other companies in the same industry.
- Especially high vulnerability to changes in interest rates.
- Unusually high dependence on debt or marginal ability to meet debt repayment requirements; debt covenants that are difficult to maintain.
- Unrealistically aggressive sales or profitability incentive programs.
- Threat of imminent bankruptcy or foreclosure, or hostile takeover.
- Adverse consequences on significant pending transactions, such as a business combination or contract award, if poor financial results are reported.
- Poor or deteriorating financial position when management has personally guaranteed significant debts of the entity.
Risk Factors Relating to Misstatements Arising From Misappropriation of Assets
Risk factors that relate to misstatements arising from misappropriation of assets may be grouped in the two categories below. The extent of the auditor's consideration of the risk factors in category b is influenced by the degree to which risk factors in category a are present.
- Susceptibility of assets to misappropriation. These pertain to the nature of an entity's assets and the degree to which they are subject to theft.
- Controls. These involve the lack of controls designed to prevent or detect misappropriations of assets.
The following are examples of risk factors relating to misstatements arising from misappropriation of assets for each of the two categories described above:
- Risk factors relating to susceptibility of assets to misappropriation
- Large amounts of cash on hand or processed
- Inventory characteristics, such as small size, high value, or high demand
- Easily convertible assets, such as bearer bonds, diamonds, or computer chips
- Fixed asset characteristics, such as small size, marketability, or lack of ownership identification
- Risk factors relating to controls
- Lack of appropriate management oversight (for example, inadequate supervision or monitoring of remote locations)
- Lack of job applicant screening procedures relating to employees with access to assets susceptible to misappropriation
- Inadequate record-keeping with respect to assets susceptible to misappropriation
- Lack of appropriate segregation of duties or independent checks
- Lack of appropriate system of authorization and approval of transactions (for example, in purchasing)
- Poor physical safeguards over cash, investments, inventory, or fixed assets
- Lack of timely and appropriate documentation for transactions (for example, credits for merchandise returns)
- Lack of mandatory vacations for employees performing key control functions
The auditor is not required to plan the audit to discover information that is indicative of financial stress of employees or adverse relationships between the entity and its employees. Nevertheless, the auditor may become aware of such information. Some examples of such information include (a) anticipated future employee layoffs that are known to the workforce, (b) employees with access to assets susceptible to misappropriation who are known to be dissatisfied, (c) known unusual changes in behavior or lifestyle of employees with access to assets susceptible to misappropriation, and (d) known personal financial pressures affecting employees with access to assets susceptible to misappropriation. If the auditor becomes aware of the existence of such information, he or she should consider it in assessing the risk of material misstatement arising from misappropriation of assets.
Consideration of Risk Factors in Assessing the Risk of Material Misstatement Due to Fraud
Fraud risk factors cannot easily be ranked in order of importance or combined into effective predictive models. The significance of risk factors varies widely. Some of these factors will be present in entities where the specific conditions do not present a risk of material misstatement. Accordingly, the auditor should exercise professional judgment when considering risk factors individually or in combination and whether there are specific controls that mitigate the risk. For example, an entity may not screen newly hired employees having access to assets susceptible to theft. This factor, by itself, might not significantly affect the assessment of the risk of material misstatement due to fraud. However, if it were coupled with a lack of appropriate management oversight and a lack of physical safeguards over such assets as readily marketable inventory or fixed assets, the combined effect of these related factors might be significant to that assessment.
The size, complexity, and ownership characteristics of the entity have a significant influence on the consideration of relevant risk factors. For example, in the case of a large entity, the auditor ordinarily would consider factors that generally constrain improper conduct by senior management, such as the effectiveness of the board of directors, the audit committee or others with equivalent authority and responsibility, and the internal audit function. The auditor also would consider what steps had been taken to enforce a formal code of conduct and the effectiveness of the budgeting or reporting system. Furthermore, risk factors evaluated at a country-specific or business segment operating level may provide different insights than the evaluation at an entity-wide level. fn 7 In the case of a small entity, some or all of these considerations might be inapplicable or less important. For example, a smaller entity might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example.
Section 319, Consideration of Internal Control in a Financial Statement Audit, requires the auditor to obtain a sufficient understanding of the entity's internal control over financial reporting to plan the audit. It also notes that such knowledge should be used to identify types of potential misstatements; consider factors that affect the risk of material misstatement; design tests of controls, when applicable; and design substantive tests. The understanding often will affect the auditor's consideration of the significance of fraud risk factors. In addition, when considering the significance of fraud risk factors, the auditor may wish to assess whether there are specific controls that mitigate the risk or whether specific control deficiencies may exacerbate the risk. [Revised, May 2001, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.] [fn 8]
If the entity has established a program that includes steps to prevent, deter, and detect fraud, the auditor may consider its effectiveness. The auditor also should inquire of those persons overseeing such programs as to whether the program has identified any fraud risk factors.
The assessment of the risk of material misstatement due to fraud is a cumulative process that includes a consideration of risk factors individually and in combination. In addition, fraud risk factors may be identified while performing procedures relating to acceptance or continuance of clients and engagements, fn 9 during engagement planning or while obtaining an understanding of an entity's internal control, or while conducting fieldwork. fn 10 Also, other conditions may be identified during fieldwork that change or support a judgment regarding the assessment—such as the following:
- Discrepancies in the accounting records, including—
- Transactions not recorded in a complete or timely manner or improperly recorded as to amount, accounting period, classification, or entity policy.
- Unsupported or unauthorized balances or transactions.
- Last-minute adjustments by the entity that significantly affect financial results.
- Conflicting or missing evidential matter, including—
- Missing documents.
- Unavailability of other than photocopied documents when documents in original form are expected to exist.
- Significant unexplained items on reconciliations.
- Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures.
- Unusual discrepancies between the entity's records and confirmation replies.
- Missing inventory or physical assets of significant magnitude.
- Problematic or unusual relationships between the auditor and client, including—
- Denied access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought. fn 11
- Undue time pressures imposed by management to resolve complex or contentious issues.
- Unusual delays by the entity in providing requested information.
- Tips or complaints to the auditor about fraud.
The Auditor's Response to the Results of the Assessment
A risk of material misstatement due to fraud is always present to some degree. The auditor's response to the foregoing assessment is influenced by the nature and significance of the risk factors identified as being present. In some cases, even though fraud risk factors have been identified as being present, the auditor's judgment may be that audit procedures otherwise planned are sufficient to respond to the risk factors. In other circumstances, the auditor may conclude that the conditions indicate a need to modify procedures. fn 12 In these circumstances, the auditor should consider whether the assessment of the risk of material misstatement due to fraud calls for an overall response, one that is specific to a particular account balance, class of transactions or assertion, or both. The auditor also may conclude that it is not practicable to modify the procedures that are planned for the audit of the financial statements sufficiently to address the risk. In that case withdrawal from the engagement with communication to the appropriate parties may be an appropriate course of action (see paragraph .36).
Judgments about the risk of material misstatement due to fraud may affect the audit in the following ways:
- Professional skepticism. Due professional care requires the auditor to exercise professional skepticism—that is, an attitude that includes a questioning mind and critical assessment of audit evidence (seesection 230A.07 through .09). Some examples demonstrating the application of professional skepticism in response to the auditor's assessment of the risk of material misstatement due to fraud include (a) increased sensitivity in the selection of the nature and extent of documentation to be examined in support of material transactions, and (b) increased recognition of the need to corroborate management explanations or representations concerning material matters—such as further analytical procedures, examination of documentation, or discussion with others within or outside the entity.
- Assignment of personnel. The knowledge, skill, and ability of personnel assigned significant engagement responsibilities should be commensurate with the auditor's assessment of the level of risk of the engagement (see section 210, Training and Proficiency of the Independent Auditor, paragraph .03). In addition, the extent of supervision should recognize the risk of material misstatement due to fraud and the qualifications of persons performing the work (seesection 311.11).
- Accounting principles and policies. The auditor may decide to consider further management's selection and application of significant accounting policies, particularly those related to revenue recognition, asset valuation, or capitalizing versus expensing. In this respect, the auditor may have a greater concern about whether the accounting principles selected and policies adopted are being applied in an inappropriate manner to create a material misstatement of the financial statements.
- Controls. When a risk of material misstatement due to fraud relates to risk factors that have control implications, the auditor's ability to assess control risk below the maximum may be reduced. However, this does not eliminate the need for the auditor to obtain an understanding of the components of the entity's internal control sufficient to plan the audit (seesection 319). In fact, such an understanding may be of particular importance in further understanding and considering any controls (or lack thereof) the entity has in place to address the identified fraud risk factors. However, this consideration also would need to include an added sensitivity to management's ability to override such controls.
The nature, timing, and extent of procedures may need to be modified in the following ways:
- The nature of audit procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information. For example, more evidential matter may be needed from independent sources outside the entity. Also, physical observation or inspection of certain assets may become more important. (See section 326, Evidential Matter, paragraphs .19 through .22.)
- The timing of substantive tests may need to be altered to be closer to or at year end. For example, if there are unusual incentives for management to engage in fraudulent financial reporting, the auditor might conclude that substantive testing should be performed near or at year end because it would not otherwise be possible to control the incremental audit risk associated with that risk factor. (See section 313, Substantive Tests Prior to the Balance-Sheet Date,paragraph .06.)
- The extent of the procedures applied should reflect the assessment of the risk of material misstatement due to fraud. For example, increased sample sizes or more extensive analytical procedures may be appropriate. (See section 350, Audit Sampling, paragraph .23, andsection 329, Analytical Procedures.)
Considerations at the Account Balance, Class of Transactions, and Assertion Level
Specific responses to the auditor's assessment of the risk of material misstatement due to fraud will vary depending upon the types or combinations of fraud risk factors or conditions identified and the account balances, classes of transactions, and assertions they may affect. If these factors or conditions indicate a particular risk applicable to specific account balances or types of transactions, audit procedures addressing these specific areas should be considered that will, in the auditor's judgment, limit audit risk to an appropriate level in light of the risk factors or conditions identified. The following are specific examples of responses:
- Visit locations or perform certain tests on a surprise or unannounced basis—for example, observing inventory at locations where auditor attendance has not been previously announced or counting cash at a particular date on a surprise basis.
- Request that inventories be counted at a date closer to year end.
- Alter the audit approach in the current year—for example, contacting major customers and suppliers orally in addition to written confirmation, sending confirmation requests to a specific party within an organization, or seeking more and different information.
- Perform a detailed review of the entity's quarter-end or year-end adjusting entries and investigate any that appear unusual as to nature or amount.
- For significant and unusual transactions, particularly those occurring at or near year end, investigate (a) the possibility of related parties and (b) the sources of financial resources supporting the transactions. fn 13
- Perform substantive analytical procedures at a detailed level. For example, compare sales and cost of sales by location and line of business to auditor-developed expectations. fn 14
- Conduct interviews of personnel involved in areas in which a concern about the risk of material misstatement due to fraud is present, to obtain their insights about the risk and whether or how controls address the risk.
- When other independent auditors are auditing the financial statements of one or more subsidiaries, divisions, or branches, consider discussing with them the extent of work necessary to be performed to ensure that the risk of material misstatement due to fraud resulting from transactions and activities among these components is adequately addressed.
- If the work of a specialist becomes particularly significant with respect to its potential impact on the financial statements, perform additional procedures with respect to some or all of the specialist's assumptions, methods, or findings to determine that the findings are not unreasonable or engage another specialist for that purpose. (See section 336, Using the Work of a Specialist, paragraph .12.)
Specific Responses—Misstatements Arising From Fraudulent Financial Reporting
Some examples of responses to the auditor's assessment of the risk of material misstatements arising from fraudulent financial reporting are—
- Revenue recognition. If there is a risk of material misstatement due to fraud that may involve or result in improper revenue recognition, it may be appropriate to confirm with customers certain relevant contract terms and the absence of side agreements—in as much as the appropriate accounting is often influenced by such terms or agreements. fn 15 For example, acceptance criteria, delivery and payment terms and the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances.
- Inventory quantities. If a risk of material misstatement due to fraud exists in inventory quantities, reviewing the entity's inventory records may help to identify locations, areas, or items for specific attention during or after the physical inventory count. Such a review may lead to a decision to observe inventory counts at certain locations on an unannounced basis (see paragraph .29). In addition, where the auditor has a concern about the risk of material misstatement due to fraud in the inventory area, it may be particularly important that the entity counts are conducted at all locations subject to count on the same date. Furthermore, it also may be appropriate for the auditor to apply additional procedures during the observation of the count—for example, examining more rigorously the contents of boxed items, the manner in which the goods are stacked (for example, hollow squares) or labeled, and the quality (that is, purity, grade, or concentration) of liquid substances such as perfumes or specialty chemicals. Finally, additional testing of count sheets, tags or other records, or the retention of copies may be warranted to minimize the risk of subsequent alteration or inappropriate compilation.
Specific Responses—Misstatements Arising From Misappropriations of Assets
The auditor may have identified a risk of material misstatement due to fraud relating to misappropriation of assets. For example, the auditor may conclude that such a risk of asset misappropriation at a particular operating location is significant. This may be the case when a specific type of asset is particularly susceptible to such a risk of misappropriation—for example, a large amount of easily accessible cash, or inventory items such as jewelry, that can be easily moved and sold. Control risk may be evaluated differently in each of these situations. Thus, differing circumstances necessarily would dictate different responses.
Usually the audit response to a risk of material misstatement due to fraud relating to misappropriation of assets will be directed toward certain account balances and classes of transactions. Although some of the audit responses noted in paragraphs .29 and .30 may apply in such circumstances, the scope of the work should be linked to the specific information about the misappropriation risk that has been identified. For example, where a particular asset is highly susceptible to misappropriation that is potentially material to the financial statements, obtaining an understanding of the control activities related to the prevention and detection of such misappropriation and testing the operating effectiveness of such controls may be warranted. In certain circumstances, physical inspection of such assets (for example, counting cash or securities) at or near year end may be appropriate. In addition, the use of substantive analytical procedures, including the development by the auditor of an expected dollar amount, at a high level of precision, to be compared with a recorded amount, may be effective in certain circumstances.
Evaluation of Audit Test Results
As indicated in paragraph .25, the assessment of the risk of material misstatement due to fraud is a cumulative process and one that should be ongoing throughout the audit. At the completion of the audit, the auditor should consider whether the accumulated results of audit procedures and other observations (for example, conditions noted in paragraph.25) affect the assessment of the risk of material misstatement due to fraud he or she made when planning the audit. This accumulation is primarily a qualitative matter based on the auditor's judgment. Such an accumulation may provide further insight into the risk of material misstatement due to fraud and whether there is a need for additional or different audit procedures to be performed.
When audit test results identify misstatements in the financial statements, the auditor should consider whether such misstatements may be indicative of fraud. fn 16 If the auditor has determined that misstatements are or may be the result of fraud, but the effect of the misstatements is not material to the financial statements, the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the person(s) involved. For example, fraud involving misappropriations of cash from a small petty cash fund normally would be of little significance to the auditor in assessing the risk of material misstatement due to fraud because both the manner of operating the fund and its size would tend to establish a limit on the amount of potential loss and the custodianship of such funds is normally entrusted to a relatively low-level employee. fn 17 Conversely, when the matter involves higher level management, even though the amount itself is not material to the financial statements, it may be indicative of a more pervasive problem. In such circumstances, the auditor should re-evaluate the assessment of the risk of material misstatement due to fraud and its resulting impact on (a) the nature, timing, and extent of the tests of balances or transactions, (b) the assessment of the effectiveness of controls if control risk was assessed below the maximum, and (c) the assignment of personnel that may be appropriate in the circumstances.
If the auditor has determined that the misstatement is, or may be, the result of fraud, and either has determined that the effect could be material to the financial statements or has been unable to evaluate whether the effect is material, the auditor should—
- Consider the implications for other aspects of the audit (see previous paragraph).
- Discuss the matter and the approach to further investigation with an appropriate level of management that is at least one level above those involved and with senior management.
- Attempt to obtain additional evidential matter to determine whether material fraud has occurred or is likely to have occurred, and, if so, its effect on the financial statements and the auditor's report thereon. fn 18
- If appropriate, suggest that the client consult with legal counsel.
The auditor's consideration of the risk of material misstatement due to fraud and the results of audit tests may indicate such a significant risk of fraud that the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others with equivalent authority and responsibility (hereafter referred to as the audit committee). fn 19, fn 20 Whether the auditor concludes that withdrawal from the engagement is appropriate may depend on the diligence and cooperation of senior management or the board of directors in investigating the circumstances and taking appropriate action. Because of the variety of circumstances that may arise, it is not possible to describe definitively when withdrawal is appropriate. The auditor may wish to consult with his or her legal counsel when considering withdrawal from an engagement.
Documentation of the Auditor's Risk Assessment and Response
In planning the audit, the auditor should document in the working papers evidence of the performance of the assessment of the risk of material misstatement due to fraud (see paragraphs .12 through .14). Where risk factors are identified as being present, the documentation should include (a) those risk factors identified and (b) the auditor's response (see paragraphs .26 through .32) to those risk factors, individually or in combination. In addition, if during the performance of the audit fraud risk factors or other conditions are identified that cause the auditor to believe that an additional response is required (paragraph .33), such risk factors or other conditions, and any further response that the auditor concluded was appropriate, also should be documented.
Communications About Fraud to Management, the Audit Committee, fn 21 and Others fn 22
Whenever the auditor has determined that there is evidence that fraud may exist, that matter should be brought to the attention of an appropriate level of management. This is generally appropriate even if the matter might be considered inconsequential, such as a minor defalcation by an employee at a low level in the entity's organization. Fraud involving senior management and fraud (whether caused by senior management or other employees) that causes a material misstatement of the financial statements should be reported directly to the audit committee. In addition, the auditor should reach an understanding with the audit committee regarding the expected nature and extent of communications about misappropriations perpetrated by lower-level employees.
When the auditor, as a result of the assessment of the risk of material misstatement due to fraud, has identified risk factors that have continuing control implications (whether or not transactions or adjustments that could be the result of fraud have been detected), the auditor should consider whether these risk factors represent reportable conditions relating to the entity's internal control that should be communicated to senior management and the audit committee. fn 23 (See section 325, Communication of Internal Control Related Matters Noted in an Audit.) The auditor also may wish to communicate other risk factors identified when actions can be reasonably taken by the entity to address the risk.
The disclosure of possible fraud to parties other than the client's senior management and its audit committee ordinarily is not part of the auditor's responsibility and ordinarily would be precluded by the auditor's ethical or legal obligations of confidentiality unless the matter is reflected in the auditor's report. The auditor should recognize, however, that in the following circumstances a duty to disclose outside the entity may exist:
- To comply with certain legal and regulatory requirements fn 24
- To a successor auditor when the successor makes inquiries in accordance with section 315, Communications Between Predecessor and Successor Auditors fn 25
- In response to a subpoena
- To a funding agency or other specified agency in accordance with requirements for the audits of entities that receive governmental financial assistance
Because potential conflicts with the auditor's ethical and legal obligations for confidentiality may be complex, the auditor may wish to consult with legal counsel before discussing matters covered by paragraphs .38 through .40 with parties outside the client.
This section is effective for audits of financial statements for periods ending on or after December 15, 1997. Early application of the provisions of this section is permissible.
Footnotes (AU Section 316A — Consideration of Fraud in a Financial Statement Audit):
fn 1 The auditor's consideration of illegal acts and responsibility for detecting misstatements resulting from illegal acts is defined in section 317, Illegal Acts by Clients. For those illegal acts that are defined in that section as having a direct and material effect on the determination of financial statement amounts, the auditor's responsibility to detect misstatements resulting from such illegal acts is the same as that for errors (seesection 312, Audit Risk and Materiality in Conducting an Audit) or fraud.
fn 2 In its October 1987 report, the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, noted that "The responsibility for reliable financial reporting resides first and foremost at the corporate level. Top management—starting with the chief executive officer—sets the tone and establishes the financial reporting environment. Therefore, reducing the risk of fraudulent financial reporting must start with the reporting company."
fn 3 Intent is often difficult to determine, particularly in matters involving accounting estimates and the application of accounting principles. For example, unreasonable accounting estimates may be unintentional or may be the result of an intentional attempt to misstate the financial statements. Although the auditor has no responsibility to determine intent, the auditor's responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement is relevant in either case.
fn 4 Unauthorized transactions also are relevant to the auditor when they could cause a misstatement in financial statements. When such transactions are intentional and result in material misstatement of the financial statements, they would fall into one of the two types of fraud discussed in this section. Also see the guidance in section 317.
fn 5 Reference to generally accepted accounting principles includes, where applicable, a comprehensive basis of accounting other than generally accepted accounting principles as defined in section 623, Special Reports, paragraph .04.
fn 6 The auditor should assess the risk of material misstatement due to fraud regardless of whether the auditor otherwise plans to assess inherent or control risk at the maximum (see section 312.29 and .30). An auditor may meet this requirement using different categories of risk factors as long as the assessment embodies the substance of each of the risk categories described in paragraphs .16 and .18. Also, since these risk categories encompass both inherent and control risk attributes, the specific assessment of the risk of material misstatement due to fraud may be performed in conjunction with the assessment of audit risk required by section 312.13 through .33, and section 319, Consideration of Internal Control in a Financial Statement Audit, paragraphs .62 through .82. Furthermore, the assessment of audit risk may identify the presence of additional fraud risk factors that the auditor should consider. [Footnote revised, May 2001, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]
fn 7 Section 312.18 provides guidance on the auditor's consideration of the extent to which auditing procedures should be performed at selected locations or components.
[fn 8] [Footnote deleted to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]
fn 9 See Statement on Quality Control Standards No. 2, System of Quality Control for a CPA Firm's Accounting and Auditing Practice, paragraphs .14 through .16 [QC section 20.14–.16].
fn 10 The auditor also obtains written representations from management on information concerning fraud involving (a) management, (b) employees who have significant roles in internal control, or (c) others where the fraud could have a material effect on the financial statements (see section 333A, Management Representations).
fn 11 Denial of access to information may constitute a limitation on the scope of the audit that may require the auditor to consider qualifying or disclaiming an opinion on the financial statements (see section 508, Reports on Audited Financial Statements, paragraphs .22 through .32).
fn 12 Section 312 requires the auditor to limit audit risk to a low level that is, in the auditor's professional judgment, appropriate for expressing an opinion on the financial statements.
fn 13 Section 334, Related Parties, provides guidance with respect to the identification of related-party relationships and transactions, including transactions that may be outside the ordinary course of business (see section 334.06).
fn 14 Section 329, Analytical Procedures, provides guidance on performing analytical procedures used as substantive tests.
fn 15 Section 330, The Confirmation Process, provides guidance about the confirmation process in audits performed in accordance with generally accepted auditing standards. Among other considerations, that guidance discusses the types of respondents from whom confirmations may be requested, and what the auditor should consider if information about the respondent's competence, knowledge, motivation, ability, or willingness to respond, or about the respondent's objectivity and freedom from bias with respect to the audited entity comes to his or her attention (section 330.27). It also provides that the auditor maintain control over the confirmation requests and responses in order to minimize the possibility that the results will be biased because of interception and alteration of the confirmation requests or responses (section 330.28). Further, when confirmation responses are other than in written communications mailed to the auditor, additional evidence, such as verifying the source and contents of a facsimile response in a telephone call to the purported sender, may be required to support their validity (section 330.29).
fn 16 See footnote 3.
fn 17 However, see paragraph .38 for a discussion of the auditor's communication responsibilities.
fn 18 See section 508 for guidance on auditors' reports issued in connection with audits of financial statements.
fn 19 Examples of "others with equivalent authority and responsibility" may include the board of directors, the board of trustees, or the owner in owner-managed entities, as appropriate.
fn 20 If the auditor, subsequent to the date of the report on the audited financial statements, becomes aware that facts existed at that date which might have affected the report had the auditor then been aware of such facts, the auditor should refer to section 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report, for guidance. Furthermore, section 315, Communications Between Predecessor and Successor Auditors, paragraphs .21 and .22, provide guidance regarding communication to the predecessor auditor.
fn 21 See footnote 19.
fn 22 The requirements to communicate noted in paragraphs .38 through .40 extend to any intentional misstatement of financial statements (see paragraph .03). However, the communication may utilize terms other than fraud—for example, irregularity, intentional misstatement, misappropriation, defalcation—if there is possible confusion with a legal definition of fraud or other reason to prefer alternative terms.
fn 23 Alternatively, the auditor may decide to communicate solely with the audit committee.
fn 24 These requirements include reports in connection with the termination of the engagement, such as when the entity reports an auditor change under the appropriate securities law on Form 8-K and the fraud or related risk factors constitute a "reportable event" or is the source of a "disagreement," as these terms are defined in Item 304 of Regulation S-K. These requirements also include reports that may be required, under certain circumstances, pursuant to the Private Securities Litigation Reform Act of 1995 (codified in section 10A(b)1 of the Securities Exchange Act of 1934) relating to an illegal act that has a material effect on the financial statements.
fn 25 In accordance with section 315, communication between predecessor and successor auditors requires the specific permission of the client.