AS 2401, Consideration of Fraud in a Financial Statement Audit (effective for fiscal years beginning both on or after 6/16/2024 and before 12/15/2024)
The following standard as amended is effective for audits of financial statements for fiscal years ending on or after June 15, 2025 (i.e., for audits for fiscal years beginning on or after June 16, 2024). The amendments are also illustrated in the marked text illustration of the amendments in Appendix 2 of PCAOB Release No. 2023-008.
Amendments to paragraphs .01, .04, .12, and .13 have been adopted by the PCAOB and approved by the U.S. Securities and Exchange Commission. The amendments will be effective for fiscal years beginning on or after December 15, 2024. See PCAOB Release No. 2024-004, SEC Release No. 34-100773.
Guidance on AS 2401: Staff Audit Practice Alerts No. 1, No. 2, No. 5, No. 8, No. 9, No. 10, No. 12, and No. 15 and Staff Guidance for Auditors of SEC-Registered Brokers and Dealers
Summary Table of Contents
- .01 Introduction and Overview
- .05 Description and Characteristics of Fraud
- .13 The Importance of Exercising Professional Skepticism
- .51 Responses Involving the Nature, Timing, and Extent of Procedures to be Performed
- .57 Audit Procedures Performed to Specifically Address the Risk of Management Override of Controls
- .79 Communicating About Possible Fraud to Management, the Audit Committee, the Securities and Exchange Commission, and Others
- .83 Documenting the Auditor's Consideration of Fraud
- .85 Appendix: Examples of Fraud Risk Factors
Introduction and Overview
.01 Paragraph .02 of AS 1001, Responsibilities and Functions of the Independent Auditor, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [footnote omitted]"1 This section establishes requirements and provides direction relevant to fulfilling that responsibility, as it relates to fraud, in an audit of financial statements.2
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraphs .14-.15 of AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, regarding fraud considerations, in addition to the fraud consideration set forth in this section.
.01A AS 2110, Identifying and Assessing Risks of Material Misstatement, establishes requirements regarding the process of identifying and assessing risks of material misstatement of the financial statements. AS 2301, The Auditor's Responses to the Risks of Material Misstatement, establishes requirements regarding designing and implementing appropriate responses to the risks of material misstatement. AS 2810, Evaluating Audit Results, establishes requirements regarding the auditor's evaluation of audit results and determination of whether he or she has obtained sufficient appropriate audit evidence.
.02 The following is an overview of the organization and content of this section:
- Description and characteristics of fraud. This section describes fraud and its characteristics. (See paragraphs .05 through .12.)
- The importance of exercising professional skepticism. This section discusses the need for auditors to exercise professional skepticism when considering the possibility that a material misstatement due to fraud could be present. (See paragraph .13.)
- Responding to fraud risks. This section discusses certain responses to fraud risks involving the nature, timing, and extent of audit procedures, including:
  - Responses to assessed fraud risks relating to fraudulent financial reporting and misappropriation of assets (see paragraphs .52 through .56).
  - Responses to specifically address the fraud risks arising from management override of internal controls (see paragraphs .57 through .67).
- Communicating about fraud to management, the audit committee, and others. This section provides guidance regarding the auditor's communications about fraud to management, the audit committee, and others. (See paragraphs .79 through .82.)
- Documenting the auditor's consideration of fraud. This section describes related documentation requirements. (See paragraph .83.)
.04 Although this section focuses on the auditor's consideration of fraud in an audit of financial statements, it is management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud.3 That responsibility is described in AS 1001.03, which states, "Management is responsible for adopting sound accounting policies and for establishing and maintaining internal control that will, among other things, initiate, record, process, and report transactions (as well as events and conditions) consistent with management's assertions embodied in the financial statements." Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee, board of trustees, board of directors, or the owner in owner-managed entities), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud. When management and those responsible for the oversight of the financial reporting process fulfill those responsibilities, the opportunities to commit fraud can be reduced significantly.
Description and Characteristics of Fraud
.05 Fraud is a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor's interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. For purposes of the section, fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit.4
.06 Two types of misstatements are relevant to the auditor's consideration of fraud—misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.
- Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in financial statements designed to deceive financial statement users where the effect causes the financial statements not to be presented, in all material respects, in conformity with generally accepted accounting principles (GAAP).5 Fraudulent financial reporting may be accomplished by the following:
  - Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared
  - Misrepresentation in or intentional omission from the financial statements of events, transactions, or other significant information
  - Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure
Fraudulent financial reporting need not be the result of a grand plan or conspiracy. It may be that management representatives rationalize the appropriateness of a material misstatement, for example, as an aggressive rather than indefensible interpretation of complex accounting rules, or as a temporary misstatement of financial statements, including interim statements, expected to be corrected later when operational results improve.
- Misstatements arising from misappropriation of assets (sometimes referred to as theft or defalcation) involve the theft of an entity's assets where the effect of the theft causes the financial statements not to be presented, in all material respects, in conformity with GAAP. Misappropriation of assets can be accomplished in various ways, including embezzling receipts, stealing assets, or causing an entity to pay for goods or services that have not been received. Misappropriation of assets may be accompanied by false or misleading records or documents, possibly created by circumventing controls. The scope of this section includes only those misappropriations of assets for which the effect of the misappropriation causes the financial statements not to be fairly presented, in all material respects, in conformity with GAAP.
.07 Three conditions generally are present when fraud occurs. First, management or other employees have an incentive or are under pressure, which provides a reason to commit fraud. Second, circumstances exist—for example, the absence of controls, ineffective controls, or the ability of management to override controls—that provide an opportunity for a fraud to be perpetrated. Third, those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act. However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient pressure on them. The greater the incentive or pressure, the more likely an individual will be able to rationalize the acceptability of committing fraud.
.08 Management has a unique ability to perpetrate fraud because it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively.6 Management can either direct employees to perpetrate fraud or solicit their help in carrying it out. In addition, management personnel at a component of the entity may be in a position to manipulate the accounting records of the component in a manner that causes a material misstatement in the consolidated financial statements of the entity. Management override of controls can occur in unpredictable ways.
.09 Typically, management and employees engaged in fraud will take steps to conceal the fraud from the auditors and others within and outside the organization. Fraud may be concealed by withholding evidence or misrepresenting information in response to inquiries or by falsifying documentation. For example, management that engages in fraudulent financial reporting might alter shipping documents. Employees or members of management who misappropriate cash might try to conceal their thefts by forging signatures or falsifying electronic approvals on disbursement authorizations. An audit conducted in accordance with the standards of the PCAOB rarely involves the authentication of such documentation, nor are auditors trained as or expected to be experts in such authentication. In addition, an auditor may not discover the existence of a modification of documentation through a side agreement that management or a third party has not disclosed.
.10 Fraud also may be concealed through collusion among management, employees, or third parties. Collusion may cause the auditor who has properly performed the audit to conclude that evidence provided is persuasive when it is, in fact, false. For example, through collusion, false evidence that controls have been operating effectively may be presented to the auditor, or consistent misleading explanations may be given to the auditor by more than one individual within the entity to explain an unexpected result of an analytical procedure. As another example, the auditor may receive a false confirmation from a third party that is in collusion with management.
.11 Although fraud usually is concealed and management's intent is difficult to determine, the presence of certain conditions may suggest to the auditor the possibility that fraud may exist. For example, an important contract may be missing, a subsidiary ledger may not be satisfactorily reconciled to its control account, or the results of an analytical procedure performed during the audit may not be consistent with expectations. However, these conditions may be the result of circumstances other than fraud. Documents may legitimately have been lost or misfiled; the subsidiary ledger may be out of balance with its control account because of an unintentional accounting error; and unexpected analytical relationships may be the result of unanticipated changes in underlying economic factors. Even reports of alleged fraud may not always be reliable because an employee or outsider may be mistaken or may be motivated for unknown reasons to make a false allegation.
.12 As indicated in paragraph .01, the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.7 However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud.
The Importance of Exercising Professional Skepticism
.13 Due professional care requires the auditor to exercise professional skepticism. See AS 1015.07 through .09. Because of the characteristics of fraud, the auditor's exercise of professional skepticism is important when considering the fraud risks. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest.
[.14-.45] [Paragraphs deleted.]
Responding to Assessed Fraud Risks
[.46-.50] [Paragraphs deleted.]
Responses Involving the Nature, Timing, and Extent of Procedures to Be Performed
.52 AS 2301.08 states that "[t]he auditor should design and perform audit procedures in a manner that addresses the assessed risks of material misstatement due to error or fraud for each relevant assertion of each significant account and disclosure." AS 2301.12 states that "the audit procedures that are necessary to address the assessed fraud risks depend upon the types of risks and the relevant assertions that might be affected."
Note: AS 2110.71b states that a fraud risk is a significant risk. Accordingly, the requirement for responding to significant risks also applies to fraud risks.
.53 The following are examples of responses to assessed fraud risks involving the nature, timing, and extent of audit procedures:
- Performing procedures at locations on a surprise or unannounced basis, for example, observing inventory on unexpected dates or at unexpected locations or counting cash on a surprise basis.
- Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimize the risk of manipulation of balances in the period between the date of completion of the count and the end of the reporting period.
- Making oral inquiries of major customers and suppliers in addition to sending written confirmations, or sending confirmation requests to a specific party within an organization.
- Performing substantive analytical procedures using disaggregated data, for example, comparing gross profit or operating margins by location, line of business, or month to auditor-developed expectations.20
- Interviewing personnel involved in activities in areas in which a fraud risk has been identified to obtain their insights about the risk and how controls address the risk. (See AS 2110.54.)
- If other auditors or referred-to auditors20A are auditing the financial statements of one or more of the company’s locations or business units,20B where applicable, discussing with them the extent of work that needs to be performed to address the fraud risk resulting from transactions and activities relating to these locations or business units.
Additional Examples of Audit Procedures Performed to Respond to Assessed Fraud Risks Relating to Fraudulent Financial Reporting
.54 The following are additional examples of audit procedures that might be performed in response to assessed fraud risks relating to fraudulent financial reporting:
- Revenue recognition. Because revenue recognition is dependent on the particular facts and circumstances, as well as accounting principles and practices that can vary by industry, the auditor ordinarily will develop auditing procedures based on the auditor's understanding of the entity and its environment, including the composition of revenues, specific attributes of the revenue transactions, and unique industry considerations. If there is an identified fraud risk that involves improper revenue recognition, the auditor also may want to consider:
  - Performing substantive analytical procedures relating to revenue using disaggregated data, for example, comparing revenue reported by month and by product line or business segment during the current reporting period with comparable prior periods. Computer-assisted audit techniques may be useful in identifying unusual or unexpected revenue relationships or transactions.
  - Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements.21 For example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances.
  - Inquiring of the entity's sales and marketing personnel or in-house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.
  - Being physically present at one or more locations at period end to observe goods being shipped or being readied for shipment (or returns awaiting processing) and performing other appropriate sales and inventory cutoff procedures.
  - For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.
- Inventory quantities. If there is an identified fraud risk that affects inventory quantities, examining the entity's inventory records may help identify locations or items that require specific attention during or after the physical inventory count. Such a review may lead to a decision to observe inventory counts at certain locations on an unannounced basis (see paragraph .53) or to conduct inventory counts at all locations on the same date. In addition, it may be appropriate for inventory counts to be conducted at or near the end of the reporting period to minimize the risk of inappropriate manipulation during the period between the count and the end of the reporting period.
It also may be appropriate for the auditor to perform additional procedures during the observation of the count, for example, more rigorously examining the contents of boxed items, the manner in which the goods are stacked (for example, hollow squares) or labeled, and the quality (that is, purity, grade, or concentration) of liquid substances such as perfumes or specialty chemicals. Using the work of a specialist may be helpful in this regard.22 Furthermore, additional testing of count sheets, tags, or other records, or the retention of copies of these records, may be warranted to minimize the risk of subsequent alteration or inappropriate compilation.
Following the physical inventory count, the auditor may want to employ additional procedures directed at the quantities included in the priced out inventories to further test the reasonableness of the quantities counted—for example, comparison of quantities for the current period with prior periods by class or category of inventory, location or other criteria, or comparison of quantities counted with perpetual records. The auditor also may consider using computer-assisted audit techniques to further test the compilation of the physical inventory counts—for example, sorting by tag number to test tag controls or by item serial number to test the possibility of item omission or duplication.
- Management estimates. The auditor may identify a fraud risk involving the development of management estimates. This risk may affect a number of accounts and assertions, including asset valuation, estimates relating to specific transactions (such as acquisitions, restructurings, or disposals of a segment of the business), and other significant accrued liabilities (such as pension and other postretirement benefit obligations, or environmental remediation liabilities). The risk may also relate to significant changes in assumptions relating to recurring estimates.
In addressing an identified fraud risk involving accounting estimates, the auditor may want to supplement the audit evidence otherwise obtained (see AS 2501, Auditing Accounting Estimates, Including Fair Value Measurements). In certain circumstances (for example, evaluating the reasonableness of management's estimate of the fair value of an intangible asset), it may be appropriate to use the work of an auditor-employed specialist or an auditor-engaged specialist or develop an independent estimate for comparison to management's estimate. Information gathered about the entity and its environment may help the auditor evaluate the reasonableness of such management estimates and underlying judgments and assumptions.
A retrospective review of similar management judgments and assumptions applied in prior periods (see paragraphs .63 through .65) may also provide insight about the reasonableness of judgments and assumptions supporting management estimates.
Examples of Audit Procedures Performed to Respond to Fraud Risks Relating to Misappropriations of Assets
.55 The auditor may have identified a fraud risk relating to misappropriation of assets. For example, the auditor may conclude that the risk of asset misappropriation at a particular operating location is significant because a large amount of easily accessible cash is maintained at that location, or there are inventory items such as laptop computers at that location that can easily be moved and sold.
.56 The audit procedures performed in response to a fraud risk relating to misappropriation of assets usually will be directed toward certain account balances. Although some of the audit procedures noted in paragraphs .53 and .54 and in AS 2301.08 through .15 may apply in such circumstances, such as the procedures directed at inventory quantities, the scope of the work should be linked to the specific information about the misappropriation risk that has been identified. For example, if a particular asset is highly susceptible to misappropriation and a potential misstatement would be material to the financial statements, obtaining an understanding of the controls related to the prevention and detection of such misappropriation and testing the design and operating effectiveness of such controls may be warranted. In certain circumstances, physical inspection of such assets (for example, counting cash or securities) at or near the end of the reporting period may be appropriate. In addition, the use of substantive analytical procedures, such as the development by the auditor of an expected dollar amount at a high level of precision, to be compared with a recorded amount, may be effective in certain circumstances.
Audit Procedures Performed to Specifically Address the Risk of Management Override of Controls
.57 As noted in paragraph .08, management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively. By its nature, management override of controls can occur in unpredictable ways. Accordingly, as part of the auditor's responses that address fraud risks, the procedures described in paragraphs .58 through .67 should be performed to specifically address the risk of management override of controls.
.58 Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Material misstatements of financial statements due to fraud often involve the manipulation of the financial reporting process by (a) recording inappropriate or unauthorized journal entries throughout the year or at period end, or (b) making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as through consolidating adjustments, report combinations, and reclassifications. Accordingly, the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments (for example, entries posted directly to financial statement drafts) made in the preparation of the financial statements. More specifically, the auditor should:
- Obtain an understanding of the entity's financial reporting process23 and the controls over journal entries and other adjustments. (See paragraphs .59 and .60.)
- Identify and select journal entries and other adjustments for testing. (See paragraph .61.)
- Determine the timing of the testing. (See paragraph .62.)
- Inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments.
.59 The auditor's understanding of the entity's financial reporting process may help in identifying the type, number, and monetary value of journal entries and other adjustments that typically are made in preparing the financial statements. For example, the auditor's understanding may include the sources of significant debits and credits to an account, who can initiate entries to the general ledger or transaction processing systems, what approvals are required for such entries, and how journal entries are recorded (for example, entries may be initiated and recorded online with no physical evidence, or may be created in paper form and entered in batch mode).
.60 An entity may have implemented specific controls over journal entries and other adjustments. For example, an entity may use journal entries that are preformatted with account numbers and specific user approval criteria, and may have automated controls to generate an exception report for any entries that were unsuccessfully proposed for recording or entries that were recorded and processed outside of established parameters. The auditor should obtain an understanding of the design of such controls over journal entries and other adjustments and determine whether they are suitably designed and have been placed in operation.
.61 The auditor should use professional judgment in determining the nature, timing, and extent of the testing of journal entries and other adjustments. For purposes of identifying and selecting specific entries and other adjustments for testing, and determining the appropriate method of examining the underlying support for the items selected, the auditor should consider:
- The auditor's assessment of the fraud risk. The presence of fraud risk factors or other conditions may help the auditor to identify specific classes of journal entries for testing and indicate the extent of testing necessary.
- The effectiveness of controls that have been implemented over journal entries and other adjustments. Effective controls over the preparation and posting of journal entries and adjustments may affect the extent of substantive testing necessary, provided that the auditor has tested the controls. However, even though controls might be implemented and operating effectively, the auditor's substantive procedures for testing journal entries and other adjustments should include the identification and substantive testing of specific items.
- The entity's financial reporting process and the nature of the evidence that can be examined. The auditor's procedures for testing journal entries and other adjustments will vary based on the nature of the financial reporting process. For many entities, routine processing of transactions involves a combination of manual and automated steps and procedures. Similarly, the processing of journal entries and other adjustments might involve both manual and automated procedures and controls. Regardless of the method, the auditor's procedures should include selecting from the general ledger journal entries to be tested and examining support for those items. In addition, the auditor should be aware that journal entries and other adjustments might exist in either electronic or paper form. When information technology (IT) is used in the financial reporting process, journal entries and other adjustments might exist only in electronic form. Electronic evidence often requires extraction of the desired data by an auditor with IT knowledge and skills or the use of an IT specialist. In an IT environment, it may be necessary for the auditor to employ computer-assisted audit techniques (for example, report writers, software or data extraction tools, or other systems-based techniques) to identify the journal entries and other adjustments to be tested.
- The characteristics of fraudulent entries or adjustments. Inappropriate journal entries and other adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual, or seldom-used accounts, (b) made by individuals who typically do not make journal entries, (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description, (d) made either before or during the preparation of the financial statements that do not have account numbers, or (e) containing round numbers or a consistent ending number.
- The nature and complexity of the accounts. Inappropriate journal entries or adjustments may be applied to accounts that (a) contain transactions that are complex or unusual in nature, (b) contain significant estimates and period-end adjustments, (c) have been prone to errors in the past, (d) have not been reconciled on a timely basis or contain unreconciled differences, (e) contain intercompany transactions, or (f) are otherwise associated with an identified fraud risk. The auditor should recognize, however, that inappropriate journal entries and adjustments also might be made to other accounts. In audits of entities that have multiple locations or business units, the auditor should determine whether to select journal entries from locations or business units based on factors set forth in AS 2101.11–.14.
- Journal entries or other adjustments processed outside the normal course of business. Standard journal entries used on a recurring basis to record transactions such as monthly sales, purchases, and cash disbursements, or to record recurring periodic accounting estimates generally are subject to the entity's internal controls. Nonstandard entries (for example, entries used to record nonrecurring transactions, such as a business combination, or entries used to record a nonrecurring estimate, such as an asset impairment) might not be subject to the same level of internal control. In addition, other adjustments such as consolidating adjustments, report combinations, and reclassifications generally are not reflected in formal journal entries and might not be subject to the entity's internal controls. Accordingly, the auditor should consider placing additional emphasis on identifying and testing items processed outside of the normal course of business.
.62 Because fraudulent journal entries often are made at the end of a reporting period, the auditor's testing ordinarily should focus on the journal entries and other adjustments made at that time. However, because material misstatements in financial statements due to fraud can occur throughout the period and may involve extensive efforts to conceal how it is accomplished, the auditor should consider whether there also is a need to test journal entries throughout the period under audit.
.63 Reviewing accounting estimates for biases that could result in material misstatement due to fraud. In preparing financial statements, management is responsible for making a number of judgments or assumptions that affect accounting estimates and for monitoring the reasonableness of such estimates on an ongoing basis. Fraudulent financial reporting often is accomplished through intentional misstatement of accounting estimates. AS 2810.24–.27 discuss the auditor's responsibilities for assessing bias in accounting estimates and the effect of bias on the financial statements.
.64 The auditor should perform a retrospective review of accounting estimates in significant accounts and disclosures24 by comparing the prior year's estimates to actual results, if any, to determine whether management's judgments and assumptions relating to the estimates indicate a possible bias on the part of management. The accounting estimates selected for testing should be those for which there is an assessed fraud risk. With the benefit of hindsight, a retrospective review should provide the auditor with additional information about whether there may be a possible bias on the part of management in making the current-year estimates. This review, however, is not intended to call into question the auditor's professional judgments made in the prior year that were based on information available at the time.
.65 If the auditor identifies a possible bias on the part of management in making accounting estimates, the auditor should evaluate whether circumstances producing such a bias represent a risk of a material misstatement due to fraud. For example, information coming to the auditor's attention may indicate a risk that adjustments to the current-year estimates might be recorded at the instruction of management to arbitrarily achieve a specified earnings target.
.66 Evaluating whether the business purpose for significant unusual transactions indicates that the transactions may have been entered into to engage in fraud. Significant transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size, or nature ("significant unusual transactions") may be used to engage in fraudulent financial reporting or conceal misappropriation of assets.
Note: The auditor's identification of significant unusual transactions should take into account information obtained from: (a) the risk assessment procedures required by AS 2110 (e.g., inquiring of management and others, obtaining an understanding of the methods used to account for significant unusual transactions, and obtaining an understanding of internal control over financial reporting) and (b) other procedures performed during the audit (e.g., reading minutes of the board of directors meetings and performing journal entry testing).
Note: The auditor should take into account information that indicates that related parties or relationships or transactions with related parties previously undisclosed to the auditor might exist when identifying significant unusual transactions. See paragraphs .14-.16 of AS 2410, Related Parties. Appendix A of AS 2410 includes examples of such information and examples of sources of such information.
.66A The auditor should design and perform procedures to obtain an understanding of the business purpose (or the lack thereof) of each significant unusual transaction that the auditor has identified. The procedures should include:
- Reading the underlying documentation and evaluating whether the terms and other information about the transaction are consistent with explanations from inquiries and other audit evidence about the business purpose (or the lack thereof) of the transaction;
- Determining whether the transaction has been authorized and approved in accordance with the company's established policies and procedures;
- Evaluating the financial capability of the other parties with respect to significant uncollected balances, loan commitments, supply arrangements, guarantees, and other obligations, if any;24A and
- Performing other procedures as necessary depending on the identified and assessed risks of material misstatement.
Note: AS 2301.11A requires the auditor to take into account the types of potential misstatements that could result from significant unusual transactions in designing and performing further audit procedures. Additionally, AS 2310.30 states that for significant risks of material misstatement associated with either a complex transaction or a significant unusual transaction, the auditor should consider confirming those terms of the transaction that are associated with a significant risk of material misstatement, including a fraud risk. Examples of such terms may include terms related to: (i) oral side agreements, or undisclosed written or oral side agreements, where the auditor has reason to believe that such agreements may exist, (ii) bill and hold sales, and (iii) supplier discounts or concessions.
.67 The auditor should evaluate whether the business purpose (or the lack thereof) indicates that the significant unusual transaction may have been entered into to engage in fraudulent financial reporting or conceal misappropriation of assets. In making that evaluation, the auditor should evaluate whether:
- The form of the transaction is overly complex (e.g., the transaction involves multiple entities within a consolidated group or unrelated third parties);
- The transaction involves unconsolidated related parties, including variable interest entities;
- The transaction involves related parties or relationships or transactions with related parties previously undisclosed to the auditor;25A
- The transaction involves other parties that do not appear to have the financial capability to support the transaction without assistance from the company, or any related party of the company;
- The transaction lacks commercial or economic substance, or is part of a larger series of connected, linked, or otherwise interdependent arrangements that lack commercial or economic substance individually or in the aggregate (e.g., the transaction is entered into shortly prior to period end and is unwound shortly after period end);
- The transaction occurs with a party that falls outside the definition of a related party (as defined by the accounting principles applicable to that company), with either party able to negotiate terms that may not be available for other, more clearly independent, parties on an arm's-length basis;
- The transaction enables the company to achieve certain financial targets;
- Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economic substance of the transaction (e.g., accounting-motivated structured transaction); and
- Management has discussed the nature of and accounting for the transaction with the audit committee or another committee of the board of directors or the entire board.
Note: AS 2810.20–.23 provide requirements regarding the auditor's evaluation of whether identified misstatements might be indicative of fraud.
.67A The auditor must evaluate whether significant unusual transactions that the auditor has identified have been properly accounted for and disclosed in the financial statements. This includes evaluating whether the financial statements contain the information regarding significant unusual transactions essential for a fair presentation of the financial statements in conformity with the applicable financial reporting framework.25B
Note: The auditor considers management's disclosure regarding significant unusual transactions in other parts of the company's Securities and Exchange Commission filing containing the audited financial statements in accordance with AS 2710, Other Information in Documents Containing Audited Financial Statements.
[.68-.78] [Paragraphs deleted.]
Communicating About Possible Fraud to Management, the Audit Committee, the Securities and Exchange Commission, and Others37
.79 Whenever the auditor has determined that there is evidence that fraud may exist, that matter should be brought to the attention of an appropriate level of management. This is appropriate even if the matter might be considered inconsequential, such as a minor defalcation by an employee at a low level in the entity's organization. Fraud involving senior management and fraud (whether caused by senior management or other employees) that causes a material misstatement of the financial statements should be reported directly to the audit committee in a timely manner and prior to the issuance of the auditor's report. In addition, the auditor should reach an understanding with the audit committee regarding the nature and extent of communications with the committee about misappropriations perpetrated by lower-level employees.
.80 If the auditor, as a result of the assessment of the risks of material misstatement, has identified fraud risks that have continuing control implications (whether or not transactions or adjustments that could be the result of fraud have been detected), the auditor should consider whether these risks represent significant deficiencies that must be communicated to senior management and the audit committee.38 (See paragraph .04 of AS 1305, Communications About Control Deficiencies in an Audit of Financial Statements.) The auditor also should evaluate whether the absence of or deficiencies in controls that address fraud risks or otherwise help prevent, deter, and detect fraud (see AS 2110.72-.73) represent significant deficiencies or material weaknesses that should be communicated to senior management and the audit committee.
.81 The auditor also should consider communicating other fraud risks, if any, identified by the auditor. Such a communication may be a part of an overall communication to the audit committee of business and financial statement risks affecting the entity and/or in conjunction with the auditor communication about the qualitative aspects of the entity's accounting policies and practices (see paragraphs .12-.13 of AS 1301, Communications with Audit Committees). The auditor should communicate these matters to the audit committee in a timely manner and prior to the issuance of the auditor's report.
.81A The auditor has a responsibility, under certain conditions, to disclose possible fraud to the Securities and Exchange Commission to comply with certain legal and regulatory requirements. These requirements include reports in connection with the termination of the engagement, such as when the entity reports an auditor change and the fraud or related risk factors constitute a reportable event or are the source of a disagreement, as these terms are defined in Item 304 of Regulation S-K and Item 16F of Form 20-F. These requirements also include reports that may be required pursuant to Section 10A(b) of the Securities Exchange Act of 1934 relating to an illegal act that the auditor concludes has a material effect on the financial statements.
.82 The auditor also may have a duty to disclose the existence of possible fraud to parties outside the entity in the following circumstances:
- To a successor auditor when the successor makes inquiries in accordance with AS 2610, Initial Audits—Communications Between Predecessor and Successor Auditors.40
- In response to a subpoena.
- To a funding agency or other specified agency in accordance with requirements for the audits of companies that receive governmental financial assistance.
Documenting the Auditor's Consideration of Fraud
.83 The auditor should document the following:
- The discussion among engagement personnel in planning the audit regarding the susceptibility of the entity's financial statements to material misstatement due to fraud, including how and when the discussion occurred, the audit team members who participated, and the subject matter discussed (See AS 2110.52 and .53.)
- The procedures performed to obtain information necessary to identify and assess the fraud risks (See AS 2110.47, AS 2110.56 through .58, and AS 2110.65 through .69.)
- The fraud risks that were identified at the financial statement and assertion levels (see AS 2110.59 through .69.), and the linkage of those risks to the auditor's response (see AS 2301.05 through .15.)
- If the auditor has not identified in a particular circumstance, improper revenue recognition as a fraud risk, the reasons supporting the auditor's conclusion (See AS 2110.68.)
- The results of the procedures performed to address the assessed fraud risks, including those procedures performed to further address the risk of management override of controls (See AS 2301.15.)
- Other conditions and analytical relationships that caused the auditor to believe that additional auditing procedures or other responses were required and any further responses the auditor concluded were appropriate, to address such risks or other conditions (See AS 2810.05 through .09.)
- The nature of the communications about fraud made to management, the audit committee, and others (See paragraphs .79 through .82.)
[.84] [Paragraph deleted.]
Appendix
Examples of Fraud Risk Factors
.85 A.1 This appendix contains examples of risk factors discussed in AS 2110.65 through .69. Separately presented are examples relating to the two types of fraud relevant to the auditor's consideration—that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may wish to consider additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
Risk Factors Relating to Misstatements Arising From Fraudulent Financial Reporting
A.2 The following are examples of risk factors relating to misstatements arising from fraudulent financial reporting.
Incentives/Pressures
- Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by):
- High degree of competition or market saturation, accompanied by declining margins
- High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates
- Significant declines in customer demand and increasing business failures in either the industry or overall economy
- Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent
- Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth
- Rapid growth or unusual profitability, especially compared to that of other companies in the same industry
- New accounting, statutory, or regulatory requirements
- Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following:
- Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages
- Need to obtain additional debt or equity financing to stay competitive—including financing of major research and development or capital expenditures
- Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements
- Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards
- Information available indicates that management or the board of directors' personal financial situation is threatened by the entity's financial performance arising from the following:
- Significant financial interests in the entity
- Significant portions of their compensation (for example, bonuses, stock options, and earn-out arrangements) being contingent upon achieving aggressive targets for stock price, operating results, financial position, or cash flow1
- Personal guarantees of debts of the entity
- There is excessive pressure on management or operating personnel to meet financial targets set up by the board of directors or management, including sales or profitability incentive goals.
Opportunities
- The nature of the industry or the entity's operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:
- Related party transactions that are also significant unusual transactions (e.g., a significant related party transaction outside the normal course of business)
- Significant transactions with related parties whose financial statements are not audited or are audited by another firm
- A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm's-length transactions
- Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate
- Significant or highly complex transactions or significant unusual transactions, especially those close to period end, that pose difficult "substance-over-form" questions
- Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist
- Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification
- Contractual arrangements lacking a business purpose
- There is ineffective monitoring of management as a result of the following:
- Domination of management by a single person or small group (in a nonowner-managed business) without compensating controls
- Ineffective board of directors or audit committee oversight over the financial reporting process and internal control
- The exertion of dominant influence by or over a related party
- There is a complex or unstable organizational structure, as evidenced by the following:
- Difficulty in determining the organization or individuals that have controlling interest in the entity
- Overly complex organizational structure involving unusual legal entities or managerial lines of authority
- High turnover of senior management, counsel, or board members
- Internal control components are deficient as a result of the following:
- Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required)
- High turnover rates or employment of ineffective accounting, internal audit, or information technology staff
- Ineffective accounting and information systems, including situations involving reportable conditions
Attitudes/Rationalizations
Risk factors reflective of attitudes/rationalizations by board members, management, or employees, that allow them to engage in and/or justify fraudulent financial reporting, may not be susceptible to observation by the auditor. Nevertheless, the auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting. For example, auditors may become aware of the following information that may indicate a risk factor:
- Ineffective communication, implementation, support, or enforcement of the entity's values or ethical standards by management or the communication of inappropriate values or ethical standards
- Nonfinancial management's excessive participation in or preoccupation with the selection of accounting principles or the determination of significant estimates
- Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or board members alleging fraud or violations of laws and regulations
- Excessive interest by management in maintaining or increasing the entity's stock price or earnings trend
- A practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts
- Management failing to correct known reportable conditions on a timely basis
- An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons
- Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality
- The relationship between management and the current or predecessor auditor is strained, as exhibited by the following:
- Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters
- Unreasonable demands on the auditor, such as unreasonable time constraints regarding the completion of the audit or the issuance of the auditor's report
- Formal or informal restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with the board of directors or audit committee
- Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the auditor's work or the selection or continuance of personnel assigned to or consulted on the audit engagement
Risk Factors Relating to Misstatements Arising From Misappropriation of Assets
A.3 Risk factors that relate to misstatements arising from misappropriation of assets are also classified according to the three conditions generally present when fraud exists: incentives/pressures, opportunities, and attitudes/rationalizations. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and weaknesses in internal control may be present when misstatements due to either fraudulent financial reporting or misappropriation of assets exist. The following are examples of risk factors related to misstatements arising from misappropriation of assets.
Incentives/Pressures
- Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.
- Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:
- Known or anticipated future employee layoffs
- Recent or anticipated changes to employee compensation or benefit plans
- Promotions, compensation, or other rewards inconsistent with expectations
Opportunities
- Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:
- Large amounts of cash on hand or processed
- Inventory items that are small in size, of high value, or in high demand
- Easily convertible assets, such as bearer bonds, diamonds, or computer chips
- Fixed assets that are small in size, marketable, or lacking observable identification of ownership
- Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:
- Inadequate segregation of duties or independent checks
- Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations
- Inadequate job applicant screening of employees with access to assets
- Inadequate recordkeeping with respect to assets
- Inadequate system of authorization and approval of transactions (for example, in purchasing)
- Inadequate physical safeguards over cash, investments, inventory, or fixed assets
- Lack of complete and timely reconciliations of assets
- Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns
- Lack of mandatory vacations for employees performing key control functions
- Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation
- Inadequate access controls over automated records, including controls over and review of computer systems event logs.
Attitudes/Rationalizations
Risk factors reflective of employee attitudes/rationalizations that allow them to justify misappropriations of assets, are generally not susceptible to observation by the auditor. Nevertheless, the auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from misappropriation of assets. For example, auditors may become aware of the following attitudes or behavior of employees who have access to assets susceptible to misappropriation:
- Disregard for the need for monitoring or reducing risks related to misappropriations of assets
- Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies
- Behavior indicating displeasure or dissatisfaction with the company or its treatment of the employee
- Changes in behavior or lifestyle that may indicate assets have been misappropriated
Amendment to Section 230, Due Professional Care in the Performance of Work
Amendment to Section 333, Management Representations, paragraph .06 and Appendix A [paragraph .16]
Exhibit - Management Antifraud Programs and Controls
[.88] [Paragraph deleted.]
Footnotes (AS 2401 - Consideration of Fraud in a Financial Statement Audit):
1 The auditor's consideration of illegal acts and responsibility for detecting misstatements resulting from illegal acts is defined in AS 2405, Illegal Acts by Clients. For those illegal acts that are defined in that section as having a direct and material effect on the determination of financial statement amounts, the auditor's responsibility to detect misstatements resulting from such illegal acts is the same as that for errors or fraud.
2 For purposes of this standard, the term "audit of financial statements" refers to the financial statement portion of the integrated audit and to the audit of financial statements only.
3 In its October 1987 report, the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, noted, "The responsibility for reliable financial reporting resides first and foremost at the corporate level. Top management, starting with the chief executive officer, sets the tone and establishes the financial reporting environment. Therefore, reducing the risk of fraudulent financial reporting must start with the reporting company."
4 Intent is often difficult to determine, particularly in matters involving accounting estimates and the application of accounting principles. For example, unreasonable accounting estimates may be unintentional or may be the result of an intentional attempt to misstate the financial statements. Although an audit is not designed to determine intent, the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether the misstatement is intentional or not.
5 The auditor should look to the requirements of the Securities and Exchange Commission for the company under audit with respect to accounting principles applicable to that company.
6 Frauds have been committed by management override of existing controls using such techniques as (a) recording fictitious journal entries, particularly those recorded close to the end of an accounting period to manipulate operating results, (b) intentionally biasing assumptions and judgments used to estimate account balances, and (c) altering records and terms related to significant and unusual transactions.
7 For a further discussion of the concept of reasonable assurance, see paragraphs .10 through .13 of AS 1015, Due Professional Care in the Performance of Work.
[8-19] [Footnotes deleted.]
20 AS 2305, Substantive Analytical Procedures, establishes requirements regarding performing analytical procedures as substantive tests.
20A The terms “other auditor” and “referred-to auditor,” as used in this standard, have the same meaning as defined in Appendix A of AS 2101, Audit Planning.
20B The term “business units” includes subsidiaries, divisions, branches, components, or investments.
21 AS 2310, The Auditor’s Use of Confirmation, establishes requirements regarding the use of confirmation in audits of financial statements.
22 Appendix C of AS 1201, Supervision of the Audit Engagement, and AS 1210, Using the Work of an Auditor-Engaged Specialist, establish requirements for an auditor using the work of an auditor-employed specialist and an auditor-engaged specialist, respectively, in performing an audit of financial statements.
23 See AS 2110.28 through .32.
24 See AS 2110.60–.64, which describes requirements related to the identification of significant accounts and disclosures.
24A Examples of information that might be relevant to the auditor's evaluation of the other party's financial capability include, among other things, the audited financial statements of the other party, reports issued by regulatory agencies, financial publications, and income tax returns of the other party, to the extent available.
[25] [Footnote deleted.]
25A Related parties or relationships or transactions with related parties previously undisclosed to the auditor includes, to the extent not disclosed to the auditor by management: (1) related parties; (2) relationships or transactions with known related parties; and (3) relationships or transactions with previously unknown related parties. AS 2410 requires the auditor to perform certain procedures in circumstances in which the auditor determines that related parties or relationships or transactions with related parties previously undisclosed to the auditor exist.
25B See AS 2810.30–.31.
[26-36] [Footnotes deleted.]
37 The requirements to communicate noted in paragraphs .79 through .82 extend to any intentional misstatement of financial statements (see paragraph .03). However, the communication may use terms other than fraud—for example, irregularity, intentional misstatement, misappropriation, or defalcations—if there is possible confusion with a legal definition of fraud or other reason to prefer alternative terms.
38 Alternatively, the auditor may decide to communicate solely with the audit committee.
[39] [Footnote deleted.]
40 AS 2610 requires the specific permission of the client.
Footnote (Appendix - Examples of Fraud Risk Factors):
1 Management incentive plans may be contingent upon achieving targets relating only to certain accounts or selected activities of the entity, even though the related accounts or activities may not be material to the entity as a whole.