ISAs – Summaries and Application Guide ISA 240

ISA 240
FRAUD IN AN AUDIT OF FINANCIAL
STATEMENTS

LO # LEARNING OBJECTIVE

LO 1 FRAUD, TYPES OF FRAUD, AND RESPONSIBILITIES FOR FRAUD

LO 2 RISK ASSESSMENT PROCEDURES AND RISK OF FRAUD
LO 3 AUDITOR’S COURSE OF ACTION RELATING TO FRAUD
MANAGEMENT OVERRIDE OF CONTROL AND AUDITOR’S COURSE OF
LO 4
ACTION

1
ISAs – Summaries and Application Guide ISA 240

LO 1: FRAUD, TYPES OF FRAUD, AND RESPONSIBILITIES FOR FRAUD:

Distinction between Error and Fraud:
Misstatements in the financial statements can arise from either fraud or error.
 Error: an unintentional misstatement in financial statements.
 Fraud: An intentional act by one or more individuals involving the use of deception to
obtain an unjust or illegal advantage.

Types of Fraud:
There are two types of fraud i.e. Misappropriation of Assets and Fraudulent Financial Reporting.

Misappropriation of Assets:
Misappropriation of assets involves the theft of an entity’s assets and is often committed by
employees.

Misappropriation of assets includes:

 Embezzling receipts (e.g. depositing cash received from customers into personal account).
 Stealing physical assets or intellectual property (e.g. stealing inventory or scrap, selling
trade secrets to competitors).
 Causing an entity to pay for goods and services not received (e.g. payments to fictitious
suppliers or fictitious employees).
 Using an entity’s assets for personal use.

Fraudulent Financial Reporting:

Fraudulent financial reporting involves intentional misstatements in financial statements to deceive
financial statements’ users.

Fraudulent financial reporting includes:

 Recording fictitious journal entries, particularly close to year-end to achieve targets.
 Inappropriately changing assumptions and judgments used to estimate account balances.
 Advancing or delaying recognition of events and transactions.
 Altering records and terms related to significant transactions.
 Engaging in complex transactions that are structured to misrepresent the financial statements.
 Concealing facts that could affect the amounts recorded in the financial statements.

Fraudulent financial reporting is often committed by management through override of controls:

Responsibilities of Management and Auditor Regarding Fraud:

Responsibility of Management (& TCWG) regarding Fraud:
The primary responsibility for the prevention and detection of fraud rests with both TCWG and
management.
 Management should establish systems and controls to prevent and detect fraud.
 TCWG should monitor the systems and controls, and should also consider potential for
management override of control.

Responsibility of Auditor regarding Fraud:

Auditor’s primary responsibility is to express an opinion on financial statements (i.e. whether
financial statements are free from material misstatement).
Auditor is not primarily responsible to prevent or detect frauds, because fraud may involve
sophisticated techniques, and collusion.

2
 ISAs – Summaries and Application Guide ISA 240

Regarding fraud, auditor is responsible to:

 Perform procedures to identify risk of material misstatement due to fraud,
 Respond to risk of fraud.
 Maintain professional skepticism throughout the audit recognizing the possibility that a
misstatement due to fraud may exist.

LO 2: RISK ASSESSMENT PROCEDURES AND RISK OF FRAUD:

Risk Assessment Procedures to identify risk of fraud:
ISAs require the auditor to perform the following procedures to identify the risks of material
misstatement due to fraud:
1. Make inquiries of management in respect of:
a) their process in place for identifying and responding to the risks of fraud.
b) their assessment of the risk of fraud.
c) any specific risks of fraud identified or likely to exist.
d) any communications within the entity in respect of fraud (e.g. code of conduct).
2. Make inquiries of management and others within the entity as to whether they have
knowledge of any actual, suspected or alleged frauds.
3. Evaluate any unusual or unexpected relationships identified in performing analytical
procedures which may indicate a risk of material fraud.
4. Evaluate information obtained from other risk assessment procedures whether any fraud
risk factors are present.

Fraud Risk Factors:

Misappropriation of Assets Fraudulent Financial Reporting
1. Personal Financial Obligations. 1. Intended sale of shares/ business, or acquiring loan.
2. Adverse Relationships between entity and 2. Management holds majority shareholding.
Incentives or
employee having access to cash and other 3. Management’s bonuses based on financial performance.
Pressures
portable and precious assets. 4. Pressure on management to achieve financial targets.
(i.e. Motives)
5. Financial stability or profitability of entity is threatened
(e.g. increased competition, going concern issues).
1. Existence of precious and movable items 1. Significant related party transactions.
(e.g. cash, inventory). 2. Income, Expenses, Assets, and Liabilities are based on
2. Deficiencies in internal control over assets significant estimates.
( e.g. inadequate physical safeguards, 3. Deficiencies in internal control over financial
inadequate record keeping and reporting.
Opportunity reconciliations, or inadequate segregation of 4. Domination of management by a single person or
duties). small group without audit committee or internal audit
function.
5. Ineffective oversight by BOD or audit committee or
internal audit function (e.g. due to lack of
independence from management).
1. Failing to correct known internal control 1. Ineffective communication or ineffective
deficiencies. implementation of entity’s values or ethical standards.
2. Overriding existing controls. 2. Lack of integrity in management (e.g. known history of
Attitudes/ 3. Tolerance on petty theft. violation of laws).
Rationalizations 4. Behavior indicating dissatisfaction or 3. Low morale among senior management.
(of management & displeasure with entity. 4. The practice by management of committing to bankers,
employees) 5. Change in lifestyle. creditors, and other third parties to achieve aggressive
or unrealistic targets.
5. Not providing information or providing wrong
information to auditor.

3
ISAs – Summaries and Application Guide ISA 240

Circumstances that indicate the possibility of fraud in Financial Statements:

Discrepancies in accounting records:
 Unsupported or unauthorized balances or transactions.
 Last minute adjustments that significantly affect financial statements.
 Transactions that are not recorded in a complete or timely manner or improperly recorded
as to amount, or period.
 Tips or complaints to the auditor about the alleged fraud.
 Employees’ access to systems and records is more than what is necessary to do their job.

Conflicting or missing evidence:

 Missing accounting records.
 Documents that appear to have been altered.
 Unavailability of original documents when they are expected to exist.
 Significant unexplained items on reconciliations.
 Unusual changes in ratios, relationships and trends in financial statements.
 Inconsistent or vague responses of inquiries or analytical procedures from management
 Unusual discrepancies between the entity’s record and confirmation replies.
 Large amount of credit entries and other adjustments at year end.
 Missing inventory or physical assets of significant value.
 Non-availability of evidence of system development and program changes during the year.

Problematic or unusual relationships between the auditor and management:

 Denial of access to records, facilities, certain employees, customers, vendors, or others from
whom audit evidence might be sought.
 Undue time pressure by management to resolve complex or contentious issues.
 Complaints by management about the conduct of the audit or management intimidation.
 Unusual delays by entity in providing requested information.
 Denial of access to key IT operations staff, facilities, and electronic files for testing through
CAAT.
 An unwillingness to address identified deficiencies in internal control on a timely basis.
 An unwillingness to correct misstatements in financial statements.

Others:
 Accounting policies at variance with industry norms.
 Frequent changes in accounting estimates without changes in circumstances.
 Unwillingness by management to permit the auditor to meet privately with those charged with
governance.
 Tolerance of violations of the entity’s code of conduct.

4
ISAs – Summaries and Application Guide ISA 240

LO 3: AUDITOR’S COURSE OF ACTION RELATING TO FRAUD:

Course of Action if there is a fraud risk factor:
Auditor shall revise risk of fraud, and shall modify his audit procedures to respond to revised risk of
material misstatement due to fraud e.g.
 Increased level of professional skepticism specially during audit of judgmental areas.
 Adequate planning, and reduced materiality level.
 Assigning more experienced and specialized staff e.g. use of experts if necessary.
 Increased supervision and review of the audit work performed (e.g. quality control
review of the engagement).
 Incorporating unpredictability in nature, timing and extent of audit procedures.
 Making changes to audit procedures.
 More audit procedures at period end rather than at interim date.
 Obtaining more reliable audit evidence (e.g. from external sources).
Course of Action if auditor identifies (or suspects) a fraud:
1. Auditor shall communicate fraud to appropriate level of management (i.e. atleast one level
above the persons involved in fraud) on timely basis.
2. Auditor shall communicate fraud to TCWG if amount involved is significant, or management
is involved.
3. Auditor shall communicate fraud to regulatory authority only if such communication is
required by law.
4. If due to involvement in fraud, there are doubts on integrity of management (e.g.
management is involved in fraud, and TCWG do not take appropriate actions), auditor may
consider withdrawal.
5. If fraud results in misstatement in financial statements, auditor shall also consider its
impact on report.

5
ISAs – Summaries and Application Guide ISA 240

LO 4: MANAGEMENT OVERRIDE OF CONTROL AND AUDITOR’S COURSE OF ACTION:

Definition:
The term ‘management override of control’ means ability of management to overrule prescribed
policies and procedures to prepare fraudulent financial statements, even where controls otherwise
appear to operate effectively.

This risk exists in every entity.

Techniques:
Fraudulent financial reporting can be committed by management overriding controls using
techniques such as:
 Recording fictitious journal entries, particularly close to year-end to achieve targets.
 Inappropriately changing assumptions and judgments used to estimate account balances.
 Advancing or delaying recognition of events and transactions.
 Altering records and terms related to significant transactions.
 Engaging in complex transactions that are structured to misrepresent the financial statements.
 Concealing facts that could affect the amounts recorded in the financial statements.

Audit Procedures to address risk of Management override of control:

Irrespective of the auditor’s assessment of the risks of management override of controls, the
auditor shall design and perform following audit procedures:

1. Test the appropriateness of journal entries.

Auditor shall:
 Make inquiries about inappropriate or unusual activity relating to the processing of journal
entries and other adjustments;
 Select journal entries and other adjustments made at the end of a reporting period; and
 Consider the need to test journal entries and other adjustments throughout the period.

2. Review accounting estimates for possible biases.

In performing this review, the auditor shall:
 Evaluate whether judgments and assumptions by management in making estimates,
indicate a possible bias (even if they are individually reasonable). If so, the auditor shall re-
evaluate the accounting estimates taken as a whole; and
 Perform a retrospective review of management judgments and assumptions related to
significant accounting estimates reflected in the financial statements of the prior year.

3. Evaluate business rationale for significant transactions outside the normal course of
business.