Detecting fraud and error

By David Selley and Eric Turner
Illustration: Randy Butterfield

New standards require auditors to change their mindset to respond to concerns about their ability to detect fraud

In April, the Auditing and Assurance Standards Board (AASB) issued a revised Handbook Section 5135, The Auditor's Responsibility to Consider Fraud and Error, effective for 2004 calendar year-end audits. Significant changes were also made to Section 5090, Audit of Financial Statements — An Introduction, in particular to remove references to the auditor's assumption of management's good faith. Other such references were also removed from the rest of the Handbook.

The nature of an auditor's responsibility to detect fraud in clients' financial statements has been a hot topic on and off for more than 100 years. What CA is not familiar with the 1896 legal judgment that the auditor is a watchdog, not a bloodhound? The auditor's role in fraud detection was a key component of the so-called expectation gap identified in the 1988 Macdonald Commission Report and elsewhere. Since then, there have been further highly publicized failures resulting from major management and employee frauds of catastrophic scale. Auditors faced increased pressure to improve the likelihood they will detect such frauds during their audits. As a result, in 1997 the US Auditing Standards Board (ASB) issued revised auditing standards, and the AASB and the international Auditing and Assurance Standards Board (IAASB) followed suit in 2002.

In 2002, the ASB issued further changes in the form of Statement on Auditing Standard (SAS) 99, Consideration of Fraud in a Financial Statement Audit. The IAASB responded with a revised International Statement on Auditing (ISA) 240 this past April, and the AASB issued the revised sections 5135 and 5090, which are based on ISA240. All three jurisdictions now require essentially the same degree of alertness and work effort when identifying, assessing and responding to the risks of material fraud, particularly fraud perpetrated by management. However, the standards do not alter the auditor's fundamental responsibility to obtain reasonable assurance that financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.

The new standard
Canadian auditors need to be aware of, and respond to, the significant changes in the standards, which will change the way audits are performed, including requiring additional work. The most significant aspect of the new Canadian standard is that it will require increased professional skepticism on the part of the auditor.

This will require an important mindset change that cannot be overemphasized. Although auditors cannot be expected to fully disregard past experience with the entity about the honesty and integrity of management and those charged with governance, the maintenance of an attitude of professional skepticism is important as there may have been changes in circumstances. Auditors should not be satisfied with less-than-persuasive audit evidence based on a belief that management and those charged with governance are honest and have integrity. The new section reminds auditors that they need to ensure that their familiarity with management, which will naturally occur over time, will not result in a tendency for the auditors to over-rely on management representations or a failure to corroborate those representations with other audit evidence. The new section also for the first time in Canada specifically requires auditors to maintain professional skepticism when considering information obtained from those charged with governance.

Flowing from increased professional skepticism are three key new features of Section 5135. The first is a requirement to recognize that the risk of management override of internal controls is such that it cannot be adequately addressed without mandatory substantive procedures. Required procedures are:

• testing the appropriateness of journal entries and other adjustments;
• identifying bias in management's accounting estimates, including a retrospective review of management's judgments and significant assumptions reflected in the financial statements of the prior year; and
• understanding the business rationale for significant transactions and considering whether the rationale (or lack thereof) suggests that the transactions may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets.

The second key feature responds to the many high-profile problems that have occurred due to improper revenue recognition. Section 5135 now requires auditors to presume there is a risk of fraudulent revenue recognition. Auditors are specifically required to perform analytical procedures when planning the audit that are aimed at identifying unusual or unexpected relationships that may indicate risks of fraud due to improper revenue recognition. When auditors identify such risks, they are required to consider the design of the entity's policies and procedures to prevent and detect fraud, and whether they have been implemented. They are also required to design further audit procedures that are responsive to those risks.

The third key feature is expanded requirements and guidance for discussions among the engagement team on the susceptibility of the client's financial statements to material misstatement due to fraud. These discussions will provide the engagement team with a good understanding of:

• information that experienced engagement team members have about their experiences with the client;
• how a fraud might be perpetrated and concealed at the entity; and
• the procedures the team might perform to detect any material misstatements that result.

It is also hoped that the discussions will serve to remind team members that the possibility of fraud does exist in every audit engagement, and thereby set a tone of professional skepticism throughout the team.

Other changes to Section 5135 include:

• greater emphasis on enquiries of the audit committee concerning their knowledge of fraud risks and actual fraud;
• expanded guidance in the appendices on fraud risk factors and responses to the risk, with particular emphasis on revenue rec-ognition, inventory quantities and management estimates; and
• classification of fraud risk factors into those relating to incentives or pressures to commit fraud, perceived opportunity to do so without getting caught, and ability to rationalize the act.

Notwithstanding the enhanced requirements, the new standard still emphasizes that there are some frauds that even a properly conducted audit may not detect. For example, auditors are not expected to identify cleverly forged documents unless they have reason to be suspicious. Section 5135 continues to point out that fraud is less likely to be uncovered during an audit than error, and that fraud perpetrated by management is less likely to be uncovered than employee fraud.

Readers who compare the US and international standards with Section 5135 will notice that Section 5135 deals with auditor considerations concerning both error and fraud, whereas SAS99 and ISA240 deal only with fraud. The IAASB has recently issued three new ISAs, collectively forming

a new "risk model." While its guidance on error is dealt with in the new ISAs, ISA240 deals only with fraud. The AASB is in the process of adopting the new international risk model, but until it does so, sections 5135 and 5090 reflect the existing Canadian risk model and deal with fraud and error in one place in the Handbook.

Some respondents to the Exposure Draft of this standard suggested that additional guidance material would assist practitioners in complying. The CICA is developing a fraud resource on the Knotia part of its website. Until the resource is fully developed, auditors may refer to the AICPA's Antifraud Resource Center at www.aicpa.org/antifraud/homepage.htm.

All the references, of course, are to SAS 99 but the two standards are sufficiently similar that the guidance may nevertheless be useful.

CONCLUSION These new standards require auditors to change their mindset to respond to public concerns about the auditor's ability to detect fraud, especially management fraud. Simply updating audit manuals and using revised checklists will not suffice. Leaders of public accounting firms will need to promote the change to their audit personnel. Firms must also review their auditing guidance and training programs to ensure that their audit partners and staff are not only fully informed of the new standards, but also have a greater awareness of fraud risks at their clients and how to respond to them. Responding to changes in the standards is urgent because they will apply to 2004 calendar year-end audits.