Transcript Slide 1

Chapter 8
Auditing for Fraud
1
Fraud & Auditor Responsibilities:
Historical Evolution
"The detection of material fraud is a reasonable expectation of users
of audited financial statements. Society needs and expects
assurance that financial information has not been material
misstated because of fraud. Unless an independent audit can
provide this assurance, it has little if any value to society"
This statement by the Public Companies Accounting Oversight
Board represents a dramatic change in auditors' responsibility for
detecting fraudulent financial reporting
Previously, AICPA auditing standards required auditors to plan and
perform an audit to provide reasonable assurance of detecting
material misstatements, including those caused by fraud
Today, the message is clear: auditors must assume greater
responsibility for detecting fraud
2
Comment on the Magnitude of
Fraud
According to a 2002 study by the Association of
Certified Fraud Examiners (ACFE)- Six percent of revenues will be lost as a result of
fraud
 Estimated at losses of $600 Billion per year
These estimates cover all types of fraud, but do
not include the losses investors incurred on
major financial reporting frauds such as Enron or
WorldCom
3
Fraud - Defined
Intentional concealment or
misrepresentation of material facts in order
to deceive
Differentiated from errors by the intent to
deceive
Traditionally defined into broad categories:
 Defalcations
 Fraudulent financial reporting
4
Defalcation?
Employee takes assets from the organization for personal
gain. Examples: theft, embezzlement
ACFE divides into frauds due to
 Corruption



Fraudsters use their influence in a transaction to gain personal
benefit
Examples: kickbacks, conflict of interest, bribery, economic
extortion
Asset misappropriation


Theft or misuse of organization's assets
Common schemes: skimming revenues, cash schemes,
fraudulent disbursement, inventory theft, payroll fraud
Defalcation may create misleading financial statements if
stolen assets are reported on the statements
5
Fraudulent Financial Reporting Defined
Intentional manipulation of financial statements
Typically committed by management
 Has opportunity to override internal controls
 Often evaluated and compensated based on financial results
Usually involves:
 Manipulation, falsification, or alteration of accounting records or
supporting documents
 Misrepresentation or omission of events, transactions, or
significant information
 Intentional misapplication of accounting principles
The most common types are
 Overstate assets and understate expenses
 Overstate revenues and assets
 Understate liabilities
6
Lessons Learned From Fraud
Cases
Auditors take risk whenever they do not audit the entire
company
 Auditors need to look at economic assumptions
underlying a company’s growth
 Auditors need to assess risk factors and when the risk of
fraud is high, they must demand stronger evidence
 Computer errors should be viewed as a risk factor
 Dominant clients can be a problem
 Auditors need to know what motivates management
 Auditors should not assume all people are honest
 When fraud risk indicators are discovered, they must be
thoroughly investigated
7
The Second COSO Report
Report of the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO) identified major characteristics of
companies that had perpetrated fraud:
 Involved smaller companies - under $200 million
in revenues
 Board of directors dominated by management
 Audit committees non-existent or inactive
 Overstated revenues and corresponding assets
in over half the frauds
 Most revenue frauds involved premature
recognition or fictitious revenues
8
The Second COSO Report
(Continued)
No internal audit department
 Perpetrated over relatively long-terms (average
period 2 years)
 Companies were in loss situations or near
break-even prior to the fraud
 CEO and /or CFO involved in 83% of the cases
Auditors realized there are signs that fraud might
be taking place and that auditors would have to
identify and investigate these signs

9
Auditing Standards on Fraud
SAS 99, "Fraud Detection in a Financial Statement
Audit" issued in 2002
 Requires auditors to search for risk factors
related to fraud
 If these risk factors are present, auditor needs to
modify audit to
 Actively search for fraud
 Require more substantive audit evidence
 In some cases, assign forensic (fraud) auditors
to the
engagement

Emphasizes the need for professional
skepticism
10
A Proactive Approach to Fraud
Detection - Planning the Audit
The audit must be planned to detect material
misstatements - whether the misstatements are due to
errors or fraud
The auditor must
 Understand the business
 Understand how changes in the economy might affect
the business
 Understand management's motivations for committing a
fraud
 Identify opportunities for other employees to commit
defalcation
 Analyze changes in company's financial results for
reasonableness
 Identify areas that might suggest fraud
11
Proactive Approach to Fraud Detection
- Conducting the Audit
Overview of the process to integrate fraud risk assessment
and fraud procedures into the audit includes ten major
steps:
 Understand the nature of fraud, motivations to commit
fraud, and how fraud may be committed
 Develop and implement an approach based on
professional skepticism
 Brainstorm and share knowledge within the audit team
 Obtain information useful in identifying and assessing
fraud risk
 Identify specific fraud risks and areas likely to be
affected by fraud
12
Proactive Approach to Fraud Detection Conducting the Audit





Evaluate the quality and effectiveness of
company controls in mitigating the risk of fraud
Adjust audit procedures to address the risk of
fraud and gather evidence specifically related
to the possibility of fraud
Evaluate findings; if evidence signals fraud might
exist, consider whether specialists are needed
for the audit team
Communicate possibility of fraud to
management and audit committee
Document all steps related to fraud
13
The motivations to commit fraud
Research consistently shows three factors
associated with fraud
These factors are referred to as the fraud triangle
1. Incentives or pressures to commit fraud
2. Opportunities to commit fraud
3. Rationalization of the fraud as acceptable
14
Motivations to Commit Fraud – 1.
Incentives or Pressures
The pressures to commit fraud include:
 Management compensation schemes
 Personal wealth ties to financial results or
survival of the company
 Other financial pressures to improve
earnings or the balance sheet
 Example:

to avoid violating debt covenant
Personal factors, including personal
financial needs
15
Motivations to Commit Fraud – 2.
Opportunities
Warning signs indicating opportunities for fraud:








Weak or non-existent internal controls
Complex or unstable organizational structure
Ineffective monitoring of management, either because
board of directors is not effective, or management is
dominant
Significant accounting estimates made by management
Significant related party transactions
Industry dominance, including ability to dictate terms to
suppliers or customers
Simple transactions made complex through disjointed
recording process
Complex or difficult to understand transactions
16
Motivations to Commit Fraud – 3.
Rationalizations
The nature of fraud rationalization often differs depending
on the type of fraud
For defalcations, rationalizations often revolve around
personal issues:
 Personal financial problems
 Mistreatment by the company
 Sense of entitlement
 Everyone does it
For fraudulent financial reporting, the rationalizations may
involve personal or organizational issues:
 Compensation based on financial results (personal)
 Ego (personal)
 Necessary for organization to survive
17
Audit team brainstorming
SAS 99 requires members of the audit team to discuss the risk of
material misstatement due to fraud
This brainstorming is designed to:
 Allow experienced auditors to educate less experienced auditors
 Set the proper level of professional skepticism for the audit
Topics covered during the brainstorming should include:
 Consider how fraud can be perpetrated and concealed
 Presume fraud in revenue recognition
 Consider incentives, opportunities, and rationalization for fraud
 Consider industry conditions
 Consider operating characteristics and financial stability
18
Audit Procedures
When there is a possibility of fraud, the auditor should
consider that evidence might not be what it seems
SAS 99 suggests the auditor consider the following:
 Greater susceptibility of evidence manipulation
 Greater skepticism of management responses
 Journal entries are important
 New technology provides new ways to commit fraud
 Recognition that collusion may be likely
 Predictability of audit procedures
 Analytical procedures should tie to operational or
industry data
19
Obtaining Information about
Fraud Risk
The auditor should specify procedures that could
signal the possibility of fraud including
 Making inquires of management and others to
obtain their views about the risk and fraud and
controls set up to address those risks
 Perform analytical procedures and consider any
unusual relationships
 Review risk factors identified earlier (pressure,
opportunity, rationalization)
 Review management responses to
recommendations for control improvements and
internal audit reports
20
What are some analytical
indicators
of
fraud
risk?
Some of the key analytical factors the auditor should









develop include:
Large revenue increase at the end of the period
Sales increasing faster than industry sales which don't
seem justified
Unusually large increase in gross margin
Large number of sales returns after year-end
Increase in number of day's sales in receivables
Increase in number of day's sales in inventory
Significant increase in debt/equity ratio
Cash flow or liquidity problems
Significant changes in non-financial performance
measures
21
Identifying Risks of Fraud
The auditor should examine each of the fraud risk conditions pressure, opportunity, rationalization
During this examination, the auditor should consider
 The type of fraud that might occur
 The potential significance of the fraud in both quantitative
and qualitative terms
 The likelihood of fraud occurring
 The pervasiveness of the risk that fraud might occur
SAS 99 requires the auditor presume there are risks with
revenue recognition and management override of internal
controls
22
Relate Internal Control and Fraud
Risk
Internal control weaknesses are a strong indicator of fraud risk
The auditor will examine a variety of control areas including:
 Corporate governance
 Management control and influence
 Audit committee
 Corporate culture
 Internal auditing
 Monitoring controls
 Whistle blowing
 Codes of ethics
 Related party transactions
23
Developing a Revised Audit Plan
Auditor should develop hypotheses about how fraud could be
committed and concealed
The audit team should then develop and implement audit
procedures that are directly responsive to the fraud risks
Depending on the hypothesized fraud risks the auditor may
change the
 Audit procedures in order to gather additional corroborative
and/or direct evidence
 Timing of audit procedures
 Staffing of the engagement to include more experience
auditors or specialists
24
Developing a Revised Audit Plan
(Continued)

Extent of audit procedures; examples include:
 Performing procedures on a surprise or unannounced
basis
 Requiring inventories be counted and observed at
year-end (instead of at an interim date)
 Making oral inquiries of major customers and
suppliers
 Performing analytics using disaggregated data
 Examining details of major sales contracts
 Examining financial viability of customers
 Examining, in detail, reciprocal or similar transactions
between two entities
 Detailed examination of journal entries, particularly
those at year-end
25
Evaluating Audit Evidence
The auditor's skepticism should be
heightened whenever
 There are discrepancies in the accounting
records
 The auditor finds conflicting or missing
evidential matter
 The relationship with management is
strained
 There are significant or unusual
transactions around year-end
26
Communicating the Existence of
Fraud
Fraud should be communicated to a level at which
effective action can be taken
 The auditor must communicate the existence of
fraud to management, the Board, and the audit
committee
 If fraud involves top management, the auditor
must assess the actions taken by the Board
 If sufficient actions are not taken, the auditor
must consider the control environment and the
possible need to resign the engagement
27
Communicating the Existence of
Fraud (Cont’d)
The auditor must determine that the financial
statements have been corrected and the fraud
adequately disclosed
 If the statements are not corrected, the auditor
should issue a qualified or adverse opinion
In some cases, the auditor may be required to
report the fraud to outside parties, such as to
meet regulatory requirements
For public companies, material fraud reflects a
weakness in internal controls and may need be
reported
28
Audit Documentation
The audit team should document the full extent of
the process described
That documentation should include:
 Discussion among audit team members
including the assessment of fraud risk and how
such frauds might take place
 Discussion of the factors that affected the risk
assessment
 Audit procedures performed
 Need for corroborating evidence
 Evaluation of audit evidence and communication
to required parties
29
Characteristics of Financial
Reporting Frauds
Historically, there are patterns in financial reporting frauds:
 Complex revenue recognition schemes
 Incorrect billings to the government
 Holding the books open (accelerated revenue recognition)
 Capitalizing expenses
The implications for audit procedures is clear:
 The auditor must understand complex transactions to
determine their economic substance
 The auditor cannot be pressured to complete the audit early;
there must be sufficient time to examine year-end
transactions
 The auditor must use necessary procedures to gather
sufficient reliable evidence including
30
Characteristics of defalcations?
ACFE reports 90% of defalcations involve thefts of cash;
remaining 10% were thefts of inventory and other assets
Cash misappropriation schemes include:
 Larceny: stealing cash after it has been recorded on the
books
 Skimming: stealing cash before it is recorded on the
books
 Fraudulent disbursements





Most common: 70% of defalcation schemes
Billing: set up false vendors and pay for fictitious goods
Payroll: add fictitious employees to payroll
Expense reimbursement: submit overstated reimbursement
requests
Check tampering: alter check, e.g. change payee or amount
31
Audit Procedures & Evidence
Considerations
The procedures used by the auditor should
reflect
(1) the internal control weaknesses and
(2) fraud risk indicators found with the
client
32
1. Linking Audit Procedures to
Control Deficiencies


Audit procedures used are based on specific control deficiencies
Linkage process from control deficiencies to audit procedures:



What errors or fraud could occur because of the control deficiencies
What account balances would be affected and how
What audit procedures would provide evidence on whether the account
balance is misstated
 Do the audit procedures provide objective evidence independent of the
parties who have access to the assets

Examples listed in Exhibit 8.11
33
2. Linking Audit Procedures to Fraud
Risk Indicators
As with control deficiencies, audit procedures will
depend on the fraud risk indicators and auditor's
preliminary analytical review of account balances
Existence of fraud risk indicators should cause the
auditor to
 Expand audit testing to more detailed sampling
 Review all major sales
 Place more emphasis on independent outside
evidence
 Perform more procedures at year-end (instead of
interim testing)
 Examples listed in Exhibits 8.12 and 8.13
34
Using Computers to Analyze the
Possibility of Fraud
Audit software can read a file and perform a number of
procedures to analyze the possibility of fraud:
 Test mechanical accuracy: footing, mathematical
extensions, and logical relationships
 Statistical selection
 Search for duplicate entries
 Analyze unusual patterns in data
 Analysis of logical relationships among data sets
 Identify unusual sources of entries to an account
 Search for missing data
35
Responsibilities for Detecting
and Reporting Illegal Acts
Illegal acts are violations of laws or governmental
regulations...by management or employees
acting on behalf of the entity (AU 317.02)
Illegal acts often have a direct impact on financial
statements
Audit must be designed to identify illegal acts that
have a direct, material effect on the financial
statements; audit procedures include:
 Reading corporate minutes
 Inquiries of management and legal counsel
36
Responsibilities for Detecting and
Reporting Illegal Acts (continued)

Tests of details to support transactions or account
balances




Large payments to consultants or employees for unspecified
services
Excessively large sales commissions
Unexplained governmental payments
Unauthorized or unnecessarily complex transactions
If illegal acts are discovered, the auditor should
 Consult with the client's legal counsel
 Report the acts to management and the audit committee
 Make the financial statements present fairly including
proper disclosure
37
Forensic Accounting
Forensic accounting is an extension of auditing, but with a
number of differences:
 Detailed investigation where fraud has been identified or
is suspected
 Focuses on identifying perpetrators and getting a
confession
 Builds support for legal action against the perpetrator
 May provide litigation support such as expert testimony
 Extensive use of interviews
 100% examination of fraud-related documents
 Reconstruction of account balances
 Broader scope than auditing
38