The old regime
Broadly speaking, an auditor’s duty to detect fraud relates to two types of fraud: fraudulent financial reporting and the misappropriation of company funds and assets. The FRC and the public at large have a reasonable expectation that directors of public and private companies will act solely in the interests of shareholders, and not for personal financial gain. In this context, the auditor’s roles are to act as an impartial supervisor of companies’ financial dealings and to call out fraudulent activity.
The statutory auditor’s broad duties were:
To obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement;
To maintain professional scepticism throughout the audit, considering the potential for management override of controls and recognizing the fact that audit procedures that are effective for detecting error may not be effective in detecting fraud;
To respond to identified or suspected non-compliance with laws and regulations and to communicate with management and those charged with governance;
To document instances of identified or suspected non-compliance with laws and regulations;
To report suspected instances of fraud to the client and/or regulatory authorities, and to cease an engagement where necessary and appropriate.
The revised ISA (UK) 240
The new rules confirm that “reasonable assurance is a high, but not absolute, level of assurance”.
That standard defines “reasonable assurance” as “when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.”
When assessing “the risks of material misstatement of the financial statements due to fraud”, auditors must now record their risk assessments and their review of controls for susceptibility to fraud. The new standard encourages evidence-gathering and requires auditors to make inquiries of individuals “at all levels” of an entity’s financial reporting process.
Professional scepticism underpins the new requirements. It involves a constant state of alertness to fraud risk factors, and must now be exercised by “undertaking risk assessment procedures and designing and performing further audit procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.” The auditor must demonstrate an understanding of the fraud risk factors relevant to the particular entity and evidence frank discussions around the susceptibility of its financial reports to material misstatement. Where “those charged with governance” within an entity are not also “management”, auditors must also make inquiries of them and assess whether their responses corroborate or contradict the responses of management. The new standard encourages a more interactive and pro-active approach to risk assessment, both within the audit team and with the management staff of the audited entity. Evidence-gathering requires auditors to make inquiries of individuals “at all levels” of an entity’s financial reporting process and, where necessary, to obtain audit evidence from “multiple sources within and outside the entity”.
Additional to general reporting requirements is a new duty to explain, in the auditor’s report, the extent to which an audit was capable of detecting fraud. ISA (UK) 240 states that this report “shall be specific to the circumstances of the audited entity and take account of how the auditor planned and performed procedures to address the identification and assessment of the risks of material misstatement.”
Other changes of note include:
Changes to guidance around assessing material misstatements (to include both qualitative and quantitative considerations);
Additions to the list of fraud indicators of which an auditor must be aware;
Examples of areas which may require “specialized skills or knowledge” on an audit team; and
Specific points around the audits of public interest entities (“PIEs”) and group audits.
As PI solicitors who often act for accountancy firms, we have never been great fans of ISA (UK) 240. With its lists of activities which amount to fraud, and its checklist of steps to be taken by auditors to put them in a position to spot fraud, it often provides a route map to an audit negligence claim if these steps are not both taken and evidenced on the audit file. What’s more, the guidance does not necessarily increase the likelihood of the auditor spotting a sophisticated fraud.
Spotting fraud is, in our view, more about mindset than adherence to checklists. Be that as it may, the revised ISA (UK) 240 is the applicable guidance, and the additional audit work it requires to reduce the risk of fraud going unnoticed may influence the auditors’ and, more importantly, management’s mindset in detecting fraudulent activities.
Under the new guidance, the audit planning “checklist” should now include discussions between the audit team and management in which all levels of staff must be included. This strikes us as a sensible addition to the armoury of steps an auditor must take, and it may even lessen the likelihood of fraud going undetected. What we would stress is the necessity of all such discussions being evidenced on the audit file; following ISA (UK) 240 to the letter will be critical to a successful defence against a claim for losses caused by undetected fraud.
The new standard will be effective for audits of financial statements for periods commencing on or after 15 December 2021. Early adoption is “permitted” – though we suggest that “important” would be a more appropriate word.