Scope and objectives
The SA 240 defines fraud as a deliberate action resulting in misstatements in financial statements. The standard distinguishes between two types of intentional misstatements relevant to the auditor: misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets.
The standard describes the characteristics of fraud, which includes incentive or pressure to commit fraud, a perceived opportunity to do so, and some rationalization of the act. The auditor is concerned with fraud that causes a material misstatement in the financial statements, and although the auditor may suspect or identify the occurrence of fraud, they do not make legal determinations of whether fraud has actually occurred.
The standard also provides examples of fraudulent financial reporting, which involves intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. Fraudulent financial reporting can be caused by the efforts of management to manage earnings to deceive financial statement users by influencing their perceptions as to the entity’s performance and profitability. Fraudulent financial reporting may involve manipulation, falsification, or alteration of accounting records, misrepresentation or intentional omission of significant information in the financial statements, or intentional misapplication of accounting principles.
SA 240 also discusses misappropriation of assets, which involves the theft of an entity’s assets and is often perpetrated by employees in relatively small and immaterial amounts. Misappropriation of assets can be accomplished in a variety of ways, including embezzlement of receipts, stealing physical assets or intellectual property, causing an entity to pay for goods and services not received, or using an entity’s assets for personal use. Misappropriation of assets is often accompanied by false or misleading records or documents to conceal the fact that the assets are missing or have been pledged without proper authorization.
Overall, the SA 240 provides guidance to auditors on how to identify and assess the risks of material misstatement due to fraud and how to respond to those risks in an audit of financial statements.
Requirements
The requirements for professional scepticism in auditing are outlined in SA 2003. Professional scepticism is defined as maintaining a questioning mindset and recognizing the possibility that a material misstatement due to fraud could exist, even if the auditor has had positive experiences with the honesty and integrity of the entity’s management and those charged with governance.
The auditor must consider the reliability of the information used as audit evidence and the controls over its preparation and maintenance. This is particularly important when considering the risks of material misstatement due to fraud, as fraud is often characterized by deception and concealment.
The auditor may accept records and documents as genuine unless there is reason to believe otherwise. If the auditor identifies conditions that cause them to doubt the authenticity or accuracy of a document, they should investigate further, such as by confirming directly with a third party or using the work of an expert to assess the document’s authenticity.
When responses to inquiries of management or those charged with governance are inconsistent, the auditor must investigate the inconsistencies.
SA 315 requires a discussion among the engagement team members, with a particular emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, even if team members believe that management and those charged with governance are honest and have integrity. The discussion may cover topics such as exchange of ideas about how and where financial statements may be susceptible to fraud, consideration of circumstances indicative of earnings management, and consideration of known factors that may create an incentive or pressure for fraud to occur. The discussion also considers how audit procedures will be selected and what to do if allegations of fraud are discovered. The auditor should consider the risk of management override of controls.
Risk Assessment Procedures and Related Activities
The procedures and activities that the auditors should perform when conducting a risk assessment for the purpose of identifying and responding to the risks of material misstatement due to fraud in an entity. The audit standard SA 3155 requires auditors to perform risk assessment procedures to gain an understanding of the entity, its environment, and its internal controls.
The auditor is required to inquire with management about their assessment of the risks of material misstatement due to fraud, including the nature, extent, and frequency of such assessments. This helps the auditor to understand the entity’s control environment, and whether management places importance on internal control. Management is responsible for the entity’s internal control and the preparation of the financial statements, so their input is valuable for the auditor’s understanding of fraud risks.
The auditor is also required to make inquiries of management and others within the entity, where appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity. The auditor may direct inquiries to various individuals, including those not directly involved in the financial reporting process, employees with different levels of authority, in-house legal counsel, chief ethics officer, or persons charged with dealing with allegations of fraud.
If the entity has an internal audit function, the auditor is required to make inquiries of internal audit to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity, and to obtain their views about the risks of fraud.
Finally, the auditor is required to obtain an understanding of how those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks. Understanding the oversight exercised by those charged with governance provides insights into the susceptibility of the entity to management fraud, the adequacy of internal control over risks of fraud, and the competency and integrity of management. The auditor may obtain this understanding in a number of ways, such as by attending meetings where such discussions take place or reading the minutes from such meetings.
Evaluation of Fraud Risk Factors
The auditor’s responsibility to evaluate the risk of fraud when auditing a company’s financial statements. The auditor needs to evaluate whether the information obtained from other risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present. Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
SA 230 explains that the significance of fraud risk factors varies widely and cannot easily be ranked in order of importance. Some factors will be present in entities where the specific conditions do not present risks of material misstatement. Therefore, the auditor needs to exercise professional judgment to determine whether a fraud risk factor is present and whether it is to be considered in assessing the risks of material is statement of the financial statements due to fraud.
SA 240 also provides examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets, which are classified based on the three conditions that are generally present when fraud exists: an incentive or pressure to commit fraud, a perceived opportunity to commit fraud, and an ability to rationalize the fraudulent action.
The size, complexity, and ownership characteristics of the entity have a significant influence on the consideration of relevant fraud risk factors. In the case of a small entity, some considerations may be inapplicable or less relevant, such as a written code of conduct. The SA 240 also discusses the risks of material misstatement due to fraud in revenue recognition and the auditor’s responsibility to assess those risks.
Overall, the emphasizes the importance of the auditor’s professional judgment when evaluating fraud risk factors and assessing the risks of material misstatement due to fraud. The auditor needs to be aware of the various factors that may indicate the presence of fraud, as well as the specific circumstances of the entity being audited.
Responses to the Assessed Risks of Material Misstatement Due to Fraud Overall Responses
The responses that auditors should take to address the risks of material misstatement due to fraud in financial statements. The auditor must determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. This includes considering how the overall conduct of the audit can reflect increased professional scepticism, such as increased sensitivity in the selection of the nature and extent of documentation to be examined in support of material transactions, and increased recognition of the need to corroborate management explanations or representations concerning material matters.
The auditor must assign and supervise personnel, taking account of their knowledge, skill, and ability, to evaluate whether the selection and application of accounting policies by the entity may be indicative of fraudulent financial reporting, and incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.
In addition, the auditor must design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level. This may include changing the nature, timing, and extent of audit procedures in various ways, such as physical observation or inspection of certain assets, designing procedures to obtain additional corroborative information, and modifying the timing of substantive procedures.
SA 240 also gives examples of how auditors can respond to identified risks of material misstatement due to fraud, such as assigning additional individuals with specialized skill and knowledge, performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk, adjusting the timing of audit procedures, using different sampling methods, and performing audit procedures at different locations or at locations on an unannounced basis.
Audit Procedures Responsive to Risks Related to Management Override of Controls
The audit procedures that auditors should undertake to address the risks of management override of controls, which can result in material misstatements due to fraud in financial statements. Management is in a unique position to perpetrate fraud because they have the ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that appear to be operating effectively.
SA 240 emphasizes that irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of financial statements. The auditor shall make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments, select journal entries and other adjustments made at the end of a reporting period, and consider the need to test journal entries and other adjustments throughout the period.
SA 240 also highlights the importance of the auditor’s consideration of the risks of material misstatement associated with inappropriate override of controls over journal entries. When IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.
Moreover, when identifying and selecting journal entries and other adjustments for testing and determining the appropriate method of examining the underlying support for the items selected, the auditor should consider several factors, including the risks of material misstatement due to fraud, the entity’s financial reporting process, and the characteristics of fraudulent journal entries or other adjustments.
SA 240 also highlights the auditor’s responsibility to review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud.
In conclusion, the emphasizes the need for auditors to remain vigilant and proactive in addressing the risks of management override of controls and material misstatements due to fraud in financial statements. The auditor must use professional judgment in determining the nature, timing, and extent of testing of journal entries, other adjustments, and accounting estimates to provide reasonable assurance that financial statements are free from material misstatements.
Evaluation of Audit Evidence
The audit evidence and how auditors should evaluate whether the assessments of the risks of material misstatement remain appropriate. The evaluation is primarily based on the auditor’s judgment and can provide insight into the risks of material misstatement due to fraud and whether additional or different audit procedures are needed.
SA 240 provides examples of circumstances that may indicate the possibility of fraud, such as unusual relationships involving year-end revenue and income, uncharacteristically large amounts of income being reported in the last few weeks of the reporting period, or income that is inconsistent with trends in cash flow from operations.
The auditor should also evaluate whether a misstatement is indicative of fraud if one is identified. If there is such an indication, the auditor should evaluate the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence.
If the auditor identifies a misstatement and has reason to believe that it may be the result of fraud and that management is involved, the auditor should re-evaluate the assessment of the risks of material misstatement due to fraud and its resulting impact on the nature, timing, and extent of audit procedures. The auditor should also consider whether circumstances or conditions indicate possible collusion involving employees, management, or third parties.
Finally, the t notes that when the auditor confirms or is unable to conclude whether the financial statements are materially misstated as a result of fraud, the auditor should evaluate the implications for the audit. SA 450 and SA 700(Revised) establish requirements and provide guidance on the evaluation and disposition of misstatements and the effect on the auditor’s opinion in the auditor’s report.
Auditor Unable to Continue the Engagement
The actions that an auditor should take if they encounter exceptional circumstances during an audit that bring into question their ability to continue performing the audit. Such exceptional circumstances could include encountering fraud or suspected fraud that could result in a misstatement, where the entity does not take appropriate action regarding fraud, or where there is significant concern about the competence or integrity of management or those charged with governance.
The auditor’s first step should be to determine the professional and legal responsibilities applicable in the circumstances. They should consider whether there is a requirement for them to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities. If the auditor determines that they cannot continue with the audit, they should consider whether it is appropriate to withdraw from the engagement, where withdrawal from the engagement is legally permitted.
If the auditor decides to withdraw from the engagement, they should discuss with the appropriate level of management and those charged with governance, the auditor’s withdrawal from the engagement and the reasons for the withdrawal. The auditor should also determine whether there is a professional or legal requirement to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities, the auditor’s withdrawal from the engagement and the reasons for the withdrawal.
Because of the variety of the circumstances that may arise, it is not possible to describe definitively when withdrawal from an engagement is appropriate. Factors that affect the auditor’s conclusion include the implications of the involvement of a member of management or of those charged with governance and the effects on the auditor of a continuing association with the entity.
The auditor has professional and legal responsibilities in such circumstances, and these responsibilities may vary under different legislations and regulations and accordingly, the clients. Therefore, the auditor may consider it appropriate to seek legal advice when deciding whether to withdraw from an engagement and in determining an appropriate course of action, including the possibility of reporting to shareholders, regulators, or others. In some cases, the option of withdrawing from the engagement may not be available to the auditor due to the nature of the terms of appointment or public interest considerations.
Management Representations
The requirement for auditors to obtain written representations from management and those charged with governance during an audit engagement. The representations should include the following acknowledgments:
(a) That management and those charged with governance acknowledge their responsibility for the design, implementation, and maintenance of internal control to prevent and detect fraud.
(b) That management has disclosed to the auditor the results of its assessment of the risk that the financial statements may be materially misstated as a result of fraud.
(c) That management has disclosed to the auditor any knowledge of fraud or suspected fraud affecting the entity involving management, employees with significant roles in internal control, or others where the fraud could have a material effect on the financial statements.
(d) That management has disclosed to the auditor any knowledge of allegations of fraud or suspected fraud affecting the entity’s financial statements communicated by employees, former employees, analysts, regulators, or others.
The emphasizes that obtaining these written representations is important because of the nature of fraud and the difficulties that auditors face in detecting material misstatements in financial statements resulting from fraud. The auditor needs to obtain a written confirmation from management and those charged with governance that they have disclosed the necessary information about fraud to the auditor. SA 580 provides guidance on obtaining appropriate representations from management and those charged with governance in the audit.
Communications to Management and with Those Charged with Governance
The responsibilities of an auditor to communicate with management and those charged with governance in case of suspected or identified fraud in an entity. The auditor is required to inform the appropriate level of management as soon as possible if there is evidence of fraud or even if there is a suspicion of fraud, regardless of its significance. The appropriate level of management depends on various factors, such as the likelihood of collusion and the nature and magnitude of the suspected fraud.
If fraud involves management, employees with significant roles in internal control, or others where fraud results in a material misstatement in the financial statements, the auditor shall communicate these matters to those charged with governance in a timely manner. If the auditor suspects fraud involving management, the auditor shall communicate these suspicions to those charged with governance and discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit.
The auditor shall also communicate any other matters related to fraud that are relevant to the responsibilities of those charged with governance. Such matters may include concerns about the nature, extent, and frequency of management’s assessments of controls in place to prevent and detect fraud, a failure by management to appropriately address significant deficiencies in internal control, and actions by management that may be indicative of fraudulent financial reporting.
If the auditor identifies or suspects fraud, the auditor shall determine whether there is a responsibility to report the occurrence or suspicion to a party outside the entity. The auditor’s professional duty to maintain the confidentiality of client information may preclude such reporting, but the auditor’s legal responsibilities may override the duty of confidentiality in some circumstances. The auditor may consider it appropriate to obtain legal advice to determine the appropriate course of action in the circumstances. The requirements for reporting fraud may be subject to specific provisions of the audit mandate or related legislation or regulation in some cases.
Documentation
The documentation requirements for auditors regarding the assessment of fraud risks in an entity’s financial statements. SA 315 and SA 330 are both auditing standards that provide guidance on how auditors should assess and respond to the risk of material misstatement due to fraud.
In SA 240 states that the auditor’s documentation of their understanding of the entity and its environment and the assessment of fraud risks must include significant decisions made during the discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to fraud, as well as identified and assessed risks of material misstatement due to fraud at both the financial statement level and the assertion level.
The documentation of the auditor’s responses to the assessed risks of material misstatement due to fraud, which must include overall responses at the financial statement level and the nature, timing, and extent of audit procedures, as well as the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level. Additionally, the results of the audit procedures, including those designed to address the risk of management override of controls, must also be documented.
The auditor to document all communications made to management, those charged with governance, regulators, and others regarding fraud.
Finally, it specifies that when the auditor concludes that the presumption of a risk of material misstatement due to fraud related to revenue recognition is not applicable in the engagement, they must document the reasons for that conclusion.
The Auditor’s Responsibility relating to Fraud in an Audit of Financial Statements
The modifications made to ISA 240, which is a standard that outlines the auditor’s responsibility relating to fraud in an audit of financial statements. The modifications include both additions and deletions.
The addition to the standard is that guidance has been made more entity-specific in the context of Indian legal requirements, by way of an example.
The first deletion relates to the Application Section of ISA 240, which dealt with the application of the requirements of ISA 240 to the audits of public sector entities. As per the “Preface to the Standards on Quality Control, Auditing, Review, Other Assurance and Related Services,” the standards issued by the Auditing and Assurance Standards Board apply equally to all entities, irrespective of their form, nature, and size. Therefore, the specific reference to the applicability of the standard to public sector entities has been deleted. However, the spirit of Paragraph A6 in ISA, highlighting the fact that in some cases, auditors may be required by the legislature or the regulator to specifically report on instances of actual or suspected fraud in the client entity has been retained, and examples of such situations have also been added.
The second deletion also relates to the considerations specific to public sector entities. The specific reference to the applicability of the standard to public sector entities has been deleted because the standards apply equally to all entities. However, the spirit of Paragraph A57 in ISA has been retained, highlighting that in some cases, auditors may not have the option to withdraw from the engagement.
The third deletion is also related to the Application Section of ISA 240, which dealt with the application of the requirements of ISA 240 to the audits of public sector entities. As per the “Preface to the Standards on Quality Control, Auditing, Review, Other Assurance and Related Services,” the standards issued by the Auditing and Assurance Standards Board apply equally to all entities, irrespective of their form, nature, and size. Therefore, the specific reference to the applicability of the standard to public sector entities has been deleted. However, the spirit of Paragraph A66 in ISA has been retained, highlighting that in some cases, requirements for reporting fraud, whether or not discovered through the audit process, may be subject to specific provisions of the audit mandate or related legislation or regulation.
Objective type questions
1. What are the two types of intentional misstatements relevant to the auditor, as defined by SA 240?
A) Misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets.
B) Misstatements resulting from honest mistakes and misstatements resulting from negligence.
C) Misstatements resulting from errors in financial reporting and misstatements resulting from errors in internal controls.
D) Misstatements resulting from incorrect accounting principles and misstatements resulting from intentional misapplication of accounting standards.
Answer: A)
2. According to SA 240, what are the characteristics of fraud that the auditor is concerned with?
A) Incentive or pressure to commit fraud, perceived opportunity to do so, and rationalization of the act.
B) Incentive or pressure to commit fraud, lack of internal controls, and concealment of fraudulent activities.
C) Incentive or pressure to commit fraud, intentional misapplication of accounting principles, and manipulation of financial records.
D) Incentive or pressure to commit fraud, lack of financial statement users’ trust, and manipulation of accounting policies.
Answer: A)
3. What are some examples of fraudulent financial reporting mentioned in SA 240?
A) Manipulation, falsification, or alteration of accounting records; intentional misapplication of accounting principles.
B) Theft of an entity’s assets, embezzlement of receipts, and stealing physical assets.
C) Misrepresentation or intentional omission of significant information in financial statements; using entity’s assets for personal use.
D) Misstatements resulting from errors in financial reporting; misstatements resulting from errors in internal controls.
Answer: A)
4. According to SA 315, what is the auditor’s responsibility regarding the risks of material misstatement due to fraud?
A) To have positive experiences with the honesty and integrity of the entity’s management.
B) To determine whether a fraud risk factor is present and assess the risks of material misstatement due to fraud.
C) To conduct risk assessment procedures to gain an understanding of the entity, its environment, and its internal controls.
D) To assign and supervise personnel to evaluate the selection and application of accounting policies by the entity.
Answer: B)
5. What are the overall responses that auditors should take to address the risks of material misstatement due to fraud, as stated in SA 240?
A) Increased professional scepticism, assigning additional individuals with specialized skills, and modifying the timing of audit procedures.
B) Increasing the reliance on management’s representations, conducting physical observations, and using different sampling methods.
C) Performing risk assessment procedures, discussing the risks with those charged with governance, and obtaining an understanding of internal control.
D) Accepting records and documents as genuine, making inquiries of management, and reviewing accounting estimates for biases.
Answer: A)
6. When evaluating audit evidence, auditors should consider circumstances that may indicate the possibility of fraud. Which of the following is an example of such a circumstance as mentioned in SA 240?
A) Consistent year-end revenue and income relationships.
B) Uncharacteristically small amounts of income reported in the last few weeks of the reporting period.
C) Income trends that align with cash flow from operations.
D) Unusual relationships involving year-end revenue and income.
Answer: D)
7. If auditors identify a misstatement and have reason to believe it may be the result of fraud involving management, what should they do according to the text?
A) Re-evaluate the assessment of the risks of material misstatement due to fraud and consider possible collusion.
B) Notify regulatory authorities immediately.
C) Proceed with the audit as planned and address the misstatement in the final report.
D) Ignore the misstatement unless it is material to the financial statements.
Answer: A)
Statement on Auditing Standards – SA 210
Statement on Auditing Standards – SA 220
Statement on Auditing Standards – SA 230
Statement on Auditing Standards – SA 240
Statement on Auditing Standards – SA 250
Statement on Auditing Standards – SA 260
Statement on Auditing Standards – SA 265
Statement on Auditing Standards – SA 299
Statement on Auditing Standards – SA 300
Statement on Auditing Standards – SA 315
Statement on Auditing Standards – SA 320
Statement on Auditing Standards – SA 330
Statement on Auditing Standards – SA 402
Statement on Auditing Standards – SA 450
Statement On Auditing Standards – SA 500
Statement on Auditing Standards – SA 501
Statement on Auditing Standards – SA 505
Statement on Auditing Standards – SA 510
Statement on Auditing Standards – SA 520
Statement on Auditing Standards – SA 530
Statement on Auditing Standards – SA 540
Statement on Auditing Standards – SA 560
Statement on Auditing Standards – SA 570
Statement on Auditing Standards – SA 580
Statement on Auditing Standards – SA 600
Statement on Auditing Standards – SA 610
Statement on Auditing Standards – SA 620
Statement on Auditing Standards – SA 700
Statement on Auditing Standards – SA 701
Statement on Auditing Standards – SA 705
Statement on Auditing Standards – SA 706
Statement on Auditing Standards – SA 710
Statement on Auditing Standards – SA 720
Statement on Auditing Standards – SA 800
Statement on Auditing Standards – SA 805
Statement on Auditing Standards – SA 810
Statement on Auditing Standards – SAE 3400
Statement on Auditing Standards – SAE 3402
Statement on Auditing Standards – SRE 2400
Statement on Auditing Standards – SRE 2410
Statement on Auditing Standards – SRS 4400
Statement on Auditing Standards – SRS 4410