The fifth concept covered in ISA (NZ) 315 (revised 2019) as expressed in Paragraph 6 relates to both fraud and error.
Errors are misstatements that happen by accident, whereas fraud involves misstatements made on purpose. We have to consider both. Note that our standard audit approach is to look for material misstatements – which may be caused by fraud or by error.
Same-sized net to catch both
It’s like we have a fishing net – the gaps in the net correspond with materiality. Some fish are error fish and some are fraud fish. We are not using a smaller mesh for fraud – it is the same size. So while we are not specifically forensic auditors, we must consider that we have a responsibility to catch all the fish that are over a certain size.
Errors are more likely to affect individual assertions, but fraud may well impact the financial statement level – the pervasive or global level. Errors, especially in IT systems, are likely to recur, so will affect the same thing over and over – say a bug that values the stock at the wrong value. So the scope will likely be narrower.
Human error may be systematic also – say through poor training where an admin person consistently miscodes things. Or it may be random because someone is off sick or having a bad day and just makes a mistake.
Fraud does not just mean misappropriation of assets; it is any deliberate misrepresentation. In the words of ISA 240 (3):
Two types of intentional misstatements are relevant to the auditor— misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets
Paragraph A27 says that:
Analytical procedures help identify inconsistencies, unusual transactions or events, and amounts, ratios, and trends that indicate matters that may have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.
Note that there are two types of analytical procedures: those that are part of our planning, where we identify risk, and those used as a response to risk, where we develop expectations etc. This paragraph is more about planning analytical review.
Paragraph A42 tells us that the team discussion:
Allows the engagement team members to exchange information about the business risks to which the entity is subject, how inherent risk factors may affect the susceptibility to misstatement of classes of transactions, account balances and disclosures, and about how and where the financial statements might be susceptible to material misstatement due to fraud or error…
ISA (NZ) 240 requires the engagement team discussion to place particular emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud may occur.
So although this mentions both fraud and error, the emphasis is on how fraud could occur. And this must be specifically recorded in the meeting.
Paragraph A50 tells us that understanding the entity and environment helps with identifying the risks of fraud. How? Here it is useful to put ourselves in the shoes of the fraudster. If I were going to defraud this entity, how would I do it?
A common approach is to use the “Fraud Triangle”.
According to the US National Whistleblower Center:
To predict the conditions that lead to a high risk of fraud, anti-fraud professionals and researchers frequently rely on a concept called the “fraud triangle.”
The fraud triangle assumes that:
...individuals are motivated to commit fraud when three elements come together: (1) some kind of perceived pressure, (2) some perceived opportunity, and (3) some way to rationalize the fraud as not being inconsistent with one’s values.
To identify motivations, we search for financial pressure or incentives.
In the corporate world, the pressure to engage in fraud can be high, for example, when organizations or employees feel pressure to meet financial targets, to catch up to competitors, or to make up for poor past performance. Economic conditions such as a financial crisis can make pressure particularly acute, increasing the temptation for fraud. In these cases, to identify incentives that are conducive to fraud, we look at the relationship between structural incentives, such as executive compensation structures, and incentives to engage in fraud.
Common cases of fraud that hit our media are those carried out for personal gain, say because someone has a gambling problem or other debt issue. These kinds of frauds are more common with charities and clubs.
Opportunities for fraud are high when there is a lack of division of duties and other poor controls, or collusion. To identify opportunities for fraud, we look at internal structural factors including internal controls or monitoring of controls. Economic conditions such as a financial crisis may also increase opportunities. For example, opportunity could be greater at a company that has recently laid off employees, making it harder to maintain a segregation of duties. The same goes for a charity where there is reliance on volunteers, or a high turnover of board members, or where people are just so busy that no one has time to run the organisation properly.
Rationalisation must exist for the perpetrators of the fraud to justify their choices. People act in accordance with their values, so they have to reconcile their actions with their values somehow.
So the fraud triangle suggests that a third, necessary component for fraud is the ability for employees to justify fraud. Employees may have an easy time rationalizing fraud, for example, when they perceive that executives condone fraud or believe that fraud is widespread across an industry. “Everybody does it.” “It’s just how you have to do business.” “My bosses expect me to get creative – this is what they hired me to do.”
Or, negatively, there can be a sense that “they’ll just waste this money anyway”, or “they don’t pay me enough for what I do – I deserve this”, or “here is my chance to impress people that I can live the high life too.”
So we look to economic factors that can be used to rationalize fraud, such as the belief that fraud is necessary to help a business survive a financial crisis. Personal rationalisations are much harder to spot until after the fact.
So as part of our team brainstorming it will be useful to consider the fraud triangle and document where there could be potential risks of fraud.
Understand how financial performance is measured
Paragraph A74 tells us that understanding the measures used to assess financial performance also helps with identifying the risks of fraud.
This relates to the opportunity part of the triangle. Enron used an accounting method that, while technically not illegal, was probably inappropriate for many of its business activities. This is why the areas of estimates, fair value measurement, treatment of leases, financial instruments and impairment need such careful scrutiny. They affect both financial performance and the asset position of the entity.
Understanding the measures used to assess financial performance helps us to understand the pressures on the entity to achieve performance targets. These pressures may motivate management to take actions that increase the susceptibility to misstatement due to management bias or fraud. What are their KPIs? What incentives exist that might encourage fraudulent misstatement?
Just as in a small for-profit there might be an incentive to include private expenditure to reduce tax, in a charity the incentive is more likely to be to find ways to make performance look better so that grants continue to flow in, say by overstating receivables through the wrong cut-off of prepaid income.
When the control environment fails
Paragraph A107 says that:
Although the control environment may provide an appropriate foundation for the system of internal control and may help reduce the risk of fraud, an appropriate control environment is not necessarily an effective deterrent to fraud.
The example given is an entity that has good controls around hiring the right people to run the financial systems, good supervision and other procedures. But this will not stop senior management from overriding controls, say to overstate earnings.
Understand how they assess risk
Paragraph A109 says that understanding the entity’s risk assessment process (Ref: Para. 22(a)) helps us consider whether management or governance has considered the potential for fraud when considering the risks to achieving the entity’s objectives.
If they have done this process before us, we can check whether we think they have been thorough in their own risk assessment. What have they missed? What have they considered that we might have missed?
Fraud Risks are significant risks
Paragraph A159 says that:
ISA (NZ) 240 requires the auditor to understand controls related to assessed risks of material misstatement due to fraud (which are treated as significant risks) and further explains that it is important for the auditor to obtain an understanding of the controls that management has designed, implemented and maintained to prevent and detect fraud.
So we must ask the client what controls they have to detect fraud and identify any risks related to these controls as significant. This relates to Para. 26(a)(i), which requires us to:
...obtain an understanding of the control activities component, through performing risk assessment procedures, by… identifying controls that address risks of material misstatement at the assertion level in the control activities component … Controls that address risks that are determined to be a significant risk.