AN OUTLINE OF STATEMENT ON AUDITING STANDARDS NO. 82,
CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT

Note: The requirements of the SAS are highlighted in boldface italics.

INTRODUCTION

  1. Section 110 of Statement on Auditing Standards (SAS) No. 1, "Responsibilities and Functions of the Independent Auditor"), states that "the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud."

DESCRIPTION AND CHARACTERISTICS OF FRAUD

  1. Although fraud is a broad legal concept, the auditor's interest specifically relates to fraudulent acts that cause a material misstatement of financial statements.

  2. Two types of misstatements are relevant to the auditor's consideration in a financial statement audit:

      A. Misstatements arising from fraudulent financial reporting.

      B. Misstatements arising from misappropriation of assets.

  3. Fraudulent financial reporting and misappropriation of assets differ in that fraudulent financial reporting is committed, usually by management, to deceive financial statement users while misappropriation of assets is committed against an entity, most often by employees.

  4. Fraud frequently involves the following:

      A. A pressure or an incentive to commit fraud and

      B. A perceived opportunity to do so.

  5. These two conditions usually are present for both types of fraud.

  6. Although fraud usually is concealed, the presence of risk factors or other conditions may alert the auditor to its possible existence.

  7. An auditor cannot obtain absolute assurance that material misstatements in the financial statements will be detected.

  8. Because of (A) the concealment aspects of fraudulent activity, including the fact that fraud often involves collusion or falsified documentation, and (B) the need to apply professional judgment in the identification and evaluation of fraud risk factors and other conditions, even a properly planned and performed audit may not detect material misstatements resulting from fraud.

  9. The auditor is able to obtain only reasonable assurance that material misstatements in the financial statements are detected.

ASSESSMENT OF THE RISK OF MATERIAL MISSTATEMENT DUE TO FRAUD

  1. The auditor should specifically assess the risk of material misstatement of the financial statements due to fraud and should consider that assessment in designing the audit procedures to be performed.

  2. In making this assessment, the auditor should consider fraud risk factors that relate to fraudulent financial reporting and misappropriation of assets in each of the related categories presented in 15 and 16 below.

  3. The auditor also should inquire of management to obtain management's understanding regarding the risk of fraud in the entity. The auditor also should inquire of management to determine if they have knowledge of fraud that has been perpetrated on or within the entity.

  4. Although the fraud risk factors described in the SAS cover a broad range of situations typically faced by auditors, they are only examples. Some may be of greater or lesser significance in entities of different size, with different ownership characteristics, in different industries or because of other differing characteristics or circumstances. Accordingly, the auditor should use professional judgment when assessing the significance and relevance of fraud risk factors and determining the appropriate audit response.

  5. Risk factors that relate to fraudulent financial reporting may be grouped in the following three categories:

    1. Management's Characteristics and Influence over the Control Environment. These pertain to management's abilities, pressures, style, and attitude relating to internal control and the financial reporting process. For example, strained relationship between management and the current or predecessor auditor.

    2. Industry Conditions. These involve the economic and regulatory environment in which the entity operates. For example, declining industry with increasing business failures.

    3. Operating Characteristics and Financial Stability. These pertain to the nature and complexity of the entity and its transactions, the entity's financial condition, and its profitability. For example, significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.

  6. Risk factors that relate to misappropriation of assets may be grouped in the two categories below.

    1. Susceptability of Assets to Miappropriation. These pertain to the nature of an entity's assets and the degree to which they are subject to theft. For example, easily convertible assets, such as bearer bonds, diamonds, or computer chips.

    2. Controls. These involve the lack of controls designed to prevent or detect misappropriation of assets. For example, an accounting system in disarray.

  7. Although the auditor is not required to plan the audit to discover information that is indicative of financial stress of employees or adverse relationships between the entity and its employees, nevertheless, the auditor may become aware of such information. For example, anticipated future employee layoffs that are known to the work force. If the auditor becomes aware of such information, he or she should consider it in assessing the risk of material misstatement arising from misappropriation of assets.

  8. Fraud risk factors cannot easily be ranked in order of importance or combined into effective predictive models.

  9. The auditor should exercise professional judgment when considering risk factors individually or in combination and whether there are specific controls that mitigate the risk.

  10. If the entity has established a program that includes proactive steps to prevent, deter and detect fraud, the auditor may consider its effectiveness.

  11. The auditor also should inquire of those persons overseeing such programs as to whether the program has identified any fraud risk factors.

  12. Fraud risk factors may come to the auditor's attention while performing procedures relating to acceptance or continuance of clients, during engagement planning or obtaining an understanding of an entity's internal control, or while conducting field work.

  13. Accordingly, the assessment of the risk of material misstatement due to fraud is a cumulative process that includes a consideration of risk factors individually and in combination.

  14. Other conditions may be identified during field work that change or support a judgment regarding the assessment such as unavailability of other than photocopied documents when documents in original form are expected to exist or auditors are denied access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought.

  15. Accordingly, the assessment is an ongoing process as work is performed because other conditions may be identified during field work that change or support a judgment regarding the assessment.

    THE AUDITOR'S RESPONSE TO THE RESULTS OF THE ASSESSMENT

    1. A risk of material misstatement due to fraud is always present to some degree; consequently, the auditor's response is influenced by the degree of risk assessed.

    2. The auditor should consider whether the assessment of the risk of material misstatement due to fraud indicates a need for an overall response, one that is specific to a particular account balance, class of transactions or assertion or both.

    3. In some cases, even though some of the fraud risk factors are identified as being present, the auditor's judgment may be that audit procedures otherwise planned are sufficient to respond to the risk factors, individually or in combination. In other circumstances, the auditor may conclude that the conditions indicate a need to modify procedures.

    4. The auditor also may conclude that it is not practicable to modify the procedures sufficiently to address the risk, in which case withdrawal and communication to the appropriate parties may be appropriate.

    5. Judgments about the risk of material misstatement due to fraud may affect the audit in the following ways:

      1. Professional Skepticism. Due professional care requires the auditor to exercise professional skepticism-that is, an attitude that includes a questioning mind and critical assessment of audit evidence.

      2. Assignment of Personnel. The knowledge, skill, and ability of personnel assigned significant engagement responsibilities should be commensurate with the assessment of the level of risk of the engagement. In addition, the extent of supervision should recognize the risk of material misstatement due to fraud and the qualifications of persons performing the work.

      3. Accounting Principles and Policies. The auditor may conclude that there is a risk of fraudulent financial reporting that requires the auditor to consider further management's selection and application of significant accounting policies, particularly those related to revenue recognition, asset valuation, or capitalizing versus expensing.

      4. Controls. When a risk of material misstatement due to fraud relates to risk factors that have control implications, the auditor's ability to assess control risk below the maximum may be reduced.

    6. The nature, timing and extent of procedures may need to be modified in the following ways:

      1. The nature of audit procedures performed may need to be changed to obtain evidence that is more reliable or obtain additional corroborative information.

      2. The timing of substantive tests may need to be altered to be closer to or at year end.

      3. The extent of the procedures applied should reflect the assessment of the risk of material misstatement due to fraud.

      EVALUATION OF AUDIT TEST RESULTS

      1. Prior to the completion of the audit, the auditor should consider whether the accumulated results of audit procedures and other observations affect the assessment of the risk of material misstatement due to fraud made when planning the audit.

      2. When audit test results identify misstatements in the financial statements, the auditor should consider whether such misstatements may be indicative of fraud.

      3. When the auditor has determined that a misstatement is or may be the result of fraud, but the effect of the misstatement is not material to the financial statements, the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the employee(s) involved.

      4. When the matter involves higher level management even though the amount itself is not material to the financial statements, it may be indicative of a more pervasive problem In such circumstances, the auditor should reevaluate the assessment of the risk of material misstatement due to fraud and its resulting impact on the audit.

      5. If the auditor has determined that the misstatement is, or may be, the result of fraud, and either has determined that the effect could be material to the financial statements or has been unable to evaluate whether the effect is material, the auditor should-

        1. Consider the implications for other aspects of the audit.

        2. Discuss the matter and the approach to further investigation with an appropriate level of management that is at least one level above those involved and with senior management.

        3. Attempt to obtain sufficient competent evidential matter to determine whether, in fact, material fraud exists, and, if so, its effect.

        4. If appropriate, suggest that the client consult with legal counsel.

      6. The auditor's consideration of the risk of material misstatement due to fraud and the results of audit tests may indicate such a significant risk of fraud that the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others with equivalent authority and responsibility.

        DOCUMENTATION OF THE AUDITOR'S RISK ASSESSMENT AND RESPONSE

        1. In planning the audit, the auditor should document in the working papers evidence of the performance of the assessment of the risk of material misstatement due to fraud, including how fraud risk factors were considered, Where risk factors are identified, the documentation should include:

          1. Risk factors identified.

          2. The auditor's response to those risk factors, individually or in combination.

        2. If during the performance of the audit fraud risk factors or other conditions are identified that cause the auditor to believe that an additional response is required, such risk factors or other conditions, and any further response that the auditor concluded was appropriate, also should be documented.

          COMMUNICATIONS ABOUT FRAUD TO MANAGEMENT, THE AUDIT COMMITTEE AND OTHERS

          1. Whenever the auditor has determined that there is evidence that a fraud may exist, that matter should be brought to the attention of an appropriate level of management.

          2. Fraud involving senior management and fraud that "causes a material misstatement of the financial statements should be reported directly to the audit committee.

          3. In addition, the auditor should reach an understanding with the audit committee regarding the expected nature and extent of communications about misappropriations perpetrated by lower level employees.

          4. When the auditor has identified risk factors that have continuing control implications, the auditor should consider whether these risk factors represent reportable conditions that should be reported to senior management and the audit committee. (Reportable conditions are defined in SAS No. 60, Communication of Internal Control Matters Noted in an Audit, as significant deficiencies in the design or operation of internal control which could adversely affect the organization's ability to produce reliable financial statements.)

          5. The disclosure of fraud to parties other than the client's senior management and its audit committee ordinarily is not part of the auditor's responsibility and ordinarily would be precluded by the auditor's ethical or legal obligations of confidentiality.

          6. The auditor should recognize, however, that in the following circumstances a duty to disclose outside the entity may exist:

            1. To comply with certain legal and regulatory requirements.

            2. To a successor auditor when the successor makes inquiries in accordance with SAS No. 7, Communications Between Predecessor and Successor Auditors.

            3. In response to a subpoena.

            4. To a funding agency or other specified agency in accordance with requirements for the audits of entities that receive governmental financial assistance.

            EFFECTIVE DATE

            1. This Statement is effective for audits of financial statements for periods ending on or after December 15, 1997. Early application of the provisions of this Statement is permissible.