Auditing for Fraud Risks: Management's Responsibility and the Auditor's Role, Study Guides, Projects, Research of Auditing

Download Auditing for Fraud Risks: Management's Responsibility and the Auditor's Role and more Study Guides, Projects, Research Auditing in PDF only on Docsity! Consideration of Fraud in a Financial Statement Audit 1719 AU Section 316 Consideration of Fraud in a Financial Statement Audit (Supersedes SAS No. 82.) Source: SAS No. 99; SAS No. 113. Effective for audits of financial statements for periods beginning on or after December 15, 2002, unless otherwise indicated. Introduction and Overview .01 Section 110, Responsibilities and Functions of the Independent Audi- tor, paragraph .02, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial state- ments are free of material misstatement, whether caused by error or fraud. [footnote omitted]"1 This section establishes standards and provides guidance to auditors in fulfilling that responsibility, as it relates to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS).2 .02 The following is an overview of the organization and content of this section: • Description and characteristics of fraud. This section describes fraud and its characteristics. (See paragraphs .05 through .12.) • The importance of exercising professional skepticism. This section dis- cusses the need for auditors to exercise professional skepticism when considering the possibility that a material misstatement due to fraud could be present. (See paragraph .13.) • Discussion among engagement personnel regarding the risks of mate- rial misstatement due to fraud. This section requires, as part of plan- ning the audit, that there be a discussion among the audit team mem- bers to consider how and where the entity's financial statements might be susceptible to material misstatement due to fraud and to reinforce the importance of adopting an appropriate mindset of professional skepticism. (See paragraphs .14 through .18.) 1 The auditor's consideration of illegal acts and responsibility for detecting misstatements result- ing from illegal acts is defined in section 317, Illegal Acts by Clients. For those illegal acts that are defined in that section as having a direct and material effect on the determination of financial state- ment amounts, the auditor's responsibility to detect misstatements resulting from such illegal acts is the same as that for errors (see section 312, Audit Risk and Materiality in Conducting an Audit, or fraud). 2 Auditors are sometimes requested to perform other services related to fraud detection and pre- vention, for example, special investigations to determine the extent of a suspected or detected fraud. These other services usually include procedures that extend beyond or are different from the proce- dures ordinarily performed in an audit of financial statements in accordance with generally accepted auditing standards (GAAS). AT section 101, Attest Engagements, and CS section 100, Consulting Ser- vices: Definitions and Standards, provide guidance to accountants relating to the performance of such services. AU §316.02 1720 The Standards of Field Work • Obtaining the information needed to identify risks of material mis- statement due to fraud. This section requires the auditor to gather information necessary to identify risks of material misstatement due to fraud, by a. Inquiring of management and others within the entity about the risks of fraud. (See paragraphs .20 through .27.) b. Considering the results of the analytical procedures performed in planning the audit. (See paragraphs .28 through .30.) c. Considering fraud risk factors. (See paragraphs .31 through .33, and the Appendix, "Examples of Fraud Risk Factors" [para- graph .85].) d. Considering certain other information. (See paragraph .34.) • Identifying risks that may result in a material misstatement due to fraud. This section requires the auditor to use the information gath- ered to identify risks that may result in a material misstatement due to fraud. (See paragraphs .35 through .42.) • Assessing the identified risks after taking into account an evaluation of the entity's programs and controls. This section requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement due to fraud, and to assess the risks taking into account this evaluation. (See paragraphs .43 through .45.) • Responding to the results of the assessment. This section emphasizes that the auditor's response to the risks of material misstatement due to fraud involves the application of professional skepticism when gath- ering and evaluating audit evidence. (See paragraph .46 through .49.) The section requires the auditor to respond to the results of the risk assessment in three ways: a. A response that has an overall effect on how the audit is con- ducted, that is, a response involving more general considerations apart from the specific procedures otherwise planned. (See para- graph .50.) b. A response to identified risks that involves the nature, timing, and extent of the auditing procedures to be performed. (See para- graphs .51 through .56.) c. A response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls. (See paragraphs .57 through .67.) • Evaluating audit evidence. This section requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumu- lated results of auditing procedures and other observations affect the assessment. (See paragraphs .68 through .74.) It also requires the au- ditor to consider whether identified misstatements may be indicative of fraud and, if so, directs the auditor to evaluate their implications. (See paragraphs .75 through .78.) • Communicating about fraud to management, those charged with gover- nance, and others. This section provides guidance regarding the audi- tor's communications about fraud to management, those charged with governance, and others. (See paragraphs .79 through .82.) • Documenting the auditor's consideration of fraud. This section de- scribes related documentation requirements. (See paragraph .83.) AU §316.02 Consideration of Fraud in a Financial Statement Audit 1723 .08 Management has a unique ability to perpetrate fraud because it fre- quently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively.6 Management can either direct employees to perpetrate fraud or solicit their help in carrying it out. In addition, management personnel at a component of the entity may be in a position to manipulate the accounting records of the component in a manner that causes a material misstatement in the consolidated financial statements of the entity. Management override of controls can occur in unpredictable ways. .09 Typically, management and employees engaged in fraud will take steps to conceal the fraud from the auditors and others within and outside the orga- nization. Fraud may be concealed by withholding evidence or misrepresenting information in response to inquiries or by falsifying documentation. For exam- ple, management that engages in fraudulent financial reporting might alter shipping documents. Employees or members of management who misappro- priate cash might try to conceal their thefts by forging signatures or falsifying electronic approvals on disbursement authorizations. An audit conducted in ac- cordance with GAAS rarely involves the authentication of such documentation, nor are auditors trained as or expected to be experts in such authentication. In addition, an auditor may not discover the existence of a modification of doc- umentation through a side agreement that management or a third party has not disclosed. .10 Fraud also may be concealed through collusion among management, employees, or third parties. Collusion may cause the auditor who has properly performed the audit to conclude that evidence provided is persuasive when it is, in fact, false. For example, through collusion, false evidence that controls have been operating effectively may be presented to the auditor, or consistent mis- leading explanations may be given to the auditor by more than one individual within the entity to explain an unexpected result of an analytical procedure. As another example, the auditor may receive a false confirmation from a third party that is in collusion with management. .11 Although fraud usually is concealed and management's intent is diffi- cult to determine, the presence of certain conditions may suggest to the auditor the possibility that fraud may exist. For example, an important contract may be missing, a subsidiary ledger may not be satisfactorily reconciled to its con- trol account, or the results of an analytical procedure performed during the audit may not be consistent with expectations. However, these conditions may be the result of circumstances other than fraud. Documents may legitimately have been lost or misfiled; the subsidiary ledger may be out of balance with its control account because of an unintentional accounting error; and unexpected analytical relationships may be the result of unanticipated changes in underly- ing economic factors. Even reports of alleged fraud may not always be reliable because an employee or outsider may be mistaken or may be motivated for unknown reasons to make a false allegation. .12 As indicated in paragraph .01, the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the finan- cial statements are free of material misstatement, whether caused by fraud or 6 Frauds have been committed by management override of existing controls using such techniques as (a) recording fictitious journal entries, particularly those recorded close to the end of an accounting period to manipulate operating results, (b) intentionally biasing assumptions and judgments used to estimate account balances, and (c) altering records and terms related to significant and unusual transactions. AU §316.12 1724 The Standards of Field Work error.7 However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the na- ture of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud. The Importance of Exercising Professional Skepticism .13 Due professional care requires the auditor to exercise professional skepticism. See section 230, Due Professional Care in the Performance of Work, paragraphs .07 through .09. Because of the characteristics of fraud, the audi- tor's exercise of professional skepticism is important when considering the risk of material misstatement due to fraud. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regard- less of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepti- cism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest. Discussion Among Engagement Personnel Regarding the Risks of Material Misstatement Due to Fraud .14 Prior to or in conjunction with the information-gathering procedures described in paragraphs .19 through .34 of this section, members of the audit team should discuss the potential for material misstatement due to fraud. The discussion should include: • An exchange of ideas or "brainstorming" among the audit team mem- bers, including the auditor with final responsibility for the audit, about how and where they believe the entity's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. (See paragraph .15.) • An emphasis on the importance of maintaining the proper state of mind throughout the audit regarding the potential for material mis- statement due to fraud. (See paragraph .16.) .15 The discussion among the audit team members about the susceptibil- ity of the entity's financial statements to material misstatement due to fraud should include a consideration of the known external and internal factors af- fecting the entity that might (a) create incentives/pressures for management and others to commit fraud, (b) provide the opportunity for fraud to be perpe- trated, and (c) indicate a culture or environment that enables management to rationalize committing fraud. The discussion should occur with an attitude that includes a questioning mind as described in paragraph .16 and, for this purpose, 7 For a further discussion of the concept of reasonable assurance, see section 230, Due Professional Care in the Performance of Work, paragraphs .10 through .13. AU §316.13 Consideration of Fraud in a Financial Statement Audit 1725 setting aside any prior beliefs the audit team members may have that manage- ment is honest and has integrity. In this regard, the discussion should include a consideration of the risk of management override of controls.8 Finally, the discussion should include how the auditor might respond to the susceptibility of the entity's financial statements to material misstatement due to fraud. .16 The discussion among the audit team members should emphasize the need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating evidence throughout the audit, as described in para- graph .13. This should lead the audit team members to continually be alert for information or other conditions (such as those presented in paragraph .68) that indicate a material misstatement due to fraud may have occurred. It should also lead audit team members to thoroughly probe the issues, acquire additional ev- idence as necessary, and consult with other team members and, if appropriate, experts in the firm, rather than rationalize or dismiss information or other con- ditions that indicate a material misstatement due to fraud may have occurred. .17 Although professional judgment should be used in determining which audit team members should be included in the discussion, the discussion ordi- narily should involve the key members of the audit team. A number of factors will influence the extent of the discussion and how it should occur. For example, if the audit involves more than one location, there could be multiple discus- sions with team members in differing locations. Another factor to consider in planning the discussions is whether to include specialists assigned to the audit team. For example, if the auditor has determined that a professional possessing information technology skills is needed on the audit team (see section 311.31), it may be useful to include that individual in the discussion. [Revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 108.] .18 Communication among the audit team members about the risks of ma- terial misstatement due to fraud also should continue throughout the audit—for example, in evaluating the risks of material misstatement due to fraud at or near the completion of the field work. (See paragraph .74 and footnote 28.) Obtaining the Information Needed to Identify the Risks of Material Misstatement Due to Fraud .19 Section 314 provides guidance about how the auditor obtains an un- derstanding of the entity and its environment, including its internal control. In performing that work, information may come to the auditor's attention that should be considered in identifying risks of material misstatement due to fraud. As part of this work, the auditor should perform the following procedures to ob- tain information that is used (as described in paragraphs .35 through .42) to identify the risks of material misstatement due to fraud: a. Make inquiries of management and others within the entity to obtain their views about the risks of fraud and how they are addressed. (See paragraphs .20 through .27.) b. Consider any unusual or unexpected relationships that have been identified in performing analytical procedures in planning the audit. (See paragraphs .28 through .30.) 8 See footnote 6. AU §316.19 1728 The Standards of Field Work has communicated standards of ethical behavior to individuals throughout the organization. .27 The auditor should be aware when evaluating management's responses to the inquiries discussed in paragraph .20 that management is often in the best position to perpetrate fraud. The auditor should use professional judgment in deciding when it is necessary to corroborate responses to inquiries with other information. However, when responses are inconsistent among inquiries, the auditor should obtain additional audit evidence to resolve the inconsistencies. Considering the Results of the Analytical Procedures Performed in Planning the Audit .28 Section 329, Analytical Procedures, paragraphs .04 and .06, requires that analytical procedures be performed in planning the audit with an objective of identifying the existence of unusual transactions or events, and amounts, ra- tios, and trends that might indicate matters that have financial statement and audit planning implications. In performing analytical procedures in planning the audit, the auditor develops expectations about plausible relationships that are reasonably expected to exist, based on the auditor's understanding of the en- tity and its environment. When comparison of those expectations with recorded amounts or ratios developed from recorded amounts yields unusual or unex- pected relationships, the auditor should consider those results in identifying the risks of material misstatement due to fraud. .29 In planning the audit, the auditor also should perform analytical pro- cedures relating to revenue with the objective of identifying unusual or unex- pected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. An example of such an an- alytical procedure that addresses this objective is a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales. As another example, a trend analysis of revenues by month and sales returns by month during and shortly after the reporting period may in- dicate the existence of undisclosed side agreements with customers to return goods that would preclude revenue recognition.13 .30 Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud. Considering Fraud Risk Factors .31 Because fraud is usually concealed, material misstatements due to fraud are difficult to detect. Nevertheless, the auditor may identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent ac- tion. Such events or conditions are referred to as "fraud risk factors." Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists. 13 See paragraph .70 for a discussion of the need to update these analytical procedures during the overall review stage of the audit. AU §316.27 Consideration of Fraud in a Financial Statement Audit 1729 .32 When obtaining information about the entity and its environment, the auditor should consider whether the information indicates that one or more fraud risk factors are present. The auditor should use professional judgment in determining whether a risk factor is present and should be considered in identifying and assessing the risks of material misstatement due to fraud. .33 Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are presented in the Appendix [paragraph .85]. These illustrative risk factors are classified based on the three conditions gen- erally present when fraud exists: incentive/pressure to perpetrate fraud, an opportunity to carry out the fraud, and attitude/rationalization to justify the fraudulent action. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may wish to consider ad- ditional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence. Considering Other Information That May Be Helpful in Identifying Risks of Material Misstatement Due to Fraud .34 The auditor should consider other information that may be helpful in identifying risks of material misstatement due to fraud. Specifically, the discussion among the engagement team members (see paragraphs .14 through .18) may provide information helpful in identifying such risks. In addition, the auditor should consider whether information from the results of (a) procedures relating to the acceptance and continuance of clients and engagements14 and (b) reviews of interim financial statements may be relevant in the identification of such risks. Finally, as part of the consideration of audit risk at the individual account balance or class of transaction level (see section 312.17 through .26), the auditor should consider whether identified inherent risks would provide useful information in identifying the risks of material misstatement due to fraud (see paragraph .39). [Revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 107.] Identifying Risks That May Result in a Material Misstatement Due to Fraud15 Using the Information Gathered to Identify Risk of Material Misstatements Due to Fraud .35 In identifying risks of material misstatement due to fraud, it is helpful for the auditor to consider the information that has been gathered (see para- graphs .19 through .34) in the context of the three conditions present when a material misstatement due to fraud occurs—that is, incentives/pressures, 14 See paragraphs .27–.36 of QC section 10B, A Firm's System of Quality Control. [Footnote amended due to issuance of SQCS No. 7, December 2008.] 15 Section 314, Understanding the Entity and its Environment and Assessing the Risks of Mate- rial Misstatement, requires the auditor to identify and assess the risk of material misstatement at the financial statement level and at the relevant assertion level related to classes of transactions, ac- count balances and disclosures. See section 314.102. [Footnote added, effective for audits of financial statements for periods beginning on or after December 15, 2006, by Statement on Auditing Standards No. 113.] AU §316.35 1730 The Standards of Field Work opportunities, and attitudes/rationalizations (see paragraph .07). However, the auditor should not assume that all three conditions must be observed or evident before concluding that there are identified risks. Although the risk of material misstatement due to fraud may be greatest when all three fraud conditions are observed or evident, the auditor cannot assume that the inability to observe one or two of these conditions means there is no risk of material misstatement due to fraud. In fact, observing that individuals have the requisite attitude to commit fraud, or identifying factors that indicate a likelihood that management or other employees will rationalize committing a fraud, is difficult at best. .36 In addition, the extent to which each of the three conditions referred to above are present when fraud occurs may vary. In some instances the signifi- cance of incentives/pressures may result in a risk of material misstatement due to fraud, apart from the significance of the other two conditions. For example, an incentive/pressure to achieve an earnings level to preclude a loan default, or to "trigger" incentive compensation plan awards, may alone result in a risk of material misstatement due to fraud. In other instances, an easy opportunity to commit the fraud because of a lack of controls may be the dominant condition precipitating the risk of fraud, or an individual's attitude or ability to rational- ize unethical actions may be sufficient to motivate that individual to engage in fraud, even in the absence of significant incentives/pressures or opportunities. .37 The auditor's identification of fraud risks also may be influenced by characteristics such as the size, complexity, and ownership attributes of the entity. For example, in the case of a larger entity, the auditor ordinarily con- siders factors that generally constrain improper conduct by management, such as the effectiveness of the audit committee and the internal audit function, and the existence and enforcement of a formal code of conduct. In the case of a smaller entity, some or all of these considerations may be inapplicable or less important, and management may have developed a culture that emphasizes the importance of integrity and ethical behavior through oral communication and management by example. Also, the risks of material misstatement due to fraud may vary among operating locations or business segments of an entity, requiring an identification of the risks related to specific geographic areas or business segments, as well as for the entity as a whole.16 .38 The auditor should evaluate whether identified risks of material mis- statement due to fraud can be related to specific financial-statement account balances or classes of transactions and related assertions, or whether they re- late more pervasively to the financial statements as a whole. Relating the risks of material misstatement due to fraud to the individual accounts, classes of transactions, and assertions will assist the auditor in subsequently designing appropriate auditing procedures. .39 Certain accounts, classes of transactions, and assertions that have high inherent risk because they involve a high degree of management judgment and subjectivity also may present risks of material misstatement due to fraud be- cause they are susceptible to manipulation by management. For example, li- abilities resulting from a restructuring may be deemed to have high inherent risk because of the high degree of subjectivity and management judgment in- volved in their estimation. Similarly, revenues for software developers may be deemed to have high inherent risk because of the complex accounting principles 16 Section 312.16 provides guidance on the auditor's consideration of the extent to which auditing procedures should be performed at selected locations or components. [Footnote revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 107. Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.36 Consideration of Fraud in a Financial Statement Audit 1733 .47 The auditor's response to the assessment of the risks of material mis- statement of the financial statements due to fraud is influenced by the nature and significance of the risks identified as being present (paragraphs .35 through .42) and the entity's programs and controls that address these identified risks (paragraphs .43 through .45). .48 The auditor responds to risks of material misstatement due to fraud in the following three ways: a. A response that has an overall effect on how the audit is conducted— that is, a response involving more general considerations apart from the specific procedures otherwise planned (see paragraph .50). b. A response to identified risks involving the nature, timing, and extent of the auditing procedures to be performed (see paragraphs .51 through .56). c. A response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving man- agement override of controls, given the unpredictable ways in which such override could occur (see paragraphs .57 through .67). .49 The auditor may conclude that it would not be practicable to design au- diting procedures that sufficiently address the risks of material misstatement due to fraud. In that case, withdrawal from the engagement with communi- cation to the appropriate parties may be an appropriate course of action (see paragraph .78). Overall Responses to the Risk of Material Misstatement .50 Judgments about the risk of material misstatement due to fraud have an overall effect on how the audit is conducted in the following ways: • Assignment of personnel and supervision. The knowledge, skill, and ability of personnel assigned significant engagement responsibilities should be commensurate with the auditor's assessment of the risks of material misstatement due to fraud for the engagement (see section 210, Training and Proficiency of the Independent Auditor, paragraph .03). For example, the auditor may respond to an identified risk of material misstatement due to fraud by assigning additional persons with specialized skill and knowledge, such as forensic and information technology (IT) specialists, or by assigning more experienced personnel to the engagement. In addition, the extent of supervision should reflect the risks of material misstatement due to fraud (see section 311.28). • Accounting principles. The auditor should consider management's se- lection and application of significant accounting principles, particu- larly those related to subjective measurements and complex transac- tions. In this respect, the auditor may have a greater concern about whether the accounting principles selected and policies adopted are being applied in an inappropriate manner to create a material mis- statement of the financial statements. In developing judgments about the quality of such principles (see section 380, The Auditor's Commu- nication With Those Charged With Governance, paragraph .11), the auditor should consider whether their collective application indicates a bias that may create such a material misstatement of the financial statements. • Predictability of auditing procedures. The auditor should incorpo- rate an element of unpredictability in the selection from year to AU §316.50 1734 The Standards of Field Work year of auditing procedures to be performed—for example, perform- ing substantive tests of selected account balances and assertions not otherwise tested due to their materiality or risk, adjusting the timing of testing from that otherwise expected, using differing sampling meth- ods, and performing procedures at different locations or at locations on an unannounced basis. [Revised, March 2006, to reflect conforming changes necessary due to the is- suance of Statement on Auditing Standards No. 108. Revised, April 2007, to reflect conforming changes necessary due to the issuance of Statement on Au- diting Standards No. 114.] Responses Involving the Nature, Timing, and Extent of Procedures to Be Performed to Address the Identified Risks .51 The auditing procedures performed in response to identified risks of material misstatement due to fraud will vary depending upon the types of risks identified and the account balances, classes of transactions, and related asser- tions that may be affected. These procedures may involve both substantive tests and tests of the operating effectiveness of the entity's programs and controls. However, because management may have the ability to override controls that otherwise appear to be operating effectively (see paragraph .08), it is unlikely that audit risk can be reduced to an appropriately low level by performing only tests of controls. .52 The auditor's responses to address specifically identified risks of mate- rial misstatement due to fraud may include changing the nature, timing, and extent of auditing procedures in the following ways: • The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corrob- orative information. For example, more audit evidence may be needed from independent sources outside the entity, such as public-record in- formation about the existence and nature of key customers, vendors, or counterparties in a major transaction. Also, physical observation or in- spection of certain assets may become more important (see section 326, Audit Evidence, paragraphs .06 through .13). Furthermore, the audi- tor may choose to employ computer-assisted audit techniques to gather more extensive evidence about data contained in significant accounts or electronic transaction files. Finally, inquiry of additional members of management or others may be helpful in identifying issues and cor- roborating other audit evidence (see paragraphs .24 through .26 and paragraph .53). • The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud (see section 318, Performing Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained). That is, the auditor might conclude that, given the risks of intentional misstatement or manipulation, tests to extend audit conclusions from an interim date to the period-end reporting date would not be effective. In contrast, because an intentional misstatement—for example, a misstatement involving inappropriate revenue recognition—may have been initiated in an interim period, the auditor might elect to apply AU §316.51 Consideration of Fraud in a Financial Statement Audit 1735 substantive tests to transactions occurring earlier in or throughout the reporting period. • The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increas- ing sample sizes or performing analytical procedures at a more detailed level may be appropriate (see section 350, Audit Sampling, paragraph .22, and section 329). Also, computer-assisted audit techniques may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample. [Revised, March 2006, to reflect conforming changes necessary due to the is- suance of Statements on Auditing Standards No. 105, No. 106, No. 110 and No. 111.] .53 The following are examples of modification of the nature, timing, and extent of tests in response to identified risks of material misstatements due to fraud. • Performing procedures at locations on a surprise or unannounced ba- sis, for example, observing inventory on unexpected dates or at unex- pected locations or counting cash on a surprise basis. • Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimize the risk of manip- ulation of balances in the period between the date of completion of the count and the end of the reporting period. • Making oral inquiries of major customers and suppliers in addition to sending written confirmations, or sending confirmation requests to a specific party within an organization. • Performing substantive analytical procedures using disaggregated data, for example, comparing gross profit or operating margins by lo- cation, line of business, or month to auditor-developed expectations.22 • Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified to obtain their insights about the risk and how controls address the risk (also see paragraph .24). • If other independent auditors are auditing the financial statements of one or more subsidiaries, divisions, or branches, discussing with them the extent of work that needs to be performed to address the risk of material misstatement due to fraud resulting from transactions and activities among these components. Additional Examples of Responses to Identified Risks of Misstatements Arising From Fraudulent Financial Reporting .54 The following are additional examples of responses to identified risks of material misstatements relating to fraudulent financial reporting: • Revenue recognition. Because revenue recognition is dependent on the particular facts and circumstances, as well as accounting principles 22 Section 329, Analytical Procedures, provides guidance on performing analytical procedures as substantive tests. [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.54 1738 The Standards of Field Work Examples of Responses to Identified Risks of Misstatements Arising From Misappropriations of Assets .55 The auditor may have identified a risk of material misstatement due to fraud relating to misappropriation of assets. For example, the auditor may conclude that the risk of asset misappropriation at a particular operating loca- tion is significant because a large amount of easily accessible cash is maintained at that location, or there are inventory items such as laptop computers at that location that can easily be moved and sold. .56 The auditor's response to a risk of material misstatement due to fraud relating to misappropriation of assets usually will be directed toward certain account balances. Although some of the audit responses noted in paragraphs .52 through .54 may apply in such circumstances, such as the procedures directed at inventory quantities, the scope of the work should be linked to the specific information about the misappropriation risk that has been identified. For ex- ample, if a particular asset is highly susceptible to misappropriation and a potential misstatement would be material to the financial statements, obtain- ing an understanding of the controls related to the prevention and detection of such misappropriation and testing the operating effectiveness of such controls may be warranted. In certain circumstances, physical inspection of such assets (for example, counting cash or securities) at or near the end of the reporting period may be appropriate. In addition, the use of substantive analytical pro- cedures, such as the development by the auditor of an expected dollar amount at a high level of precision, to be compared with a recorded amount, may be effective in certain circumstances. Responses to Further Address the Risk of Management Override of Controls .57 As noted in paragraph .08, management is in a unique position to per- petrate fraud because of its ability to directly or indirectly manipulate account- ing records and prepare fraudulent financial statements by overriding estab- lished controls that otherwise appear to be operating effectively. By its nature, management override of controls can occur in unpredictable ways. Accordingly, in addition to overall responses (paragraph .50) and responses that address specifically identified risks of material misstatement due to fraud (see para- graphs .51 through .56), the procedures described in paragraphs .58 through .67 should be performed to further address the risk of management override of controls. .58 Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Material misstatements of financial statements due to fraud often involve the manipulation of the finan- cial reporting process by (a) recording inappropriate or unauthorized journal entries throughout the year or at period end, or (b) making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as through consolidating adjustments, report combina- tions, and reclassifications. Accordingly, the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments (for example, entries posted directly to financial statement drafts) made in the preparation of the financial statements. More specifically, the auditor should: AU §316.55 Consideration of Fraud in a Financial Statement Audit 1739 a. Obtain an understanding of the entity's financial reporting process25 and the controls over journal entries and other adjustments. (See para- graphs .59 and .60.) b. Identify and select journal entries and other adjustments for testing. (See paragraph .61.) c. Determine the timing of the testing. (See paragraph .62.) d. Inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments. .59 The auditor's understanding of the entity's financial reporting process may help in identifying the type, number, and monetary value of journal en- tries and other adjustments that typically are made in preparing the financial statements. For example, the auditor's understanding may include the sources of significant debits and credits to an account, who can initiate entries to the general ledger or transaction processing systems, what approvals are required for such entries, and how journal entries are recorded (for example, entries may be initiated and recorded online with no physical evidence, or may be created in paper form and entered in batch mode). .60 An entity may have implemented specific controls over journal entries and other adjustments. For example, an entity may use journal entries that are preformatted with account numbers and specific user approval criteria, and may have automated controls to generate an exception report for any entries that were unsuccessfully proposed for recording or entries that were recorded and processed outside of established parameters. The auditor should obtain an understanding of the design of such controls over journal entries and other adjustments and determine whether they are suitably designed and have been placed in operation. .61 The auditor should use professional judgment in determining the na- ture, timing, and extent of the testing of journal entries and other adjustments. For purposes of identifying and selecting specific entries and other adjustments for testing, and determining the appropriate method of examining the under- lying support for the items selected, the auditor should consider: • The auditor's assessment of the risk of material misstatement due to fraud. The presence of fraud risk factors or other conditions may help the auditor to identify specific classes of journal entries for testing and indicate the extent of testing necessary. • The effectiveness of controls that have been implemented over journal entries and other adjustments. Effective controls over the preparation and posting of journal entries and adjustments may affect the extent of substantive testing necessary, provided that the auditor has tested the operating effectiveness of those controls. However, even though controls might be implemented and operating effectively, the auditor's 25 Section 314 requires the auditor to obtain an understanding of the automated and manual procedures an entity uses to prepare financial statements and related disclosures, and how misstate- ments may occur. This understanding includes (a) the procedures used to enter transaction totals into the general ledger; (b) the procedures used to initiate, record, and process journal entries in the general ledger; and (c) other procedures used to record recurring and nonrecurring adjustments to the financial statements. [Footnote revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 109. Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.61 1740 The Standards of Field Work procedures for testing journal entries and other adjustments should include the identification and testing of specific items. • The entity's financial reporting process and the nature of the evidence that can be examined. The auditor's procedures for testing journal en- tries and other adjustments will vary based on the nature of the finan- cial reporting process. For many entities, routine processing of trans- actions involves a combination of manual and automated steps and procedures. Similarly, the processing of journal entries and other ad- justments might involve both manual and automated procedures and controls. Regardless of the method, the auditor's procedures should in- clude selecting from the general ledger journal entries to be tested and examining support for those items. In addition, the auditor should be aware that journal entries and other adjustments might exist in either electronic or paper form. When information technology (IT) is used in the financial reporting process, journal entries and other adjustments might exist only in electronic form. Electronic evidence often requires extraction of the desired data by an auditor with IT knowledge and skills or the use of an IT specialist. In an IT environment, it may be necessary for the auditor to employ computer-assisted audit tech- niques (for example, report writers, software or data extraction tools, or other systems-based techniques) to identify the journal entries and other adjustments to be tested. • The characteristics of fraudulent entries or adjustments. Inappropri- ate journal entries and other adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual, or seldom-used accounts, (b) made by individuals who typically do not make journal entries, (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description, (d) made either before or during the prepa- ration of the financial statements that do not have account numbers, or (e) containing round numbers or a consistent ending number. • The nature and complexity of the accounts. Inappropriate journal en- tries or adjustments may be applied to accounts that (a) contain trans- actions that are complex or unusual in nature, (b) contain significant estimates and period-end adjustments, (c) have been prone to errors in the past, (d) have not been reconciled on a timely basis or contain un- reconciled differences, (e) contain intercompany transactions, or (f) are otherwise associated with an identified risk of material misstatement due to fraud. The auditor should recognize, however, that inappro- priate journal entries and adjustments also might be made to other accounts. In audits of entities that have several locations or compo- nents, the auditor should consider the need to select journal entries from locations based on the factors set forth in section 312.16. • Journal entries or other adjustments processed outside the normal course of business. Standard journal entries used on a recurring ba- sis to record transactions such as monthly sales, purchases, and cash disbursements, or to record recurring periodic accounting estimates generally are subject to the entity's internal controls. Nonstandard entries (for example, entries used to record nonrecurring transactions, such as a business combination, or entries used to record a nonrecur- ring estimate, such as an asset impairment) might not be subject to the same level of internal control. In addition, other adjustments such as consolidating adjustments, report combinations, and reclassifications generally are not reflected in formal journal entries and might not be AU §316.61 Consideration of Fraud in a Financial Statement Audit 1743 — Unavailability of other than photocopied or electronically trans- mitted documents when documents in original form are expected to exist — Significant unexplained items on reconciliations — Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures (See paragraph .72.) — Unusual discrepancies between the entity's records and confirma- tion replies — Missing inventory or physical assets of significant magnitude — Unavailable or missing electronic evidence, inconsistent with the entity's record retention practices or policies — Inability to produce evidence of key systems development and pro- gram change testing and implementation activities for current- year system changes and deployments • Problematic or unusual relationships between the auditor and man- agement, including: — Denial of access to records, facilities, certain employees, cus- tomers, vendors, or others from whom audit evidence might be sought29 — Undue time pressures imposed by management to resolve complex or contentious issues — Complaints by management about the conduct of the audit or man- agement intimidation of audit team members, particularly in con- nection with the auditor's critical assessment of audit evidence or in the resolution of potential disagreements with management — Unusual delays by the entity in providing requested information — Unwillingness to facilitate auditor access to key electronic files for testing through the use of computer-assisted audit techniques — Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel — An unwillingness to add or revise disclosures in the financial state- ments to make them more complete and transparent [Revised, March 2006, to reflect conforming changes necessary due to the is- suance of Statement on Auditing Standards No. 105.] .69 Evaluating whether analytical procedures performed as sub- stantive tests or in the overall review stage of the audit indicate a pre- viously unrecognized risk of material misstatement due to fraud. As discussed in paragraphs .28 through .30, the auditor should consider whether analytical procedures performed in planning the audit result in identifying any unusual or unexpected relationships that should be considered in assessing the risks of material misstatement due to fraud. The auditor also should evaluate whether analytical procedures that were performed as substantive tests or in the overall review stage of the audit (see section 329) indicate a previously unrecognized risk of material misstatement due to fraud. 29 Denial of access to information may constitute a limitation on the scope of the audit that may require the auditor to consider qualifying or disclaiming an opinion on the financial statements. (See section 508, Reports on Audited Financial Statements, paragraph .24.) [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.69 1744 The Standards of Field Work .70 If not already performed during the overall review stage of the au- dit, the auditor should perform analytical procedures relating to revenue, as discussed in paragraph .29, through the end of the reporting period. .71 Determining which particular trends and relationships may indicate a risk of material misstatement due to fraud requires professional judgment. Unusual relationships involving year-end revenue and income often are par- ticularly relevant. These might include, for example, (a) uncharacteristically large amounts of income being reported in the last week or two of the reporting period from unusual transactions, as well as (b) income that is inconsistent with trends in cash flow from operations. .72 Some unusual or unexpected analytical relationships may have been identified and may indicate a risk of material misstatement due to fraud be- cause management or employees generally are unable to manipulate certain information to create seemingly normal or expected relationships. Some exam- ples are as follows: • The relationship of net income to cash flows from operations may ap- pear unusual because management recorded fictitious revenues and receivables but was unable to manipulate cash. • Changes in inventory, accounts payable, sales, or cost of sales from the prior period to the current period may be inconsistent, indicating a possible employee theft of inventory, because the employee was unable to manipulate all of the related accounts. • A comparison of the entity's profitability to industry trends, which management cannot manipulate, may indicate trends or differences for further consideration when identifying risks of material misstatement due to fraud. • A comparison of bad debt write-offs to comparable industry data, which employees cannot manipulate, may provide unexplained relationships that could indicate a possible theft of cash receipts. • An unexpected or unexplained relationship between sales volume as determined from the accounting records and production statistics maintained by operations personnel—which may be more difficult for management to manipulate—may indicate a possible misstatement of sales. .73 The auditor also should consider whether responses to inquiries throughout the audit about analytical relationships have been vague or im- plausible, or have produced evidence that is inconsistent with other audit evi- dence accumulated during the audit. [Revised, March 2006, to reflect conform- ing changes necessary due to the issuance of Statement on Auditing Standards No. 105.] .74 Evaluating the risks of material misstatement due to fraud at or near the date of the auditor’s report. At or near the completion of field- work, the auditor should evaluate whether the accumulated results of auditing procedures and other observations (for example, conditions and analytical re- lationships noted in paragraphs .69 through .73) affect the assessment of the risks of material misstatement due to fraud made earlier in the audit. This evaluation primarily is a qualitative matter based on the auditor's judgment. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. As part of this evaluation, the auditor with final responsibility for the audit should ascertain that there has been appropriate AU §316.70 Consideration of Fraud in a Financial Statement Audit 1745 communication with the other audit team members throughout the audit re- garding information or conditions indicative of risks of material misstatement due to fraud.30 .75 Responding to misstatements that may be the result of fraud. When audit test results identify misstatements in the financial statements, the auditor should consider whether such misstatements may be indicative of fraud.31 That determination affects the auditor's evaluation of materiality and the related responses necessary as a result of that evaluation.32 .76 If the auditor believes that misstatements are or may be the result of fraud, but the effect of the misstatements is not material to the financial state- ments, the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the person(s) involved. For ex- ample, fraud involving misappropriations of cash from a small petty cash fund normally would be of little significance to the auditor in assessing the risk of material misstatement due to fraud because both the manner of operating the fund and its size would tend to establish a limit on the amount of potential loss, and the custodianship of such funds normally is entrusted to a nonmanagement employee.33 Conversely, if the matter involves higher-level management, even though the amount itself is not material to the financial statements, it may be indicative of a more pervasive problem, for example, implications about the integrity of management.34 In such circumstances, the auditor should reeval- uate the assessment of the risk of material misstatement due to fraud and its resulting impact on (a) the nature, timing, and extent of the tests of balances or transactions and (b) the assessment of the effectiveness of controls if control risk was assessed below the maximum. .77 If the auditor believes that the misstatement is or may be the result of fraud, and either has determined that the effect could be material to the finan- cial statements or has been unable to evaluate whether the effect is material, the auditor should: a. Attempt to obtain additional audit evidence to determine whether ma- terial fraud has occurred or is likely to have occurred, and, if so, its effect on the financial statements and the auditor's report thereon.35 30 To accomplish this communication, the auditor with final responsibility for the audit may want to arrange another discussion among audit team members about the risks of material misstatement due to fraud (see paragraphs .14 through .18). [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] 31 See footnote 4. [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] 32 Section 312.60 states in part, "Qualitative considerations also influence the auditor in reaching a conclusion as to whether misstatements are material." Section 312.59 states, "As a result of the interaction of quantitative and qualitative considerations in materiality judgments, misstatements of relatively small amounts that come to the auditor's attention could have a material effect on the financial statements." [Footnote revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 107. Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] 33 However, see paragraphs .79 through .82 of this section for a discussion of the auditor's commu- nication responsibilities. [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] 34 Section 312.10 states that there is a distinction between the auditor's response to detected misstatements due to error and those due to fraud. When fraud is detected, the auditor should consider the implications for the integrity of management or employees and the possible effect on other aspects of the audit. [Footnote revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 107. Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] 35 See section 508 for guidance on auditors' reports issued in connection with audits of financial statements. [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.77 1748 The Standards of Field Work d. To a funding agency or other specified agency in accordance with re- quirements for the audits of entities that receive governmental finan- cial assistance43 Because potential conflicts between the auditor's ethical and legal obligations for confidentiality of client matters may be complex, the auditor may wish to consult with legal counsel before discussing matters covered by paragraphs .79 through .81 with parties outside the client. [Revised, April 2007, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 114.] Documenting the Auditor’s Consideration of Fraud .83 The auditor should document the following: • The discussion among engagement personnel in planning the audit re- garding the susceptibility of the entity's financial statements to mate- rial misstatement due to fraud, including how and when the discussion occurred, the audit team members who participated, and the subject matter discussed (See paragraphs .14 through .17.) • The procedures performed to obtain information necessary to identify and assess the risks of material misstatement due to fraud (See para- graphs .19 through .34.) • Specific risks of material misstatement due to fraud that were identi- fied (see paragraphs .35 through .45), and a description of the auditor's response to those risks (See paragraphs .46 through .56.) • If the auditor has not identified in a particular circumstance, improper revenue recognition as a risk of material misstatement due to fraud, the reasons supporting the auditor's conclusion (See paragraph .41.) • The results of the procedures performed to further address the risk of management override of controls (See paragraphs .58 through .67.) • Other conditions and analytical relationships that caused the auditor to believe that additional auditing procedures or other responses were required and any further responses the auditor concluded were appro- priate, to address such risks or other conditions (See paragraphs .68 through .73.) • The nature of the communications about fraud made to manage- ment, those charged with governance, and others (See paragraphs .79 through .82.) [Revised, April 2007, to reflect conforming changes necessary due to the is- suance of Statement on Auditing Standards No. 114.] Effective Date .84 This section is effective for audits of financial statements for periods beginning on or after December 15, 2002. Early application of the provisions of this section is permissible. 43 For example, Government Auditing Standards (the Yellow Book) require auditors to report fraud or illegal acts directly to parties outside the audited entity in certain circumstances. [Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November 2006.] AU §316.83 Consideration of Fraud in a Financial Statement Audit 1749 .85 Appendix Examples of Fraud Risk Factors A.1 This appendix contains examples of risk factors discussed in para- graphs .31 through .33 of the section. Separately presented are examples re- lating to the two types of fraud relevant to the auditor's consideration—that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only exam- ples and, accordingly, the auditor may wish to consider additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence. Risk Factors Relating to Misstatements Arising From Fraudulent Financial Reporting A.2 The following are examples of risk factors relating to misstatements arising from fraudulent financial reporting. Incentives/Pressures a. Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by): — High degree of competition or market saturation, accompanied by declining margins — High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates — Significant declines in customer demand and increasing business failures in either the industry or overall economy — Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent — Recurring negative cash flows from operations and an inability to generate cash flows from operations while reporting earnings and earnings growth — Rapid growth or unusual profitability, especially compared to that of other companies in the same industry — New accounting, statutory, or regulatory requirements b. Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following: — Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external par- ties (particularly expectations that are unduly aggressive or unre- alistic), including expectations created by management in, for ex- ample, overly optimistic press releases or annual report messages AU §316.85 1750 The Standards of Field Work — Need to obtain additional debt or equity financing to stay competitive—including financing of major research and develop- ment or capital expenditures — Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements — Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combina- tions or contract awards c. Information available indicates that management's or those charged with governance's personal financial situation is threatened by the entity's financial performance arising from the following: — Significant financial interests in the entity — Significant portions of their compensation (for example, bonuses, stock options, and earn-out arrangements) being contingent upon achieving aggressive targets for stock price, operating results, fi- nancial position, or cash flow1 — Personal guarantees of debts of the entity d. There is excessive pressure on management or operating personnel to meet financial targets set up by those charged with governance or management, including sales or profitability incentive goals. Opportunities a. The nature of the industry or the entity's operations provides opportu- nities to engage in fraudulent financial reporting that can arise from the following: — Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm — A strong financial presence or ability to dominate a certain indus- try sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non- arm's-length transactions — Assets, liabilities, revenues, or expenses based on significant esti- mates that involve subjective judgments or uncertainties that are difficult to corroborate — Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult "substance over form" questions — Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist — Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear busi- ness justification 1 Management incentive plans may be contingent upon achieving targets relating only to certain accounts or selected activities of the entity, even though the related accounts or activities may not be material to the entity as a whole. AU §316.85 Consideration of Fraud in a Financial Statement Audit 1753 — Easily convertible assets, such as bearer bonds, diamonds, or com- puter chips — Fixed assets that are small in size, marketable, or lacking observ- able identification of ownership b. Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following: — Inadequate segregation of duties or independent checks — Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of re- mote locations — Inadequate job applicant screening of employees with access to assets — Inadequate recordkeeping with respect to assets — Inadequate system of authorization and approval of transactions (for example, in purchasing) — Inadequate physical safeguards over cash, investments, inventory, or fixed assets — Lack of complete and timely reconciliations of assets — Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns — Lack of mandatory vacations for employees performing key control functions — Inadequate management understanding of information technol- ogy, which enables information technology employees to perpe- trate a misappropriation — Inadequate access controls over automated records, including con- trols over and review of computer systems event logs. Attitudes/Rationalizations Risk factors reflective of employee attitudes/rationalizations that allow them to justify misappropriations of assets, are generally not susceptible to observation by the auditor. Nevertheless, the auditor who becomes aware of the existence of such information should consider it in identifying the risks of material mis- statement arising from misappropriation of assets. For example, auditors may become aware of the following attitudes or behavior of employees who have access to assets susceptible to misappropriation: • Disregard for the need for monitoring or reducing risks related to mis- appropriations of assets • Disregard for internal control over misappropriation of assets by over- riding existing controls or by failing to correct known internal control deficiencies • Behavior indicating displeasure or dissatisfaction with the company or its treatment of the employee • Changes in behavior or lifestyle that may indicate assets have been misappropriated [Revised, May 2006, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 112. Revised, April 2007, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 114.] AU §316.85 1754 The Standards of Field Work .86 Exhibit Management Antifraud Programs and Controls Guidance to Help Prevent, Deter, and Detect Fraud (This exhibit is reprinted for the reader's convenience but is not an integral part of the section.) This document is being issued jointly by the following organizations: American Institute of Certified Public Accountants Association of Certified Fraud Examiners Financial Executives International Information Systems Audit and Control Association The Institute of Internal Auditors Institute of Management Accountants Society for Human Resource Management In addition, we would also like to acknowledge the American Accounting Asso- ciation, the Defense Industry Initiative, and the National Association of Cor- porate Directors for their review of the document and helpful comments and materials. We gratefully acknowledge the valuable contribution provided by the Anti- Fraud Detection Subgroup: Daniel D. Montgomery, Chair David L. Landsittel Toby J.F. Bishop Carol A. Langelier Dennis H. Chookaszian Joseph T. Wells Susan A. Finn Janice Wilkins Dana Hermanson Finally, we thank the staff of the American Institute of Certified Public Accoun- tants for their support on this project: Charles E. Landes Kim M. Gibson Director Senior Technical Manager Audit and Attest Standards Audit and Attest Standards Richard Lanza Hugh Kelsey Senior Program Manager Program Manager Chief Operating Office Knowledge Management This document was commissioned by the Fraud Task Force of the AICPA's Au- diting Standards Board. This document has not been adopted, approved, dis- approved, or otherwise acted upon by a board, committee, governing body, or membership of the above issuing organizations. AU §316.86 Consideration of Fraud in a Financial Statement Audit 1755 Preface Some organizations have significantly lower levels of misappropriation of assets and are less susceptible to fraudulent financial reporting than other organiza- tions because these organizations take proactive steps to prevent or deter fraud. It is only those organizations that seriously consider fraud risks and take proac- tive steps to create the right kind of climate to reduce its occurrence that have success in preventing fraud. This document identifies the key participants in this antifraud effort, including the board of directors, management, internal and independent auditors, and certified fraud examiners. Management may develop and implement some of these programs and controls in response to specific identified risks of material misstatement of financial statements due to fraud. In other cases, these programs and controls may be a part of the entity's enterprise-wide risk management activities. Management is responsible for designing and implementing systems and pro- cedures for the prevention and detection of fraud and, along with the board of directors, for ensuring a culture and environment that promotes honesty and ethical behavior. However, because of the characteristics of fraud, a material misstatement of financial statements due to fraud may occur notwithstanding the presence of programs and controls such as those described in this document. AU §316.86 1758 The Standards of Field Work conduct to be effective, it should be communicated to all personnel in an under- standable fashion. It also should be developed in a participatory and positive manner that will result in both management and employees taking ownership of its content. Finally, the code of conduct should be included in an employee handbook or policy manual, or in some other formal document or location (for example, the entity's intranet) so it can be referred to when needed. Senior financial officers hold an important and elevated role in corporate gov- ernance. While members of the management team, they are uniquely capable and empowered to ensure that all stakeholders' interests are appropriately bal- anced, protected, and preserved. For examples of codes of conduct, see Attach- ment 1, "AICPA 'CPA's Handbook of Fraud and Commercial Crime Prevention,' An Organizational Code of Conduct," and Attachment 2, "Financial Executives International Code of Ethics Statement" provided by Financial Executives In- ternational. In addition, visit the Institute of Management Accountant's Ethics Center at www.imanet.org for their members' standards of ethical conduct. Creating a Positive Workplace Environment Research results indicate that wrongdoing occurs less frequently when em- ployees have positive feelings about an entity than when they feel abused, threatened, or ignored. Without a positive workplace environment, there are more opportunities for poor employee morale, which can affect an employee's attitude about committing fraud against an entity. Factors that detract from a positive work environment and may increase the risk of fraud include: • Top management that does not seem to care about or reward appro- priate behavior • Negative feedback and lack of recognition for job performance • Perceived inequities in the organization • Autocratic rather than participative management • Low organizational loyalty or feelings of ownership • Unreasonable budget expectations or other financial targets • Fear of delivering "bad news" to supervisors and/or management • Less-than-competitive compensation • Poor training and promotion opportunities • Lack of clear organizational responsibilities • Poor communication practices or methods within the organization The entity's human resources department often is instrumental in helping to build a corporate culture and a positive work environment. Human resource professionals are responsible for implementing specific programs and initia- tives, consistent with management's strategies, that can help to mitigate many of the detractors mentioned above. Mitigating factors that help create a positive work environment and reduce the risk of fraud may include: • Recognition and reward systems that are in tandem with goals and results • Equal employment opportunities • Team-oriented, collaborative decision-making policies • Professionally administered compensation programs • Professionally administered training programs and an organizational priority of career development AU §316.86 Consideration of Fraud in a Financial Statement Audit 1759 Employees should be empowered to help create a positive workplace environ- ment and support the entity's values and code of conduct. They should be given the opportunity to provide input to the development and updating of the en- tity's code of conduct, to ensure that it is relevant, clear, and fair. Involving employees in this fashion also may effectively contribute to the oversight of the entity's code of conduct and an environment of ethical behavior (see the section titled "Developing an Appropriate Oversight Process"). Employees should be given the means to obtain advice internally before mak- ing decisions that appear to have significant legal or ethical implications. They should also be encouraged and given the means to communicate concerns, anonymously if preferred, about potential violations of the entity's code of con- duct, without fear of retribution. Many organizations have implemented a pro- cess for employees to report on a confidential basis any actual or suspected wrongdoing, or potential violations of the code of conduct or ethics policy. For example, some organizations use a telephone "hotline" that is directed to or monitored by an ethics officer, fraud officer, general counsel, internal audit di- rector, or another trusted individual responsible for investigating and reporting incidents of fraud or illegal acts. Hiring and Promoting Appropriate Employees Each employee has a unique set of values and personal code of ethics. When faced with sufficient pressure and a perceived opportunity, some employees will behave dishonestly rather than face the negative consequences of honest behav- ior. The threshold at which dishonest behavior starts, however, will vary among individuals. If an entity is to be successful in preventing fraud, it must have effective policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust. Proactive hiring and promotion procedures may include: • Conducting background investigations on individuals being considered for employment or for promotion to a position of trust4 • Thoroughly checking a candidate's education, employment history, and personal references • Periodic training of all employees about the entity's values and code of conduct, (training is addressed in the following section) • Incorporating into regular performance reviews an evaluation of how each individual has contributed to creating an appropriate workplace environment in line with the entity's values and code of conduct • Continuous objective evaluation of compliance with the entity's values and code of conduct, with violations being addressed immediately Training New employees should be trained at the time of hiring about the entity's values and its code of conduct. This training should explicitly cover expectations of all employees regarding (1) their duty to communicate certain matters; (2) a list of the types of matters, including actual or suspected fraud, to be communicated along with specific examples; and (3) information on how to communicate those matters. There also should be an affirmation from senior management regard- ing employee expectations and communication responsibilities. Such training should include an element of "fraud awareness," the tone of which should be 4 Some organizations also have considered follow-up investigations, particularly for employees in positions of trust, on a periodic basis (for example, every five years) or as circumstances dictate. AU §316.86 1760 The Standards of Field Work positive but nonetheless stress that fraud can be costly (and detrimental in other ways) to the entity and its employees. In addition to training at the time of hiring, employees should receive re- fresher training periodically thereafter. Some organizations may consider ongo- ing training for certain positions, such as purchasing agents or employees with financial reporting responsibilities. Training should be specific to an employee's level within the organization, geographic location, and assigned responsibili- ties. For example, training for senior manager level personnel would normally be different from that of nonsupervisory employees, and training for purchasing agents would be different from that of sales representatives. Confirmation Management needs to clearly articulate that all employees will be held ac- countable to act within the entity's code of conduct. All employees within senior management and the finance function, as well as other employees in areas that might be exposed to unethical behavior (for example, procurement, sales and marketing) should be required to sign a code of conduct statement annually, at a minimum. Requiring periodic confirmation by employees of their responsibilities will not only reinforce the policy but may also deter individuals from committing fraud and other violations and might identify problems before they become signif- icant. Such confirmation may include statements that the individual under- stands the entity's expectations, has complied with the code of conduct, and is not aware of any violations of the code of conduct other than those the in- dividual lists in his or her response. Although people with low integrity may not hesitate to sign a false confirmation, most people will want to avoid mak- ing a false statement in writing. Honest individuals are more likely to return their confirmations and to disclose what they know (including any conflicts of interest or other personal exceptions to the code of conduct). Thorough follow- up by internal auditors or others regarding nonreplies may uncover significant issues. Discipline The way an entity reacts to incidents of alleged or suspected fraud will send a strong deterrent message throughout the entity, helping to reduce the number of future occurrences. The following actions should be taken in response to an alleged incident of fraud: • A thorough investigation of the incident should be conducted.5 • Appropriate and consistent actions should be taken against violators. • Relevant controls should be assessed and improved. • Communication and training should occur to reinforce the entity's val- ues, code of conduct, and expectations. Expectations about the consequences of committing fraud must be clearly com- municated throughout the entity. For example, a strong statement from man- agement that dishonest actions will not be tolerated, and that violators may be terminated and referred to the appropriate authorities, clearly establishes con- sequences and can be a valuable deterrent to wrongdoing. If wrongdoing occurs 5 Many entities of sufficient size are employing antifraud professionals, such as certified fraud examiners, who are responsible for resolving allegations of fraud within the organization and who also assist in the detection and deterrence of fraud. These individuals typically report their findings internally to the corporate security, legal, or internal audit departments. In other instances, such individuals may be empowered directly by the board of directors or its audit committee. AU §316.86 Consideration of Fraud in a Financial Statement Audit 1763 Audit Committee or Those Charged With Governance The audit committee (or those charged with governance where no audit com- mittee exists) should evaluate management's identification of fraud risks, im- plementation of antifraud measures, and creation of the appropriate "tone at the top." Active oversight by the audit committee can help to reinforce man- agement's commitment to creating a culture with "zero tolerance" for fraud. An entity's audit committee also should ensure that senior management (in particular, the CEO) implements appropriate fraud deterrence and preven- tion measures to better protect investors, employees, and other stakeholders. The audit committee's evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deter- rent to senior management engaging in fraudulent activity (that is, by ensur- ing an environment is created whereby any attempt by senior management to involve employees in committing or concealing fraud would lead promptly to reports from such employees to appropriate persons, including the audit committee). The audit committee also plays an important role in helping those charged with governance fulfill their oversight responsibilities with respect to the entity's fi- nancial reporting process and the system of internal control.9 In exercising this oversight responsibility, the audit committee should consider the potential for management override of controls or other inappropriate influence over the fi- nancial reporting process. For example, the audit committee may obtain from the internal auditors and independent auditors their views on management's involvement in the financial reporting process and, in particular, the ability of management to override information processed by the entity's financial re- porting system (for example, the ability for management or others to initiate or record nonstandard journal entries). The audit committee also may consider reviewing the entity's reported information for reasonableness compared with prior or forecasted results, as well as with peers or industry averages. In addi- tion, information received in communications from the independent auditors10 can assist the audit committee in assessing the strength of the entity's internal control and the potential for fraudulent financial reporting. As part of its oversight responsibilities, the audit committee should encourage management to provide a mechanism for employees to report concerns about unethical behavior, actual or suspected fraud, or violations of the entity's code of conduct or ethics policy. The committee should then receive periodic reports describing the nature, status, and eventual disposition of any fraud or unethical conduct. A summary of the activity, follow-up and disposition also should be provided to all of those charged with governance. If senior management is involved in fraud, the next layer of management may be the most likely to be aware of it. As a result, the audit committee (and oth- ers of those charged with governance) should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels of the 9 See the Report of the NACD Blue Ribbon Commission on the Audit Committee, (Washington, D.C.: National Association of Corporate Directors, 2000). For the board's role in the oversight of risk management, see Report of the NACD Blue Ribbon Commission on Risk Oversight, (Washington, D.C.: National Association of Corporate Directors, 2002). 10 See section 325, Communicating Internal Control Related Matters Identified in an Audit, and section 380, The Auditor's Communication With Those Charged With Governance. [Footnote revised, May 2006, due to conforming changes necessary due to the issuance of Statement on Standards No. 112. Footnote revised, April 2007, due to conforming changes necessary due to the issuance of Statement on Standards No. 114.] AU §316.86 1764 The Standards of Field Work organization or investigating any fraudulent activity that might occur.11 The audit committee typically has the ability and authority to investigate any al- leged or suspected wrongdoing brought to its attention. Most audit committee charters empower the committee to investigate any matters within the scope of its responsibilities, and to retain legal, accounting, and other professional advisers as needed to advise the committee and assist in its investigation. All audit committee members should be financially literate, and each com- mittee should have at least one financial expert. The financial expert should possess: • An understanding of generally accepted accounting principles and au- dits of financial statements prepared under those principles. Such un- derstanding may have been obtained either through education or ex- perience. It is important for someone on the audit committee to have a working knowledge of those principles and standards. • Experience in the preparation and/or the auditing of financial state- ments of an entity of similar size, scope and complexity as the entity on whose board the committee member serves. The experience would generally be as a chief financial officer, chief accounting officer, con- troller, or auditor of a similar entity. This background will provide a necessary understanding of the transactional and operational envi- ronment that produces the issuer's financial statements. It will also bring an understanding of what is involved in, for example, appro- priate accounting estimates, accruals, and reserve provisions, and an appreciation of what is necessary to maintain a good internal control environment. • Experience in internal governance and procedures of audit commit- tees, obtained either as an audit committee member, a senior corpo- rate manager responsible for answering to the audit committee, or an external auditor responsible for reporting on the execution and results of annual audits. Management Management is responsible for overseeing the activities carried out by em- ployees, and typically does so by implementing and monitoring processes and controls such as those discussed previously. However, management also may initiate, participate in, or direct the commission and concealment of a fraudu- lent act. Accordingly, the audit committee (or those charged with governance where no audit committee exists) has the responsibility to oversee the activities of senior management and to consider the risk of fraudulent financial report- ing involving the override of internal controls or collusion (see discussion on the audit committee and board of directors above). Public companies should include a statement in the annual report acknowledg- ing management's responsibility for the preparation of the financial statements and for establishing and maintaining an effective system of internal control. This will help improve the public's understanding of the respective roles of management and the auditor. This statement has also been generally referred to as a "Management Report" or "Management Certificate." Such a statement can provide a convenient vehicle for management to describe the nature and manner of preparation of the financial information and the adequacy of the 11 Report of the NACD Best Practices Council: Coping with Fraud and Other Illegal Activity, A Guide for Directors, CEOs, and Senior Managers (1998) sets forth "basic principles" and "implemen- tation approaches" for dealing with fraud and other illegal activity. AU §316.86 Consideration of Fraud in a Financial Statement Audit 1765 internal accounting controls. Logically, the statement should be presented in close proximity to the formal financial statements. For example, it could appear near the independent auditor's report, or in the financial review or management analysis section. Internal Auditors An effective internal audit team can be extremely helpful in performing aspects of the oversight function. Their knowledge about the entity may enable them to identify indicators that suggest fraud has been committed. The Standards for the Professional Practice of Internal Auditing (IIA Standards), issued by the Institute of Internal Auditors, state, "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Internal auditors also have the opportunity to evaluate fraud risks and controls and to recommend action to mitigate risks and improve controls. Specifically, the IIA Standards require internal auditors to assess risks facing their organizations. This risk assessment is to serve as the basis from which audit plans are devised and against which internal controls are tested. The IIA Standards require the audit plan to be presented to and approved by the audit committee (or board of directors where no audit committee exists). The work completed as a result of the audit plan provides assurance on which management's assertion about controls can be made. Internal audits can be both a detection and a deterrence measure. Internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the system of internal control, commensurate with the extent of the potential exposure or risk in the various segments of the organization's operations. In carrying out this responsibility, internal auditors should, for example, determine whether: • The organizational environment fosters control consciousness. • Realistic organizational goals and objectives are set. • Written policies (for example, a code of conduct) exist that describe prohibited activities and the action required whenever violations are discovered. • Appropriate authorization policies for transactions are established and maintained. • Policies, practices, procedures, reports, and other mechanisms are de- veloped to monitor activities and safeguard assets, particularly in high- risk areas. • Communication channels provide management with adequate and re- liable information. • Recommendations need to be made for the establishment or enhance- ment of cost-effective controls to help deter fraud. Internal auditors may conduct proactive auditing to search for corruption, mis- appropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect particular types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, to enable them to express any concerns about management's commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management. AU §316.86 1768 The Standards of Field Work Relationships With Clients and Suppliers Employees should avoid investing in or acquiring a financial interest for their own accounts in any business organization that has a contractual relationship with the Organization, or that provides goods or services, or both to the Organization, if such investment or interest could influence or create the impression of influencing their decisions in the performance of their duties on behalf of the Organization. Gifts, Entertainment, and Favors Employees must not accept entertainment, gifts, or personal favors that could, in any way, influence, or appear to influence, business decisions in favor of any person or organization with whom or with which the Organiza- tion has, or is likely to have, business dealings. Similarly, employees must not accept any other preferential treatment under these circumstances because their position with the Organization might be inclined to, or be perceived to, place them under obligation. Kickbacks and Secret Commissions Regarding the Organization's business activities, employees may not re- ceive payment or compensation of any kind, except as authorized under the Organization's remuneration policies. In particular, the Organization strictly prohibits the acceptance of kickbacks and secret commissions from suppliers or others. Any breach of this rule will result in immediate termi- nation and prosecution to the fullest extent of the law. Organization Funds and Other Assets Employees who have access to Organization funds in any form must follow the prescribed procedures for recording, handling, and protecting money as detailed in the Organization's instructional manuals or other explanatory materials, or both. The Organization imposes strict standards to prevent fraud and dishonesty. If employees become aware of any evidence of fraud and dishonesty, they should immediately advise their superior or the Law Department so that the Organization can promptly investigate further. When an employee's position requires spending Organization funds or in- curring any reimbursable personal expenses, that individual must use good judgment on the Organization's behalf to ensure that good value is received for every expenditure. Organization funds and all other assets of the Organization are for Or- ganization purposes only and not for personal benefit. This includes the personal use of organizational assets, such as computers. Organization Records and Communications Accurate and reliable records of many kinds are necessary to meet the Organization's legal and financial obligations and to manage the affairs of the Organization. The Organization's books and records must reflect in an accurate and timely manner all business transactions. The employees responsible for accounting and recordkeeping must fully disclose and record all assets, liabilities, or both, and must exercise diligence in enforcing these requirements. Employees must not make or engage in any false record or communication of any kind, whether internal or external, including but not limited to: • False expense, attendance, production, financial, or similar reports and statements • False advertising, deceptive marketing practices, or other misleading representations AU §316.86 Consideration of Fraud in a Financial Statement Audit 1769 Dealing With Outside People and Organizations Employees must take care to separate their personal roles from their Or- ganization positions when communicating on matters not involving Or- ganization business. Employees must not use organization identification, stationery, supplies, and equipment for personal or political matters. When communicating publicly on matters that involve Organization busi- ness, employees must not presume to speak for the Organization on any topic, unless they are certain that the views they express are those of the Organization, and it is the Organization's desire that such views be publicly disseminated. When dealing with anyone outside the Organization, including public offi- cials, employees must take care not to compromise the integrity or damage the reputation of either the Organization, or any outside individual, busi- ness, or government body. Prompt Communications In all matters relevant to customers, suppliers, government authorities, the public and others in the Organization, all employees must make every effort to achieve complete, accurate, and timely communications—responding promptly and courteously to all proper requests for information and to all complaints. Privacy and Confidentiality When handling financial and personal information about customers or oth- ers with whom the Organization has dealings, observe the following prin- ciples: 1. Collect, use, and retain only the personal information necessary for the Organization's business. Whenever possible, obtain any relevant information directly from the person concerned. Use only reputable and reliable sources to supplement this information. 2. Retain information only for as long as necessary or as required by law. Protect the physical security of this information. 3. Limit internal access to personal information to those with a legiti- mate business reason for seeking that information. Use only personal information for the purposes for which it was originally obtained. Ob- tain the consent of the person concerned before externally disclosing any personal information, unless legal process or contractual obliga- tion provides otherwise. AU §316.86 1770 The Standards of Field Work Attachment 2: Financial Executives International Code of Ethics Statement The mission of Financial Executives International (FEI) includes significant efforts to promote ethical conduct in the practice of financial management throughout the world. Senior financial officers hold an important and elevated role in corporate governance. While members of the management team, they are uniquely capable and empowered to ensure that all stakeholders' inter- ests are appropriately balanced, protected, and preserved. This code provides principles that members are expected to adhere to and advocate. They embody rules regarding individual and peer responsibilities, as well as responsibilities to employers, the public, and other stakeholders. All members of FEI will: 1. Act with honesty and integrity, avoiding actual or apparent conflicts of interest in personal and professional relationships. 2. Provide constituents with information that is accurate, complete, ob- jective, relevant, timely, and understandable. 3. Comply with rules and regulations of federal, state, provincial, and lo- cal governments, and other appropriate private and public regulatory agencies. 4. Act in good faith; responsibly; and with due care, competence, and diligence, without misrepresenting material facts or allowing one's in- dependent judgment to be subordinated. 5. Respect the confidentiality of information acquired in the course of one's work except when authorized or otherwise legally obligated to disclose. Confidential information acquired in the course of one's work will not be used for personal advantage. 6. Share knowledge and maintain skills important and relevant to con- stituents' needs. 7. Proactively promote ethical behavior as a responsible partner among peers, in the work environment, and in the community. 8. Achieve responsible use of and control over all assets and resources employed or entrusted. [Revised, April 2007, to reflect conforming changes necessary due to the is- suance of Statement on Auditing Standards No. 114.] AU §316.86