The Financial Reporting Council (FRC)’s UK Auditing Standard on Fraud (ISA (UK) 240) has been significantly updated for the first time in 16 years. The changes are a response to recent public discussions on the role of audit in identifying fraud, including high profile cases in which auditors were found to fall short of their responsibilities when it comes to fraud. This was also reflected in the findings of the Brydon review.
The changes to the standard do not alter the scope of audit when it comes to fraud. Rather, it seeks to clarify the auditor’s role and objectives in identifying fraud. Nor does it change the emphasis on directors’ responsibilities in tackling fraud; the audit standard change is designed to coincide with the government’s proposed changes to directors’ reporting around fraud.
The new fraud audit standard clarifies the auditor’s objective to “obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement due to fraud, including identifying and assessing risks of material misstatement, and obtaining sufficient appropriate audit evidence.”
The standard also addresses the inherent limitations and challenges of an audit in relation to fraud, particularly where management are colluding in fraud. Despite those challenges, it is still the auditor’s responsibility to obtain sufficient, appropriate audit evidence.
“It's really important that the particular challenges in the audit of fraud aren’t used as a reason not to properly plan an audit to deal with the risk of material misstatement due to fraud,” says James Ferris, the FRC’s Director of UK Auditing and Assurance Standards. “It is difficult, but it's still your responsibility.”
The focus of the changes to the standard is the mindset of auditors regarding scepticism and judgement, Ferris explains. These are critical components of any quality audit. “We're really trying to codify: if you're doing a good audit around fraud, this is what it would look like.”
The FRC has introduced new requirements for auditors to consider what specialist knowledge and expertise they need to carry out an effective risk assessment for an audit that may have indicators of fraud. “Not every single audit, for example, has to have a forensic accountant, but I think it's part of your risk assessment to determine if you need to have that specialism in the team,” says Ferris. “You must consider the need for these skills at both the risk assessment and the investigation phase so that you can come up with the appropriate response in the circumstances of each specific audit. What are the material risks of misstatement, and how are we going to deal with it?”
Several FRC standards include a ‘stand back provision’ which requires auditors to consider all of the work done during that audit and consider all evidence in the round. Auditors should assess whether they have sufficient appropriate audit evidence and consider whether they’ve done enough to seek out contradictory as well as corroborative evidence, says Ferris.
“You're not just accepting what management tells you at face value or testing what management's assertions are. You look at the other things you have done to challenge that viewpoint. It's really about thinking about the plausibility of what you've been told in the context of the knowledge and understanding you have acquired in the course of the audit.”
If more time had been taken in some recent high-profile cases to assess the plausibility of explanations and contradictory evidence, the outcome may have been different, Ferris says.
Ferris will be discussing the new UK Auditing Standard on Fraud at ICAEW’s Financial Reporting and Audit conference. He is also urging firms to consider how they will approach audits next year, keeping the concept of enhanced professional scepticism at the front of their minds.
The pandemic has created several new challenges for auditors including obtaining the same quality of evidence that they would on site. The business support schemes in place during the lockdowns are potential triggers for heightened risk of fraud. Internal controls in organisations are also more likely to be challenged as more people work remotely.
“Understanding the nature of each scheme is going to be quite an important aspect of this, so consider the criteria and legal requirements very closely when you do your risk assessment.
Ultimately, the new standard is about putting extra emphasis on professional scepticism. “This is about mindset, not scope.”
To hear more about the changes to auditing fraud, James will be presenting a breakout session at the Financial Reporting and Audit Conference next Monday, 11 October 2021. Tickets can be booked here.