The revisions to ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements apply soon. What changes should I prepare for?
The revised UK fraud ISA was issued by the Financial Reporting Council (FRC) in May 2021 and is effective for audits of periods beginning on or after 15 December 2021. In most cases, this means that the changes will apply to December 2022 year ends, but do not forget about short accounting periods.
There are a number of detailed revisions in ISA (UK) 240, but in my view the most noteworthy ones are:
- a greater focus on the audit team discussion being ‘an exchange of ideas’ and the requirement to consider the need to have additional discussions during the audit (which sounds like a good idea to me);
- requirements to consider using forensic expertise;
- requirements relating to whistle-blowers; and (importantly)
- requirements that further encourage professional scepticism in audit teams.
However, above and beyond this, the implementation of ISA (UK) 240 (revised) is a good opportunity to remind audit teams about the difficult issues surrounding auditing and fraud. This is especially true of professional scepticism, which is both vitally important in detecting fraud and is often hard to properly encourage in audit teams.
Not for the first time, I recommend firms use the ICAEW films False Assurance and Without Question as training tools. There are also other ICAEW resources that firms may find useful, such as the faculty’s new publication Sharpening the Focus on Corporate Fraud – An Audit Firm Perspective and its earlier publication Fraudulent financial reporting: fresh thinking, which share information on ways in which auditors use their skills and insights to maximise the likelihood of identifying fraudulent financial reporting.
Why is there such a focus on auditing for fraud? I have read that the auditor is not responsible for detecting fraud.
This is a common misconception and it is a dangerous one! Hunting for fraud is not the auditor’s primary role when auditing historical financial statements. Auditors should, however, plan to detect all material misstatements, including those arising from fraud.
When considering fraud, those who are relatively new to the profession often think only about the misappropriation of assets, by which I mean theft. This is also, usually, what the general public immediately think of as fraud. However, in my experience, the most common fraud that auditors are exposed to is the fraudulent misstatement of the financial statements, with the intention of misleading the users of the financial statements.
Sometimes, of course, fraud of both natures occurs simultaneously where assets are misappropriated and then the financial statements are misstated to conceal the theft.
So, to the extent explained above, it is the duty of the auditor to detect fraud and the reason that there is a particular focus on fraud in the ISAs is because doing this can be very challenging for auditors. Frauds are unlike other misstatements. Errors in the financial statements are relatively easy to detect because nobody is trying to conceal them.
Detecting fraud requires more focus from auditors and a significant degree of professional scepticism, above and beyond that needed to detect errors. This is why fraud is given special treatment in the ISAs.
Because of the nature of fraud, is it not inevitable that auditors will often fail to detect it? How can auditors be expected to detect falsified documentation if it comes from a credible source, such as management?
This is a huge problem for auditors. One thing that I need to challenge in your question, however, is your description of management as a credible source of information, which is not always the case. History tells us that when there is a fraud, management are often the perpetrators.
It is for a very good reason that both ISA (UK) 240 (Revised) and the international version of the standard include the following requirement related to the audit team discussion: “The discussion shall occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity.” ISA 240 para 15.
I have heard auditors paraphrase this as: “Have the discussion assuming that management are crooks.” This sentiment goes too far, but not by that much!
However, your central question is a valid one. How can auditors detect a falsified document? With modern IT, anyone with a cheap PC and a £29 printer can be a forger. But modern IT also provides tools to address such challenges. There are many software-based products available to assist with (and automate) digital and document forgery detection.
Deciding whether and how to deploy such tools is a decision based on the auditor’s risk assessment, which is just one of the reasons why auditors need to be constantly vigilant and sceptical. Auditors need to remain alert for the tiniest detail that does not stack up and if they see it, they need to pursue the matter in a challenging way.
The revised ISA (UK) 240 includes a new requirement that the auditor shall be vigilant for conditions that indicate that a record or document may not be authentic and contains a useful list of indicators for auditors to look out for:
- unexplained alterations to documents received from external sources;
- serial numbers used out of sequence or duplicated;
- addresses and company emblems not as expected;
- document style different to others of the same type from the same source (for example, changes in fonts and formatting);
- an absence of information that would be expected;
- invoice references that differ from others;
- unusual terms of trade, such as unusual prices, interest rates, guarantees and repayment terms (for example, purchase costs that appear unreasonable for the goods or services being charged for);
- information that appears implausible or inconsistent with the auditor’s understanding and knowledge;
- a change from the authorised signatory;
- ‘copy’ documents presented rather than originals; and
- electronic documents with a ‘last edited’ date that is after the date they were represented as finalised.
Reading a revised auditing standard is always good practice and ISA (UK) 240 is no exception. It can be found on the FRC website along with all of the other current and past UK standards and guidance for audit and ethics.
If you want to get a taste first-hand of what the FRC is aiming for and expecting from auditors as they adopt the revised UK fraud standard, you may want to watch (or even rewatch) an FRC session from the faculty’s 2021 annual event. In his presentation on ‘Audit and fraud: preparing for change’, James Ferris, Head of UK Auditing Standards at the FRC, gives an overview of key changes and other enhancements in the revised ISA (UK) 240 and what they aim to achieve.
The recording of a March 2022 faculty webinar will also offer some valuable tips and insights. ‘Fraud risk factors in a financial statement audit’ reminds auditors of key elements of the revised standard, looks at potential indicators of fraud and provides practical hints and tips for small and medium firms when assessing and responding to the risk of fraud.
I keep reading about revisions to the UK version of the international auditing standard on fraud, but what is happening to the vanilla version? Has the IAASB also revised the ISA?
That is a good question. In many cases, revisions to the UK versions of International Standards on Auditing (ISAs) follow or coincide with revisions to ISAs by the International Auditing and Assurance Standards Board (IAASB) on which they are based. Occasionally, the FRC moves in advance of international standards to revise a UK version of a standard – as with the May 2021 revisions to ISA (UK) 240.
When the FRC issued its revised ISA (UK) 240, it explained that it was doing so “to address urgent stakeholder concerns in the public interest” because of misunderstandings around the auditor’s responsibilities in respect of fraud. The revised UK standard aims to make auditors’ obligations clearer, enhance the risk assessment they carry out and set clearer requirements for what the auditor then does.
The IAASB has a project ongoing to revise ISA 240. It aims to:
- clarify the role and responsibilities of the auditor for fraud in an audit of financial statements;
- promote consistent behaviour and facilitate effective responses to identified risks of material misstatement due to fraud, through strengthening ISA 240 to establish more robust requirements and enhance and clarify application material where necessary;
- enhance ISA 240 to reinforce the importance, throughout the audit, of the appropriate exercise of professional scepticism in fraud-related audit procedures; and
- enhance transparency on fraud-related procedures where appropriate, including strengthening communications with those charged with governance and the reporting requirements in ISA 240 and other relevant ISAs.
The IAASB timeline suggests that we can expect an exposure draft and consultation for its revised ISA 240 during 2023, with final approval of the standard around the end of 2024. You can follow developments and learn more about the project on the IAASB website.
Audit & Beyond
This article was first featured in the June 2022 edition of Audit & Beyond.