Auditing for Fraud

1
Chapter 8

• Auditing for Fraud

2
Fraud Auditor Responsibilities Historical
Evolution

• "The detection of material fraud is a reasonable
  expectation of users of audited financial
  statements. Society needs and expects assurance
  that financial information has not been material
  misstated because of fraud. Unless an independent
  audit can provide this assurance, it has little
  if any value to society"
• This statement by the Public Companies Accounting
  Oversight Board represents a dramatic change in
  auditors' responsibility for detecting fraudulent
  financial reporting
• Previously, AICPA auditing standards required
  auditors to plan and perform an audit to provide
  reasonable assurance of detecting material
  misstatements, including those caused by fraud
• Today, the message is clear auditors must assume
  greater responsibility for detecting fraud

3
Comment on the Magnitude of Fraud

• According to a 2002 study by the Association of
  Certified Fraud Examiners (ACFE)--
• Six percent of revenues will be lost as a result
  of fraud
• Estimated at losses of 600 Billion per year
• These estimates cover all types of fraud, but do
  not include the losses investors incurred on
  major financial reporting frauds such as Enron or
  WorldCom

4
Fraud - Defined

• Intentional concealment or misrepresentation of
  material facts in order to deceive
• Differentiated from errors by the intent to
  deceive
• Traditionally defined into broad categories
• Defalcations
• Fraudulent financial reporting

5
Defalcation?

• Employee takes assets from the organization for
  personal gain. Examples theft, embezzlement
• ACFE divides into frauds due to
• Corruption
• Fraudsters use their influence in a transaction
  to gain personal benefit
• Examples kickbacks, conflict of interest,
  bribery, economic extortion
• Asset misappropriation
• Theft or misuse of organization's assets
• Common schemes skimming revenues, cash schemes,
  fraudulent disbursement, inventory theft,
  payroll fraud
• Defalcation may create misleading financial
  statements if stolen assets are reported on the
  statements

6
Fraudulent Financial Reporting - Defined

• Intentional manipulation of financial statements
• Typically committed by management
• Has opportunity to override internal controls
• Often evaluated and compensated based on
  financial results
• Usually involves
• Manipulation, falsification, or alteration of
  accounting records or supporting documents
• Misrepresentation or omission of events,
  transactions, or significant information
• Intentional misapplication of accounting
  principles
• The most common types are
• Overstate assets and understate expenses
• Overstate revenues and assets
• Understate liabilities

7
Lessons Learned From Fraud Cases

• Auditors take risk whenever they do not audit the
  entire company
• Auditors need to look at economic assumptions
  underlying a companys growth
• Auditors need to assess risk factors and when the
  risk of fraud is high, they must demand stronger
  evidence
• Computer errors should be viewed as a risk factor
• Dominant clients can be a problem
• Auditors need to know what motivates management
• Auditors should not assume all people are honest
• When fraud risk indicators are discovered, they
  must be thoroughly investigated

8
The Second COSO Report

• Report of the Committee of Sponsoring
  Organizations of the Treadway Commission (COSO)
  identified major characteristics of companies
  that had perpetrated fraud
• Involved smaller companies - under 200 million
  in revenues
• Board of directors dominated by management
• Audit committees non-existent or inactive
• Overstated revenues and corresponding assets in
  over half the frauds
• Most revenue frauds involved premature
  recognition or fictitious revenues

9
The Second COSO Report (Continued)

• No internal audit department
• Perpetrated over relatively long-terms (average
  period 2 years)
• Companies were in loss situations or near
  break-even prior to the fraud
• CEO and /or CFO involved in 83 of the cases
• Auditors realized there are signs that fraud
  might be taking place and that auditors would
  have to identify and investigate these signs

10
Auditing Standards on Fraud

• SAS 99, "Fraud Detection in a Financial Statement
  Audit" issued in 2002
• Requires auditors to search for risk factors
  related to fraud
• If these risk factors are present, auditor needs
  to modify audit to
• Actively search for fraud
• Require more substantive audit evidence
• In some cases, assign forensic (fraud) auditors
  to the engagement
• Emphasizes the need for professional skepticism

11
A Proactive Approach to Fraud Detection -
Planning the Audit

• The audit must be planned to detect material
  misstatements - whether the misstatements are due
  to errors or fraud
• The auditor must
• Understand the business
• Understand how changes in the economy might
  affect the business
• Understand management's motivations for
  committing a fraud
• Identify opportunities for other employees to
  commit defalcation
• Analyze changes in company's financial results
  for reasonableness
• Identify areas that might suggest fraud

12
Proactive Approach to Fraud Detection -
Conducting the Audit

• Overview of the process to integrate fraud risk
  assessment and fraud procedures into the audit
  includes ten major steps
• Understand the nature of fraud, motivations to
  commit fraud, and how fraud may be committed
• Develop and implement an approach based on
  professional skepticism
• Brainstorm and share knowledge within the audit
  team
• Obtain information useful in identifying and
  assessing fraud risk
• Identify specific fraud risks and areas likely to
  be affected by fraud

13
Proactive Approach to Fraud Detection -
Conducting the Audit

• Evaluate the quality and effectiveness of company
  controls in mitigating the risk of fraud
• Adjust audit procedures to address the risk of
  fraud and gather evidence specifically related
  to the possibility of fraud
• Evaluate findings if evidence signals fraud
  might exist, consider whether specialists are
  needed for the audit team
• Communicate possibility of fraud to management
  and audit committee
• Document all steps related to fraud

14
The motivations to commit fraud

• Research consistently shows three factors
  associated with fraud
• These factors are referred to as the fraud
  triangle
• Incentives or pressures to commit fraud
• Opportunities to commit fraud
• Rationalization of the fraud as acceptable

15
Motivations to Commit Fraud 1. Incentives or
Pressures

• The pressures to commit fraud include
• Management compensation schemes
• Personal wealth ties to financial results or
  survival of the company
• Other financial pressures to improve earnings or
  the balance sheet
• Example to avoid violating debt covenant
• Personal factors, including personal financial
  needs

16
Motivations to Commit Fraud 2. Opportunities

• Warning signs indicating opportunities for fraud
• Weak or non-existent internal controls
• Complex or unstable organizational structure
• Ineffective monitoring of management, either
  because board of directors is not effective, or
  management is dominant
• Significant accounting estimates made by
  management
• Significant related party transactions
• Industry dominance, including ability to dictate
  terms to suppliers or customers
• Simple transactions made complex through
  disjointed recording process
• Complex or difficult to understand transactions

17
Motivations to Commit Fraud 3. Rationalizations

• The nature of fraud rationalization often differs
  depending on the type of fraud
• For defalcations, rationalizations often revolve
  around personal issues
• Personal financial problems
• Mistreatment by the company
• Sense of entitlement
• Everyone does it
• For fraudulent financial reporting, the
  rationalizations may involve personal or
  organizational issues
• Compensation based on financial results
  (personal)
• Ego (personal)
• Necessary for organization to survive

18
Audit team brainstorming

• SAS 99 requires members of the audit team to
  discuss the risk of material misstatement due to
  fraud
• This brainstorming is designed to
• Allow experienced auditors to educate less
  experienced auditors
• Set the proper level of professional skepticism
  for the audit
• Topics covered during the brainstorming should
  include
• Consider how fraud can be perpetrated and
  concealed
• Presume fraud in revenue recognition
• Consider incentives, opportunities, and
  rationalization for fraud
• Consider industry conditions
• Consider operating characteristics and financial
  stability

19
Audit Procedures

• When there is a possibility of fraud, the auditor
  should consider that evidence might not be what
  it seems
• SAS 99 suggests the auditor consider the
  following
• Greater susceptibility of evidence manipulation
• Greater skepticism of management responses
• Journal entries are important
• New technology provides new ways to commit fraud
• Recognition that collusion may be likely
• Predictability of audit procedures
• Analytical procedures should tie to operational
  or industry data

20
Obtaining Information about Fraud Risk

• The auditor should specify procedures that could
  signal the possibility of fraud including
• Making inquires of management and others to
  obtain their views about the risk and fraud and
  controls set up to address those risks
• Perform analytical procedures and consider any
  unusual relationships
• Review risk factors identified earlier (pressure,
  opportunity, rationalization)
• Review management responses to recommendations
  for control improvements and internal audit
  reports

21
What are some analytical indicators of fraud risk?

• Some of the key analytical factors the auditor
  should develop include
• Large revenue increase at the end of the period
• Sales increasing faster than industry sales which
  don't seem justified
• Unusually large increase in gross margin
• Large number of sales returns after year-end
• Increase in number of day's sales in receivables
• Increase in number of day's sales in inventory
• Significant increase in debt/equity ratio
• Cash flow or liquidity problems
• Significant changes in non-financial performance
  measures

22
Identifying Risks of Fraud

• The auditor should examine each of the fraud risk
  conditions - pressure, opportunity,
  rationalization
• During this examination, the auditor should
  consider
• The type of fraud that might occur
• The potential significance of the fraud in both
  quantitative and qualitative terms
• The likelihood of fraud occurring
• The pervasiveness of the risk that fraud might
  occur
• SAS 99 requires the auditor presume there are
  risks with revenue recognition and management
  override of internal controls

23
Relate Internal Control and Fraud Risk

• Internal control weaknesses are a strong
  indicator of fraud risk
• The auditor will examine a variety of control
  areas including
• Corporate governance
• Management control and influence
• Audit committee
• Corporate culture
• Internal auditing
• Monitoring controls
• Whistle blowing
• Codes of ethics
• Related party transactions

24
Developing a Revised Audit Plan

• Auditor should develop hypotheses about how fraud
  could be committed and concealed
• The audit team should then develop and implement
  audit procedures that are directly responsive to
  the fraud risks
• Depending on the hypothesized fraud risks the
  auditor may change the
• Audit procedures in order to gather additional
  corroborative and/or direct evidence
• Timing of audit procedures
• Staffing of the engagement to include more
  experience auditors or specialists

25
Developing a Revised Audit Plan (Continued)

• Extent of audit procedures examples include
• Performing procedures on a surprise or
  unannounced basis
• Requiring inventories be counted and observed at
  year-end (instead of at an interim date)
• Making oral inquiries of major customers and
  suppliers
• Performing analytics using disaggregated data
• Examining details of major sales contracts
• Examining financial viability of customers
• Examining, in detail, reciprocal or similar
  transactions between two entities
• Detailed examination of journal entries,
  particularly those at year-end

26
Evaluating Audit Evidence

• The auditor's skepticism should be heightened
  whenever
• There are discrepancies in the accounting records
• The auditor finds conflicting or missing
  evidential matter
• The relationship with management is strained
• There are significant or unusual transactions
  around year-end

27
Communicating the Existence of Fraud

• Fraud should be communicated to a level at which
  effective action can be taken
• The auditor must communicate the existence of
  fraud to management, the Board, and the audit
  committee
• If fraud involves top management, the auditor
  must assess the actions taken by the Board
• If sufficient actions are not taken, the auditor
  must consider the control environment and the
  possible need to resign the engagement

28
Communicating the Existence of Fraud (Contd)

• The auditor must determine that the financial
  statements have been corrected and the fraud
  adequately disclosed
• If the statements are not corrected, the auditor
  should issue a qualified or adverse opinion
• In some cases, the auditor may be required to
  report the fraud to outside parties, such as to
  meet regulatory requirements
• For public companies, material fraud reflects a
  weakness in internal controls and may need be
  reported

29
Audit Documentation

• The audit team should document the full extent of
  the process described
• That documentation should include
• Discussion among audit team members including the
  assessment of fraud risk and how such frauds
  might take place
• Discussion of the factors that affected the risk
  assessment
• Audit procedures performed
• Need for corroborating evidence
• Evaluation of audit evidence and communication to
  required parties

30
Characteristics of Financial Reporting Frauds

• Historically, there are patterns in financial
  reporting frauds
• Complex revenue recognition schemes
• Incorrect billings to the government
• Holding the books open (accelerated revenue
  recognition)
• Capitalizing expenses
• The implications for audit procedures is clear
• The auditor must understand complex transactions
  to determine their economic substance
• The auditor cannot be pressured to complete the
  audit early there must be sufficient time to
  examine year-end transactions
• The auditor must use necessary procedures to
  gather sufficient reliable evidence including

31
Characteristics of defalcations?

• ACFE reports 90 of defalcations involve thefts
  of cash remaining 10 were thefts of inventory
  and other assets
• Cash misappropriation schemes include
• Larceny stealing cash after it has been recorded
  on the books
• Skimming stealing cash before it is recorded on
  the books
• Fraudulent disbursements
• Most common 70 of defalcation schemes
• Billing set up false vendors and pay for
  fictitious goods
• Payroll add fictitious employees to payroll
• Expense reimbursement submit overstated
  reimbursement requests
• Check tampering alter check, e.g. change payee
  or amount

32
Audit Procedures Evidence Considerations

• The procedures used by the auditor should reflect
• the internal control weaknesses and
• fraud risk indicators found with the client

33
1. Linking Audit Procedures to Control
Deficiencies

• Audit procedures used are based on specific
  control deficiencies
• Linkage process from control deficiencies to
  audit procedures
• What errors or fraud could occur because of the
  control deficiencies
• What account balances would be affected and how
• What audit procedures would provide evidence on
  whether the account balance is misstated
• Do the audit procedures provide objective
  evidence independent of the parties who have
  access to the assets
• Examples listed in Exhibit 8.11

34
2. Linking Audit Procedures to Fraud Risk
Indicators

• As with control deficiencies, audit procedures
  will depend on the fraud risk indicators and
  auditor's preliminary analytical review of
  account balances
• Existence of fraud risk indicators should cause
  the auditor to
• Expand audit testing to more detailed sampling
• Review all major sales
• Place more emphasis on independent outside
  evidence
• Perform more procedures at year-end (instead of
  interim testing)
• Examples listed in Exhibits 8.12 and 8.13

35
Using Computers to Analyze the Possibility of
Fraud

• Audit software can read a file and perform a
  number of procedures to analyze the possibility
  of fraud
• Test mechanical accuracy footing, mathematical
  extensions, and logical relationships
• Statistical selection
• Search for duplicate entries
• Analyze unusual patterns in data
• Analysis of logical relationships among data sets
• Identify unusual sources of entries to an account
• Search for missing data

36
Responsibilities for Detecting and Reporting
Illegal Acts

• Illegal acts are violations of laws or
  governmental regulations...by management or
  employees acting on behalf of the entity (AU
  317.02)
• Illegal acts often have a direct impact on
  financial statements
• Audit must be designed to identify illegal acts
  that have a direct, material effect on the
  financial statements audit procedures include
• Reading corporate minutes
• Inquiries of management and legal counsel

37
Responsibilities for Detecting and Reporting
Illegal Acts (continued)

• Tests of details to support transactions or
  account balances
• Large payments to consultants or employees for
  unspecified services
• Excessively large sales commissions
• Unexplained governmental payments
• Unauthorized or unnecessarily complex
  transactions
• If illegal acts are discovered, the auditor
  should
• Consult with the client's legal counsel
• Report the acts to management and the audit
  committee
• Make the financial statements present fairly
  including proper disclosure

38
Forensic Accounting

• Forensic accounting is an extension of auditing,
  but with a number of differences
• Detailed investigation where fraud has been
  identified or is suspected
• Focuses on identifying perpetrators and getting a
  confession
• Builds support for legal action against the
  perpetrator
• May provide litigation support such as expert
  testimony
• Extensive use of interviews
• 100 examination of fraud-related documents
• Reconstruction of account balances
• Broader scope than auditing