Fraud Risk (extracted from PwC Audit Guide)
Guidance extracted from PwC Audit Guide (2003) to provide easy access to those teams not applying the PwC Audit 2003 methodology but where new guidance is required to be followed.
Fraud risk is a critical component of business risk and we need to identify and respond to the risk of material misstatement due to fraud (generally referred to in this section as fraud risk), both for our own risk management and to meet professional standards’ requirements. This means specifically considering as part of our risk assessment the areas of an entity’s operations where there are increased fraud risks at a financial statement assertion level, because of the industry, the business activities, the control environment, performance incentives/pressures and the overall objectives/agenda of management.
Fraud Appendix 1 gives a working definition of fraud, describes its nature and characteristics, and distinguishes between fraudulent financial reporting and misappropriation of assets, both of which are relevant to our consideration of fraud in a financial statement audit.
Absolute assurance of detecting material misstatements is not attainable. However, that should not deter us from planning our audit to maximize the likelihood that we will detect material misstatements due to fraud. Therefore, we should plan and perform the audit with an attitude of professional scepticism, recognising that conditions or events may be found that indicate that fraud or other questionable or illegal acts may exist or are reasonably possible, and investigating those conditions or events, and their impact on the financial statements.
While some guidance below might indicate a sequential audit process, activities relating to fraud risk assessment and our response occur throughout the audit comfort cycle and the gathering of substantive audit evidence.
This guidance covers the following:
• Obtaining the information needed to identify fraud risks. PwC Audit 4262 sets out the procedures we should perform to gather information to identify risks, including:
> Considering the information from the client Acceptance & Continuance process
> Discussion among engagement personnel
> Making inquiries of management and others within the entity
> Considering the results of the preliminary analytical procedures
> Considering fraud risk factors relating to misappropriation of assets
> Considering certain other information
• Identifying fraud risks and assessing the identified risks. PwC Audit 4263 explains the need to use the information gathered to identify fraud risks, and to assess the identified fraud risks after taking into account an evaluation of the entity’s programmes and controls. This recognises that we should treat management override of controls as a fraud risk, and also presume that improper revenue recognition is a fraud risk.
• Communicating the results of our risk assessment. PwC Audit 4264 provides guidance on the communications we should make to management and the Audit Committee.
• Responding to the results of our risk assessment. PwC Audit 4265 sets out the responses we should make to fraud risks:
> A response that has an overall effect on how the audit is conducted
> A response to identified risks involving the nature, timing, and extent of the procedures to
> A response involving the performance of certain procedures to address the fraud risk involving management override of controls
• Evaluating the results of our audit tests. PwC Audit 4266 explains that we should assess fraud risks throughout the audit, and evaluate the accumulated results of our audit work at the completion of our audit, including whether identified misstatements may be indicative of fraud
• Documentation. PwC Audit 4267 explains the requirements for documenting our work relating to fraud risk assessment and response.
• Action when fraud is discovered. PwC Audit 4268 sets out policy and guidance on the responses necessary if we discover fraud as a result of our audit work.
• Involvement of forensic specialists. PwC Audit 4269 sets out the recommended policy on use of forensic specialists, to be tailored and implemented by territories to reflect local
4262 Obtaining Information Needed to Identify Fraud Risks
To obtain the information needed to identify the risks of material misstatement due to fraud, our procedures should include:
• Considering the information from the client Acceptance & Continuance process
• Discussion among engagement personnel
• Making inquiries of management and others within the entity, including, where applicable, the Audit Committee and internal audit
• Considering the results of the preliminary analytical procedures, including analytical procedures specifically directed at revenue
• Considering fraud risk factors relating to misappropriation of assets
• Considering other information that may be helpful in identifying risks
Identification of Fraud Risks in Client Acceptance & Continuance
Consideration of fraud risks relating to fraudulent financial reporting begins at the client acceptance and continuance stage through the use of the Acceptance & Continuance (FRISK) process of My Client. This includes common fraud risk factors to be considered, specifically relating to fraudulent financial reporting. We should consider these in the context of the three conditions generally present when fraud occurs, as follows:
• Incentive/Pressure. These include excessive pressures on management or operating personnel to meet financial targets or third party expectations; financial stability threatened by economic, industry or entity operating conditions; and management or director personal net worth dependent on the entity’s financial performance.
• Opportunity. These pertain to the nature of the industry or the entity’s operations; ineffective monitoring; complex or unstable organisational structures; and deficiencies in internal control.
• Rationalisation/Attitude. These pertain to attributes of Board members, management, or employees that allow them to engage in and/or justify fraudulent financial reporting. These conditions reflect the "tone at the top" and the overall culture of the entity.
Examples of risk factors relating to misstatements arising from fraudulent financial reporting are included in Fraud Appendix 2.
While, as auditors, we should apply professional scepticism and be alert to indicators of possible fraud, we are not required to plan the audit specifically to discover information that is indicative of management or employee personal lack of integrity, financial stress on individuals, or collusive relationships, either internal or external, which could result in fraudulent actions. However, should we become aware of such information, we should consider the impact of this information on fraud risk.
The fraud risk implications of matters considered during this process, where the decision is taken to accept/continue with the audit, should be reflected in the audit file, including the specific responses to fraud risks.
Discussion Among Engagement Personnel
The engagement team is required to have a discussion early in the audit, preferably face-to-face in a meeting, to discuss the potential for material misstatements in the financial statements, including misstatements due to fraud. The discussion should involve the engagement leader and other key members of the engagement team, including specialists where it is anticipated that they will have significant involvement in the audit. It could be a part of the kick-off meeting or a separate meeting, but if the discussion of fraud risk forms part of a larger meeting, sufficient time should be allowed for a proper discussion specifically focused on fraud risk, with a view towards "What could go wrong?"
The discussion should cover:
• Review with the entire team of any fraud risk conditions identified in the Acceptance &
• Sharing of the insights of the more experienced members of the engagement team based on their knowledge of the entity and its industry, and an exchange of ideas or "brainstorming" about how and where the team believes the entity’s financial statements might be susceptible to material misstatement, how management could perpetrate and conceal fraudulent financial reporting, and how the assets of the entity could be misappropriated. The discussion should include a consideration of the known external and internal factors affecting the entity that might:
> Create incentives/pressures for management and others to commit fraud
> Provide the opportunity for fraud to be perpetrated
> Indicate a culture or environment that enables management to rationalise committing fraud
• An emphasis on the importance of maintaining the proper state of mind (i.e., professional scepticism) throughout the audit. This should lead the engagement team members continually to be alert for indicators that fraud may have occurred. Furthermore:
> The discussion should emphasize that the members of the engagement team should not be satisfied with less than persuasive evidence because of a belief that management is
> The engagement team should set aside any prior beliefs they may have that management is honest and has integrity
> The discussion should include a consideration of the risk of management override of
• Determination of specific procedures to be conducted as part of the audit to address any fraud risks identified in this meeting, including determination of the use of forensic specialists, and the plan for reviewing results with engagement leadership.
A specimen agenda for the discussion is included in Fraud Appendix 3.
For multinational corporation audits and other large multilocation audits, team meetings should be held in all territories/locations where there is a major business unit. The meeting of the referring office engagement team should take place in advance of local team meetings so that any relevant issues from a group perspective can be communicated to local teams. Any concerns identified in the local team meeting should be reported back to the referring office
Inquiries of Management and Others Within the Entity
Our inquiries of management and others within the entity are important because fraud often is uncovered through information received in response to inquiries. One reason for this is that such inquiries may provide individuals with an opportunity to convey information to us that otherwise might not be communicated.
Fraud Appendix 4 sets out example inquiries that cover the matters that our inquiries should address. Inquiries within the entity should include the following:
• Management. Generally, these inquiries should be directed to the chief executive officer, chief financial officer, and financial controller, as well as to management of significant business units and leaders of major operational and support services. We should consider directing inquiries to a cross-section of management, in terms of organisational responsibility, level of position held, and geographic location. In addition, the management representation letter should contain certain specific representations regarding disclosure to us of instances of fraud or suspected fraud. If management is required by law or local standards to report incidences of fraud to the Audit Committee and/or the external auditors, we should review all such communications, and determine if we believe management’s processes for deterrence and detection support the veracity of their reporting process.
• Audit Committee. In recent studies, a significant proportion of recent material corporate frauds have involved senior officers – i.e., the CEO, CFO, COO or similar executive levels. Thus, the oversight role played by the Board and its Audit Committee in assessing the incentives/pressures, opportunity and rationalisation/attitude, and the tone at the top of the entity is critical. As a minimum, we should directly make inquiries of the members of the Audit Committee, or other governance body charged with oversight of financial reporting.
• Internal audit. For entities that have an internal audit function, we should inquire of appropriate internal audit personnel.
• Others. Making inquiries of others outside management and the finance function may be useful in providing us with a different perspective to that of individuals within the financial reporting area. Their responses might serve to corroborate responses received from management or, alternatively, might provide information regarding the possibility of management override of controls, e.g., a response from an employee indicating an unusual change in the way transactions have been processed. In addition, we may obtain information regarding how effectively management has communicated standards of ethical behaviour to individuals throughout the entity. Others within the entity include the following:
> Operating personnel not directly involved in the financial reporting process
> Employees with varying levels of authority within the entity.
> Employees involved in initiating, recording, or processing complex or unusual
> In-house legal counsel
We use professional judgement to determine the others within the entity to whom inquiries should be directed and the extent of those inquiries, considering whether they might be able to provide information that will be helpful to us in identifying fraud risks. These inquiries generally would be directed to entity personnel that we come into contact with during the course of the audit. In that regard, we may make inquiries of different people each year. If any allegations of fraud or inappropriate behaviour have been made during the period to those responsible for whistle-blower or ethics hotlines, etc., and employees making such allegations can be identified, then our inquiries should include these personnel.
Results of Analytical Procedures
As part of our preliminary analytical procedures, we should consider whether any unusual or unexpected results of these procedures might indicate a potential material misstatement due to fraud. As revenue is particularly subject to fraud risk, we should analyse revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may be indicative of a material misstatement due to fraud. These revenue analytics should be performed at a disaggregated level (e.g., by monthly or quarterly time period, line of business, location, product, or account).
Consideration of Risk Factors Relating to Misappropriation of Assets
We should consider risk factors relating to misstatements arising from misappropriation of assets in the context of the three conditions generally present when fraud occurs, as follows:
Incentive/Pressure
• Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets
• Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:
> Known or anticipated future employee layoffs
> Promotions, compensation, or other rewards inconsistent with expectations
• Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation, for example:
> Large amounts of cash on hand or processed
> Inventory items that are small in size, of high value, or in high demand
> Easily convertible assets, such as bearer bonds, diamonds, or computer chips
> Assets that are small in size, marketable, or lacking observable identification of ownership
• Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets, for example:
> Inadequate segregation of duties or independent checks
> Inadequate management oversight of employees responsible for assets (e.g., inadequate supervision or monitoring of remote locations)
> Inadequate job applicant screening of employees with access to assets
> Inadequate recordkeeping with respect to assets
> Inadequate system of authorisation and approval of transactions (e.g., in purchasing)
> Inadequate physical safeguards over cash, investments, inventory, or other assets
> Lack of timely and appropriate documentation of transactions (e.g., credits for merchandise
> Lack of mandatory vacations for employees performing key control functions
> Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation
> Inadequate access controls over automated records
The following are examples of attitudes or behaviour of employees who have access to assets susceptible to misappropriation that we may become aware of:
• Disregard for the need for monitoring or reducing risks related to misappropriation of assets
• Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies
• Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of the
• Changes in behaviour or lifestyle that may indicate assets have been misappropriated
• Tone at the top that sets expectations for lavish lifestyles, mixing of personal and entity assets, or sense of entitlement
Other information that might be helpful in identifying fraud risk includes:
• Interim reviews. When we perform reviews of interim financial information on a timely basis, we should take into consideration information gained in the conduct of those reviews in assessing the risks of material misstatements as part of our audit. In particular, we should consider the source of potential adjustments identified during interim reviews as indications of potential material misstatements of the annual financial statements under audit.
• Consideration of account balances and classes of transactions that may be particularly subject to fraud risk. For example, because they involve a high degree of management judgement and subjectivity leading to a risk of fraudulent financial reporting (such as estimation of liabilities resulting from a restructuring) or they are susceptible to misappropriation. Fraud Appendix 5 contains tables to assist in identifying and remaining alert to potential fraud schemes relating to:
> Revenue recognition
> Overstatement of assets/understatement of liabilities
> Misappropriation of assets
These tables include a description of the fraud schemes, potential indicators, and illustrative procedures to be performed if a potential fraud scheme is identified. Not all indicators necessarily need to be observed for the potential for the fraud to be present. Professional judgement is required to determine if potential fraud schemes or fraud risks exist and whether procedures should be expanded and additional steps should be performed to address any
• Information gathered about the incentives/pressures facing management. For example, we should develop an "inventory" of management’s performance-related earnings or similar arrangements, including identifying the levels of performance that trigger them.
4263 Identifying and Assessing Risks That May Result in Material Misstatement
Identifying Fraud Risks
In identifying fraud risks, it is helpful to consider the information we have gathered in the context of incentives/pressures, opportunities and rationalisation/attitudes. However, we should not assume that all three conditions must be observed or evident before concluding that there are identified risks, nor that the inability to observe one or two of these conditions means that there is no fraud risk. In fact, risk factors reflective of employee rationalisation or attitudes are generally not susceptible to observation.
Additionally, the extent to which each of the three conditions is present when fraud occurs may vary:
• An incentive/pressure to achieve an earnings level to preclude a loan default or to trigger performance-related earnings may alone result in fraud risk
• An easy opportunity to commit fraud because of a lack of controls may be the dominant condition leading to fraud risk
• An individual’s attitude or ability to rationalise unethical actions may be sufficient to motivate that individual to engage in fraud, even in the absence of significant incentives/pressures or
Our identification of fraud risks may be influenced by characteristics such as the size, complexity, and ownership attributes of the entity. Also, fraud risks may vary among operating locations or business segments of an entity, requiring an identification of the risks related to specific geographic areas or business segments, as well as for the entity as a whole.
Management Override of Controls
Even if we do not identify specific risks of material misstatement due to fraud, we should recognise that there is a possibility that management override of controls could occur, and address that risk, as discussed in PwC Audit 4265.
Presumption That Improper Revenue Recognition Is a Fraud Risk
Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (e.g., through premature revenue recognition or recording fictitious revenues) or an understatement of revenues (e.g., through improperly shifting revenues to a later period). Therefore, we should ordinarily presume that there is a fraud risk relating to revenue recognition. Fraud Appendix 5 includes examples of potential fraud schemes relating to revenue recognition. If we conclude that there is no fraud risk, the rationale should be documented in the audit file.
In summary, the identification process should consider a number of factors, including:
• Type of risk – fraudulent financial reporting or misappropriation of assets
• Significance of risk – whether it is of a magnitude that could result in a material
• Likelihood of the risk – likelihood that it would result in a material misstatement
• Pervasiveness of the risk – pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions
We should determine whether the identified fraud risks are pervasive to the financial statements as a whole or are related to specific financial statement account balances or classes of transactions, and related assertions. Relating the fraud risks to individual accounts, classes of transactions and assertions will assist us in subsequently designing appropriate auditing procedures.
Assessing the Risk of Material Misstatement
When considering the identified fraud risks, we should consider the entity’s programmes and controls designed to address those risks. These programmes and controls may involve:
• Specific controls designed to mitigate specific risks of fraud
• Broader programmes designed to prevent, deter, and detect fraud (including programmes to promote a culture of honesty and ethical behaviour)
These programmes or controls, whether manual or automated, can be circumvented by collusion of two or more people or by inappropriate management override of internal control. We should evaluate whether the entity’s programmes and controls are suitably designed to prevent or detect material misstatements resulting from fraud risks and, if so, we should obtain, to the extent needed to develop further our responses, evidence that such programmes and controls have been implemented.
In developing our response to identified fraud risks, we should assess the extent to which it appears that the risks are mitigated or reduced. To the extent that we place reliance on the programmes and controls, we should validate them.
4264 Communications About Fraud to the Client
We should engage in a dialogue with the Audit Committee to obtain their views on fraud and to further our understanding of the risks of material misstatement. This dialogue should occur initially at the scoping phase of the audit, but further discussions may be necessary depending on our audit findings. While discussions with Audit Committees are primarily applicable to listed entities, a similar discussion should be held with other entities.
The discussion should include the following:
• An overview of our responsibilities as independent accountants and the general procedures we perform to address the risks of material misstatement due to fraud
• The inquiries of the Audit Committee about fraud referred to in PwC Audit 4262
• Identified risks, including those that have continuing control implications (whether or not transactions or adjustments that could be the result of fraud have been detected), and which represent material weaknesses or reportable conditions relating to the entity's internal control – in determining these matters, we should consider the three fraud conditions: incentives/pressures, opportunity, and rationalisation/attitude
• Details of the absence of, or deficiencies in, programmes and controls to mitigate specific risks of fraud or to otherwise help prevent, deter, and detect fraud represent weaknesses that should be communicated to senior management and the Audit Committee
For further guidance on communication with the client, see perspectives on fraud risk in PwC
4265 Responding to the Results of the Assessment
Our response to the identified fraud risks is influenced by the nature and significance of the risks identified and the entity’s programmes and controls that address these identified risks. We should respond to fraud risks in the following three ways:
• A response that has an overall effect on how the audit is conducted
• A response to identified risks involving the nature, timing, and extent of the procedures to be
• A response involving the performance of certain procedures to address the fraud risk involving management override of controls
We may conclude that it appears not to be practicable to sufficiently modify the procedures that are planned for the audit to address the risks. Withdrawal from the engagement with communication to the appropriate parties may be an appropriate course of action, but should only be undertaken after consultation with a Risk Management Partner, and others as appropriate.
Overall Responses to Risks
Overall responses to identified risks include:
• Reviewing staff assignments (e.g., need for specialised skills or more experienced staff, including forensic specialists) and necessary supervision
• Considering management’s selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions
• Incorporating an element of unpredictability in the selection of auditing procedures from year-to-year, for example –
> Performing substantive tests of selected account balances and assertions not otherwise tested due to their materiality or risk
> Adjusting the timing of testing from that otherwise expected
> Using different sampling methods
> Performing procedures at different locations or at locations on an unannounced basis
Modifying Nature, Timing and Extent of Procedures
Responses to identified risks involving the nature, timing, and extent of the procedures to be performed include:
• Changing the nature of procedures performed to obtain evidence that is more reliable or to obtain additional corroborative information
• Modifying the timing of substantive tests performed to be at or near the year-end or initiating early testing to substantiate transactions throughout the year
• Changing the extent of the procedures applied by increasing sample sizes, adding more detailed analytical procedures, or employing computer-assisted auditing techniques
Fraud Appendix 6 provides examples of how CAATs can be used in attempting to detect fraud.
Addressing the Risk of Management Override of Controls
We should perform procedures to address the risk of management override of controls on every audit as management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively. These procedures include:
• Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Fraud often involves manipulation of the financial reporting process by recording inappropriate or unauthorised journal entries or making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as consolidating adjustments, report combinations, and reclassifications. Accordingly, we should design procedures to test the appropriateness and authorisation of journal entries recorded in the general ledger and other adjustments, based upon the following considerations –
> Assessment of fraud risk
> Evaluation of the effectiveness of controls that have been implemented over one or more aspects of the financial reporting process
> Linkage of management’s internal reporting to the external financial statements
> Entity’s financial reporting process and the nature of evidence that can be examined
> Nature and complexity of accounts
> Timing of the testing
Inappropriate or unauthorised journal entries and adjustments often have certain unique identifying characteristics. Such characteristics may include entries:
> Made to unrelated, unusual, or seldom used accounts or business segments
> Recorded at the end of the period or post-closing entries that have little or no explanation
> Made either before or during the preparation of the financial statements that do not have
> That contain round numbers or a consistent ending number
• Reviewing accounting estimates for biases that could result in a material misstatement due to fraud, including performing a retrospective review of prior year estimates. This review is not intended to call into question our professional judgements made in the prior year that were based on information available at that time. Rather, it is to determine, with the knowledge gained from hindsight, whether there are insights that would call for additional auditing procedures in the current audit relating to management judgements that may have contained biases in prior periods.
• Evaluating the business rationale for significant unusual transactions. We may become aware of significant transactions that are outside of the normal course of business, or that otherwise appear to be unusual given our understanding of the client and its environment. We should gain an understanding of the business rationale and whether the rationale (or the lack thereof) suggests that the transaction may have been entered into to engage in fraudulent financial reporting. We should consider whether:
> The form of such transactions is overly complex (e.g., involves multiple entities within a consolidated group or unrelated third parties)
> Management has discussed the nature of and accounting for such transactions with the Audit Committee or Board of Directors
> Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction
> Transactions that involve unconsolidated related parties, including special purpose entities, have been properly reviewed and approved by the Audit Committee or Board of Directors
> The transactions involve previously unidentified related parties or parties that do not have the substance or financial strength to support the transaction without assistance from the entity under audit
> The level of disclosure or transparency of the transactions is appropriate
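The identifying characteristics of inappropriate journal entries listed above under management override of controls (seldom used accounts, period-end or post-closing entries with little or no explanation, round numbers or a consistent ending number) lend themselves to a computer-assisted test. The following Python code is an added illustration, not part of the PwC guidance: the field names, the thresholds and the sample ledger are all constructed assumptions, and a flagged entry is only a candidate for follow-up, not a finding.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    # Hypothetical minimal schema; a real general ledger extract will differ.
    entry_id: str
    posted: date
    account: str
    amount: Decimal
    description: str


def is_round(amount: Decimal, unit: Decimal = Decimal("1000")) -> bool:
    """True for non-zero amounts that are an exact multiple of `unit`."""
    return amount != 0 and abs(amount) % unit == 0


def ending(amount: Decimal) -> int:
    """Last three digits of the amount expressed in cents (4129.99 -> 999)."""
    return int(abs(amount) * 100) % 1000


def flag_entries(entries, period_end, *, seldom_used_max=1, close_window_days=3,
                 min_description_len=10, repeat_ending_min=3):
    """Return {entry_id: [reasons]} for entries matching any characteristic.

    All thresholds are assumptions to be set by professional judgement.
    """
    account_use = Counter(e.account for e in entries)
    # Count endings only over non-round amounts, so ".00" round figures do
    # not also show up as a "consistent ending".
    endings = Counter(ending(e.amount) for e in entries if not is_round(e.amount))
    window_start = period_end - timedelta(days=close_window_days)

    flags = {}
    for e in entries:
        reasons = []
        if account_use[e.account] <= seldom_used_max:
            reasons.append("seldom_used_account")
        # Covers both the last days of the period and post-closing entries.
        if e.posted >= window_start and len(e.description.strip()) < min_description_len:
            reasons.append("period_end_no_explanation")
        if is_round(e.amount):
            reasons.append("round_amount")
        elif endings[ending(e.amount)] >= repeat_ending_min:
            reasons.append("consistent_ending")
        if reasons:
            flags[e.entry_id] = reasons
    return flags


# Constructed sample ledger for a period ending 31 December 2023.
PERIOD_END = date(2023, 12, 31)
SAMPLE_LEDGER = [
    JournalEntry("JE-001", date(2023, 3, 14), "4000-Revenue", Decimal("18342.17"), "March invoices batch 12"),
    JournalEntry("JE-002", date(2023, 6, 30), "4000-Revenue", Decimal("22107.45"), "June invoices batch 27"),
    JournalEntry("JE-003", date(2023, 9, 12), "6100-Travel", Decimal("1290.36"), "Sales conference travel"),
    JournalEntry("JE-004", date(2023, 10, 2), "6100-Travel", Decimal("845.10"), "Client visit rail fares"),
    JournalEntry("JE-005", date(2023, 12, 30), "4000-Revenue", Decimal("250000.00"), "adj"),
    JournalEntry("JE-006", date(2023, 12, 31), "1999-Suspense", Decimal("73418.62"), ""),
    JournalEntry("JE-007", date(2023, 11, 5), "6100-Travel", Decimal("4129.99"), "Hotel block booking Q4"),
    JournalEntry("JE-008", date(2023, 11, 19), "6100-Travel", Decimal("8719.99"), "Hotel block booking Q4"),
    JournalEntry("JE-009", date(2023, 11, 26), "6100-Travel", Decimal("3509.99"), "Hotel block booking Q4"),
]

if __name__ == "__main__":
    for entry_id, reasons in flag_entries(SAMPLE_LEDGER, PERIOD_END).items():
        print(entry_id, ", ".join(reasons))
```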
4266 Evaluating Audit Test Results
Our assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit. Conditions may be identified during the performance of fieldwork that change or support our judgements regarding our assessment, such as discrepancies in accounting records, conflicting or missing evidential matter, or problematic or unusual relationships between the engagement team and the client. Examples of such evidential risk factors and other indicators of the possible existence of fraud are included in Fraud Appendix 2.
At or near the completion of the audit, we also should evaluate whether the accumulated results of auditing procedures and other observations affect the assessment of fraud risk made earlier in the audit, and whether there is a need to perform additional or different auditing procedures. This evaluation primarily is a qualitative matter based on our judgement. Our evaluation should include assessing whether substantive or final analytical procedures indicate a previously unrecognised fraud risk. In addition, we should update the revenue analytics performed as part of our preliminary analytical procedures.
When audit test results identify misstatements in the financial statements, we should consider whether such misstatements might be indicative of fraud. If circumstances indicate the possible existence of fraud, we should consider its potential effect on the financial statements. If we believe the effect of the misstatement could be material, we should perform whatever modified or additional procedures we determine appropriate to ascertain whether fraud exists and, if so, whether it has a material effect on the financial statements.
If we believe that misstatements are or may be the result of fraud, but the effect of the misstatement is not material to the financial statements, we should evaluate the implications, especially those dealing with the organisational position of the person(s) involved. If the matter involves higher-level management, even though the amount itself is not material, it may be indicative of a more pervasive problem (e.g., integrity of management). In such circumstances we should reassess the risk of material misstatement due to fraud and its resulting impact on (a) the nature, timing, and extent of tests of balances or transactions, and (b) the assessment of the effectiveness of controls. We also should consider our communication responsibilities, as discussed below.
A number of required steps are incorporated in Master Data to address our consideration of fraud in a financial statement audit. Audit work in response to risks or related to the detection of fraud should be evidenced through documentation of the results of performing the audit programme steps. Separate documentation of circumstances identified that indicate the possible existence of fraud or other questionable or illegal acts, and conclusions reached thereon, is required in the form of a critical matter.
We should document:
• The discussion among the engagement team regarding the susceptibility of the entity’s
financial statements to material misstatement due to fraud, including –
> Details of the date and time of the discussion, and the engagement team members who
> The subject matter discussed, which may be limited to the topics discussed, e.g., by
including on the audit file the agenda for the discussion
• The procedures performed to obtain necessary information to identify and assess the risks of
material misstatement due to fraud (including management inquiries, review of analytical
procedures including those directed at revenue, results of interim reviews, and the audit
comfort matrix incorporating the results of our client acceptance and continuance process)
• The specific fraud risks that were identified, and a description of our response to those risks.
The risk categorization function in MyClient can be used to record the risks and enable the
steps responding to those risks to be viewed together in the audit file.
• The nature of the communications about fraud made to management, the Audit Committee,
4268 Action on Discovery of Possible Fraud
At any time direct evidence of fraud or other grounds for suspecting that a fraud has or may have taken place may come to light in any one or more of a variety of ways. These include:
• Concerns raised openly by a member of client management or staff
• An anonymous tip-off from someone within or outside the entity
• Indications contained in one or more items of audit evidence examined in the course of the
• Extraneous circumstances or events – media comment, law enforcement or regulator action,
When our work indicates that fraud has or may have taken place, the matter should be reported to the engagement leader immediately. The engagement leader should consult with the concurring review partner, Risk Management and Office of General Counsel in accordance with territory policy.
Based on the territory implementation of the policy on use of a forensic specialist (PwC Audit 4269), the engagement leader should also consult with a forensic specialist in determining the appropriate course of action to be taken, for example with regard to:
• The most appropriate approach to determine the full facts and extent of the fraud and its
impact on the financial statements
• The communication of the problem and of recommendations for dealing with it to the client
• Wider legal and regulatory issues