PwC_Fraud Risk Audit Guide

By Shirley Rodriguez,2014-03-08 22:09

    Fraud Risk (extracted from PwC Audit Guide)


    Guidance extracted from PwC Audit Guide (2003) to provide easy access to those teams not applying the PwC Audit 2003 methodology but where new guidance is required to be followed.

    4261 Overview

    Fraud risk is a critical component of business risk and we need to identify and respond to the risk of material misstatement due to fraud (generally referred to in this section as fraud risk), both for our own risk management and to meet professional standards requirements. This means specifically considering as part of our risk assessment the areas of an entity's operations where there are increased fraud risks at a financial statement assertion level, because of the industry, the business activities, the control environment, performance incentives/pressures and the overall objectives/agenda of management.

    Fraud Appendix 1 gives a working definition of fraud, describes its nature and characteristics, and distinguishes between fraudulent financial reporting and misappropriation of assets, both of which are relevant to our consideration of fraud in a financial statement audit.

    Absolute assurance of detecting material misstatements is not attainable. However, that should not deter us from planning our audit to maximize the likelihood that we will detect material misstatements due to fraud. Therefore, we should plan and perform the audit with an attitude of professional scepticism, recognising that conditions or events may be found that indicate that fraud or other questionable or illegal acts may exist or are reasonably possible, and investigating those conditions or events, and their impact on the financial statements.

    While some guidance below might indicate a sequential audit process, activities relating to fraud risk assessment and our response occur throughout the audit comfort cycle and the gathering of substantive audit evidence.

    This guidance covers the following:

    • Obtaining the information needed to identify fraud risks. PwC Audit 4262 sets out the procedures we should perform to gather information to identify risks, including:

    > Considering the information from the client Acceptance & Continuance process

    > Discussion among engagement personnel

    > Making inquiries of management and others within the entity

    > Considering the results of the preliminary analytical procedures

    > Considering fraud risk factors relating to misappropriation of assets

    > Considering certain other information

    • Identifying fraud risks and assessing the identified risks. PwC Audit 4263 explains the need to use the information gathered to identify fraud risks, and to assess the identified fraud risks after taking into account an evaluation of the entity's programmes and controls. This recognises that we should treat management override of controls as a fraud risk, and also presume that improper revenue recognition is a fraud risk.

    • Communicating the results of our risk assessment. PwC Audit 4264 provides guidance on the communications we should make to management and the Audit Committee.

    • Responding to the results of our risk assessment. PwC Audit 4265 sets out the responses we should make to fraud risks:

    > A response that has an overall effect on how the audit is conducted

    > A response to identified risks involving the nature, timing, and extent of the procedures to be performed

    > A response involving the performance of certain procedures to address the fraud risk involving management override of controls

    • Evaluating the results of our audit tests. PwC Audit 4266 explains that we should assess fraud risks throughout the audit, and evaluate the accumulated results of our audit work at the completion of our audit, including whether identified misstatements may be indicative of fraud

    • Documentation. PwC Audit 4267 explains the requirements for documenting our work relating to fraud risk assessment and response.

    • Action when fraud is discovered. PwC Audit 4268 sets out policy and guidance on the responses necessary if we discover fraud as a result of our audit work.

    • Involvement of forensic specialists. PwC Audit 4269 sets out the recommended policy on use of forensic specialists, to be tailored and implemented by territories to reflect local


    4262 Obtaining Information Needed to Identify Fraud Risks

    To obtain the information needed to identify the risks of material misstatement due to fraud, our procedures should include:

    • Considering the information from the client Acceptance & Continuance process

    • Discussion among engagement personnel

    • Making inquiries of management and others within the entity, including, where applicable, the Audit Committee and internal audit

    • Considering the results of the preliminary analytical procedures, including analytical procedures specifically directed at revenue

    • Considering fraud risk factors relating to misappropriation of assets

    • Considering other information that may be helpful in identifying risks

Identification of Fraud Risks in Client Acceptance & Continuance

    Consideration of fraud risks relating to fraudulent financial reporting begins at the client acceptance and continuance stage through the use of the Acceptance & Continuance (FRISK) process of My Client. This includes common fraud risk factors to be considered, specifically relating to fraudulent financial reporting. We should consider these in the context of the three conditions generally present when fraud occurs, as follows:

    • Incentive/Pressure. These include excessive pressures on management or operating personnel to meet financial targets or third party expectations; financial stability threatened by economic, industry or entity operating conditions; and management or director personal net worth dependent on the entity's financial performance.

    • Opportunity. These pertain to the nature of the industry or the entity's operations; ineffective monitoring; complex or unstable organisational structures; and deficiencies in internal control.

    • Rationalisation/Attitude. These pertain to attributes of Board members, management, or employees that allow them to engage in and/or justify fraudulent financial reporting. These conditions reflect the "tone at the top" and the overall culture of the entity.

    Examples of risk factors relating to misstatements arising from fraudulent financial reporting are included in Fraud Appendix 2.

    While, as auditors, we should apply professional scepticism and be alert to indicators of possible fraud, we are not required to plan the audit specifically to discover information that is indicative of management or employee personal lack of integrity, financial stress on individuals, or collusive relationships, either internal or external, which could result in fraudulent actions. However, should we become aware of such information, we should consider the impact of this information on fraud risk.

    The fraud risk implications of matters considered during this process, where the decision is taken to accept/continue with the audit, should be reflected in the audit file, including the specific responses to fraud risks.

    Discussion Among Engagement Personnel

    The engagement team is required to have a discussion early in the audit, preferably face-to-face in a meeting, to discuss the potential for material misstatements in the financial statements, including misstatements due to fraud. The discussion should involve the engagement leader and other key members of the engagement team, including specialists where it is anticipated that they will have significant involvement in the audit. It could be a part of the kick-off meeting or a separate meeting, but if the discussion of fraud risk forms part of a larger meeting, sufficient time should be allowed for a proper discussion specifically focused on fraud risk, with a view towards "What could go wrong?"

    The discussion should cover:

    • Review with the entire team of any fraud risk conditions identified in the Acceptance & Continuance process.

    • Sharing of the insights of the more experienced members of the engagement team based on their knowledge of the entity and its industry, and an exchange of ideas or "brainstorming" about how and where the team believes the entity's financial statements might be susceptible to material misstatement, how management could perpetrate and conceal fraudulent financial reporting, and how the assets of the entity could be misappropriated. The discussion should include a consideration of the known external and internal factors affecting the entity that might:

    > Create incentives/pressures for management and others to commit fraud

    > Provide the opportunity for fraud to be perpetrated

    > Indicate a culture or environment that enables management to rationalise committing fraud

    • An emphasis on the importance of maintaining the proper state of mind (i.e., professional scepticism) throughout the audit. This should lead the engagement team members continually to be alert for indicators that fraud may have occurred. Furthermore:

    > The discussion should emphasize that the members of the engagement team should not be satisfied with less than persuasive evidence because of a belief that management is

    > The engagement team should set aside any prior beliefs they may have that management is honest and has integrity

    > The discussion should include a consideration of the risk of management override of

    • Determination of specific procedures to be conducted as part of the audit to address any fraud risks identified in this meeting, including determination of the use of forensic specialists, and the plan for reviewing results with engagement leadership.

    A specimen agenda for the discussion is included in Fraud Appendix 3.

    For multinational corporation audits and other large multilocation audits, team meetings should be held in all territories/locations where there is a major business unit. The meeting of the referring office engagement team should take place in advance of local team meetings so that any relevant issues from a group perspective can be communicated to local teams. Any concerns identified in the local team meeting should be reported back to the referring office engagement team.

    Inquiries of Management and Others Within the Entity

    Our inquiries of management and others within the entity are important because fraud often is uncovered through information received in response to inquiries. One reason for this is that such inquiries may provide individuals with an opportunity to convey information to us that otherwise might not be communicated.

    Fraud Appendix 4 sets out example inquiries that cover the matters that our inquiries should address. Inquiries within the entity should include the following:

    • Management. Generally, these inquiries should be directed to the chief executive officer, chief financial officer, and financial controller, as well as to management of significant business units and leaders of major operational and support services. We should consider directing inquiries to a cross-section of management, in terms of organisational responsibility, level of position held, and geographic location. In addition, the management representation letter should contain certain specific representations regarding disclosure to us of instances of fraud or suspected fraud. If management is required by law or local standards to report incidences of fraud to the Audit Committee and/or the external auditors, we should review all such communications, and determine if we believe management's processes for deterrence and detection support the veracity of their reporting process.

    • Audit Committee. In recent studies, a significant proportion of recent material corporate frauds have involved senior officers, i.e., the CEO, CFO, COO or similar executive levels. Thus, the oversight role played by the Board and its Audit Committee in assessing the incentives/pressures, opportunity and rationalisation/attitude, and the tone at the top of the entity is critical. As a minimum, we should directly make inquiries of the members of the Audit Committee, or other governance body charged with oversight of financial reporting.

    • Internal audit. For entities that have an internal audit function, we should inquire of appropriate internal audit personnel.

    • Others. Making inquiries of others outside management and the finance function may be useful in providing us with a different perspective to that of individuals within the financial reporting area. Their responses might serve to corroborate responses received from management or, alternatively, might provide information regarding the possibility of management override of controls, e.g., a response from an employee indicating an unusual change in the way transactions have been processed. In addition, we may obtain information regarding how effectively management has communicated standards of ethical behaviour to individuals throughout the entity. Others within the entity include the following:

    > Operating personnel not directly involved in the financial reporting process

    > Employees with varying levels of authority within the entity.

    > Employees involved in initiating, recording, or processing complex or unusual


    > In-house legal counsel

    We use professional judgement to determine the others within the entity to whom inquiries should be directed and the extent of those inquiries, considering whether they might be able to provide information that will be helpful to us in identifying fraud risks. These inquiries generally would be directed to entity personnel that we come into contact with during the course of the audit. In that regard, we may make inquiries of different people each year. If any allegations of fraud or inappropriate behaviour have been made during the period to those responsible for whistle-blower or ethics hotlines, etc., and employees making such allegations can be identified, then our inquiries should include these personnel.

    Results of Analytical Procedures

    As part of our preliminary analytical procedures, we should consider whether any unusual or unexpected results of these procedures might indicate a potential material misstatement due to fraud. As revenue is particularly subject to fraud risk, we should analyse revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may be indicative of a material misstatement due to fraud. These revenue analytics should be performed at a disaggregated level (e.g., by monthly or quarterly time period, line of business, location, product, or account).

    Consideration of Risk Factors Relating to Misappropriation of Assets

    We should consider risk factors relating to misstatements arising from misappropriation of assets in the context of the three conditions generally present when fraud occurs, as follows:

    Incentive/Pressure

    • Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets

    • Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:

    > Known or anticipated future employee layoffs

    > Promotions, compensation, or other rewards inconsistent with expectations


    • Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation, for example:

    > Large amounts of cash on hand or processed

    > Inventory items that are small in size, of high value, or in high demand

    > Easily convertible assets, such as bearer bonds, diamonds, or computer chips

    > Assets that are small in size, marketable, or lacking observable identification of ownership

    • Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets, for example:

    > Inadequate segregation of duties or independent checks

    > Inadequate management oversight of employees responsible for assets (e.g., inadequate supervision or monitoring of remote locations)

    > Inadequate job applicant screening of employees with access to assets

    > Inadequate recordkeeping with respect to assets

    > Inadequate system of authorisation and approval of transactions (e.g., in purchasing)

    > Inadequate physical safeguards over cash, investments, inventory, or other assets

    > Lack of timely and appropriate documentation of transactions (e.g., credits for merchandise

    > Lack of mandatory vacations for employees performing key control functions

    > Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation

    > Inadequate access controls over automated records


    The following are examples of attitudes or behaviour of employees who have access to assets susceptible to misappropriation that we may become aware of:

    • Disregard for the need for monitoring or reducing risks related to misappropriation of assets

    • Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to correct known internal control deficiencies

    • Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of the

    • Changes in behaviour or lifestyle that may indicate assets have been misappropriated

    • Tone at the top that sets expectations for lavish lifestyles, mixing of personal and entity assets, or sense of entitlement

Other Information

Other information that might be helpful in identifying fraud risk includes:

    • Interim reviews. When we perform reviews of interim financial information on a timely basis, we should take into consideration information gained in the conduct of those reviews in assessing the risks of material misstatements as part of our audit. In particular, we should consider the source of potential adjustments identified during interim reviews as indications of potential material misstatements of the annual financial statements under audit.

    • Consideration of account balances and classes of transactions that may be particularly subject to fraud risk. For example, because they involve a high degree of management judgement and subjectivity leading to a risk of fraudulent financial reporting (such as estimation of liabilities resulting from a restructuring) or they are susceptible to misappropriation. Fraud Appendix 5 contains tables to assist in identifying and remaining alert to potential fraud schemes relating to:

    > Revenue recognition

    > Overstatement of assets/understatement of liabilities

    > Misappropriation of assets

    These tables include a description of the fraud schemes, potential indicators, and illustrative procedures to be performed if a potential fraud scheme is identified. Not all indicators necessarily need to be observed for the potential for the fraud to be present. Professional judgement is required to determine if potential fraud schemes or fraud risks exist and whether procedures should be expanded and additional steps should be performed to address any identified risks.

    • Information gathered about the incentives/pressures facing management. For example, we should develop an inventory of management's performance-related earnings or similar arrangements, including identifying the levels of performance that trigger them.

    4263 Identifying and Assessing Risks That May Result in Material Misstatement

Identifying Fraud Risks

    In identifying fraud risks, it is helpful to consider the information we have gathered in the context of incentives/pressures, opportunities and rationalisation/attitudes. However, we should not assume that all three conditions must be observed or evident before concluding that there are identified risks, nor that the inability to observe one or two of these conditions means that there is no fraud risk. In fact, risk factors reflective of employee rationalisation or attitudes are generally not susceptible to observation.

    Additionally, the extent to which each of the three conditions is present when fraud occurs may vary:

    • An incentive/pressure to achieve an earnings level to preclude a loan default or to trigger performance-related earnings may alone result in fraud risk

    • An easy opportunity to commit fraud because of a lack of controls may be the dominant condition leading to fraud risk

    • An individual's attitude or ability to rationalise unethical actions may be sufficient to motivate that individual to engage in fraud, even in the absence of significant incentives/pressures or


    Our identification of fraud risks may be influenced by characteristics such as the size, complexity, and ownership attributes of the entity. Also, fraud risks may vary among operating locations or business segments of an entity, requiring an identification of the risks related to specific geographic areas or business segments, as well as for the entity as a whole.

    Management Override of Controls

    Even if we do not identify specific risks of material misstatement due to fraud, we should recognise that there is a possibility that management override of controls could occur, and address that risk, as discussed in PwC Audit 4265.

    Presumption That Improper Revenue Recognition Is a Fraud Risk

    Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (e.g., through premature revenue recognition or recording fictitious revenues) or an understatement of revenues (e.g., through improperly shifting revenues to a later period). Therefore, we should ordinarily presume that there is a fraud risk relating to revenue recognition. Fraud Appendix 5 includes examples of potential fraud schemes relating to revenue recognition. If we conclude that there is no fraud risk, the rationale should be documented in the audit file.

    In summary, the identification process should consider a number of factors, including:

    • Type of risk: fraudulent financial reporting or misappropriation of assets

    • Significance of risk: whether it is of a magnitude that could result in a material

    • Likelihood of the risk: likelihood that it would result in a material misstatement

    • Pervasiveness of the risk: pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions

    We should determine whether the identified fraud risks are pervasive to the financial statements as a whole or are related to specific financial statement account balances or classes of transactions, and related assertions. Relating the fraud risks to individual accounts, classes of transactions and assertions will assist us in subsequently designing appropriate auditing procedures.

Assessing the Risk of Material Misstatement

    When considering the identified fraud risks, we should consider the entity's programmes and controls designed to address those risks. These programmes and controls may involve:

    • Specific controls designed to mitigate specific risks of fraud

    • Broader programmes designed to prevent, deter, and detect fraud (including programmes to promote a culture of honesty and ethical behaviour)

    These programmes or controls, whether manual or automated, can be circumvented by collusion of two or more people or by inappropriate management override of internal control. We should evaluate whether the entity's programmes and controls are suitably designed to prevent or detect material misstatements resulting from fraud risks and, if so, we should obtain, to the extent needed to develop further our responses, evidence that such programmes and controls have been implemented.

    In developing our response to identified fraud risks, we should assess the extent to which it appears that the risks are mitigated or reduced. To the extent that we place reliance on the programmes and controls, we should validate them.

    4264 Communications About Fraud to the Client

    We should engage in a dialogue with the Audit Committee to obtain their views on fraud and to further our understanding of the risks of material misstatement. This dialogue should occur initially at the scoping phase of the audit, but further discussions may be necessary depending on our audit findings. While discussions with Audit Committees are primarily applicable to listed entities, a similar discussion should be held with other entities.

The discussion should include the following:

    • An overview of our responsibilities as independent accountants and the general procedures we perform to address the risks of material misstatement due to fraud

    • The inquiries of the Audit Committee about fraud referred to in PwC Audit 4262

    • Identified risks, including those that have continuing control implications (whether or not transactions or adjustments that could be the result of fraud have been detected), and which represent material weaknesses or reportable conditions relating to the entity's internal control; in determining these matters, we should consider the three fraud conditions: incentives/pressures, opportunity, and rationalisation/attitude

    • Details of the absence of, or deficiencies in, programmes and controls to mitigate specific risks of fraud or to otherwise help prevent, deter, and detect fraud represent weaknesses that should be communicated to senior management and the Audit Committee

    For further guidance on communication with the client, see perspectives on fraud risk in PwC Audit 7220.

    4265 Responding to the Results of the Assessment

    Our response to the identified fraud risks is influenced by the nature and significance of the risks identified and the entity's programmes and controls that address these identified risks. We should respond to fraud risks in the following three ways:

    • A response that has an overall effect on how the audit is conducted

    • A response to identified risks involving the nature, timing, and extent of the procedures to be

    • A response involving the performance of certain procedures to address the fraud risk involving management override of controls

    We may conclude that it appears not to be practicable to sufficiently modify the procedures that are planned for the audit to address the risks. Withdrawal from the engagement with communication to the appropriate parties may be an appropriate course of action, but should only be undertaken after consultation with a Risk Management Partner, and others as appropriate.

    Overall Responses to Risks

    Overall responses to identified risks include:

    • Reviewing staff assignments (e.g., need for specialised skills or more experienced staff, including forensic specialists) and necessary supervision

    • Considering management's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions

    • Incorporating an element of unpredictability in the selection of auditing procedures from year-to-year, for example

    > Performing substantive tests of selected account balances and assertions not otherwise tested due to their materiality or risk

    > Adjusting the timing of testing from that otherwise expected

    > Using different sampling methods

    > Performing procedures at different locations or at locations on an unannounced basis

Modifying Nature, Timing and Extent of Procedures

    Responses to identified risks involving the nature, timing, and extent of the procedures to be performed include:

    • Changing the nature of procedures performed to obtain evidence that is more reliable or to obtain additional corroborative information

    • Modifying the timing of substantive tests performed to be at or near the year-end or initiating early testing to substantiate transactions throughout the year

    • Changing the extent of the procedures applied by increasing sample sizes, adding more detailed analytical procedures, or employing computer-assisted auditing techniques


    Fraud Appendix 6 provides examples of how CAATs can be used in attempting to detect fraud.

    Addressing the Risk of Management Override of Controls

    We should perform procedures to address the risk of management override of controls on every audit as management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively. These procedures include:

    • Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Fraud often involves manipulation of the financial reporting process by recording inappropriate or unauthorised journal entries or making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as consolidating adjustments, report combinations, and reclassifications. Accordingly, we should design procedures to test the appropriateness and authorisation of journal entries recorded in the general ledger and other adjustments, based upon the following considerations:

    > Assessment of fraud risk

    > Evaluation of the effectiveness of controls that have been implemented over one or more aspects of the financial reporting process

    > Linkage of management's internal reporting to the external financial statements

    > Entity's financial reporting process and the nature of evidence that can be examined

    > Nature and complexity of accounts

    > Timing of the testing

    Inappropriate or unauthorised journal entries and adjustments often have certain unique identifying characteristics. Such characteristics may include entries:

    > Made to unrelated, unusual, or seldom used accounts or business segments

    > Recorded at the end of the period or post-closing entries that have little or no explanation or description

    > Made either before or during the preparation of the financial statements that do not have account numbers

    > That contain round numbers or a consistent ending number

? Reviewing accounting estimates for biases that could result in a material misstatement due

    to fraud, including performing a retrospective review of prior year estimates. This review is not

    intended to call into question our professional judgements made in the prior year that were

    based on information available at that time. Rather, it is to determine, with the knowledge

    gained from hindsight, whether there are insights that would call for additional auditing

    procedures in the current audit relating to management judgements that may have contained

    biases in prior periods.

    • Evaluating the business rationale for significant unusual transactions. We may become aware of significant transactions that are outside of the normal course of business, or that otherwise appear to be unusual given our understanding of the client and its environment. We should gain an understanding of the business rationale and whether the rationale (or the lack thereof) suggests that the transaction may have been entered into to engage in fraudulent financial reporting. We should consider whether:

    > The form of such transactions is overly complex (e.g., involves multiple entities within a consolidated group or unrelated third parties)

    > Management has discussed the nature of and accounting for such transactions with the Audit Committee or Board of Directors

    > Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction

    > Transactions that involve unconsolidated related parties, including special purpose entities, have been properly reviewed and approved by the Audit Committee or Board of Directors

    > The transactions involve previously unidentified related parties or parties that do not have the substance or financial strength to support the transaction without assistance from the entity under audit

    > The level of disclosure or transparency of the transactions is appropriate
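    The journal entry characteristics listed above (seldom used accounts, period-end or post-closing entries with little or no description, missing account numbers, round numbers or a consistent ending number) can be screened for mechanically before entries are selected for testing. The following is an added example, not part of the PwC guidance; the sample journal is constructed and every threshold, the period end date and the function name are assumptions. "Unrelated" or "unusual" accounts need auditor judgement and are not modelled here.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# All thresholds below are assumptions for illustration, not values from the guide.
PERIOD_END = date(2003, 12, 31)  # assumed reporting period end
CLOSE_WINDOW_DAYS = 3            # entries this close to period end, or after it
SELDOM_USED_MAX = 1              # account posted to at most this many times
MIN_DESC_CHARS = 10              # shorter text counts as "little or no explanation"
ROUND_UNIT = Decimal("1000")     # multiples of this count as round numbers
ENDING_MIN = 3                   # same trailing digits on this many entries

# Constructed sample journal: (id, posting date, account, amount, description)
ENTRIES = [
    ("JE001", date(2003, 11, 3), "4000", Decimal("1842.17"), "Invoice 1182 revenue recognition"),
    ("JE002", date(2003, 11, 17), "4000", Decimal("967.40"), "Invoice 1190 revenue recognition"),
    ("JE003", date(2003, 12, 2), "6100", Decimal("312.55"), "Office supplies December"),
    ("JE004", date(2003, 12, 31), "4000", Decimal("250000.00"), "adj"),
    ("JE005", date(2004, 1, 4), "9990", Decimal("73411.08"), ""),
    ("JE006", date(2003, 12, 15), "", Decimal("5120.33"), "Reclass per controller request"),
    ("JE007", date(2003, 10, 6), "6100", Decimal("4999.99"), "Consulting fee October"),
    ("JE008", date(2003, 10, 20), "6100", Decimal("2999.99"), "Consulting fee October II"),
    ("JE009", date(2003, 11, 24), "6100", Decimal("7999.99"), "Consulting fee November"),
]

def screen_entries(entries, period_end=PERIOD_END):
    """Return {entry id: [reasons]} for entries matching the listed characteristics."""
    usage = Counter(acct for _, _, acct, _, _ in entries if acct)
    endings = Counter(amt % 100 for _, _, _, amt, _ in entries)
    flagged = {}
    for je_id, posted, acct, amt, desc in entries:
        reasons = []
        if not acct:
            reasons.append("no account number")
        elif usage[acct] <= SELDOM_USED_MAX:
            reasons.append("seldom-used account")
        late = (period_end - posted).days <= CLOSE_WINDOW_DAYS  # negative = post-closing
        if late and len(desc.strip()) < MIN_DESC_CHARS:
            reasons.append("period-end or post-closing entry with little or no description")
        if amt % ROUND_UNIT == 0:
            reasons.append("round number")
        elif endings[amt % 100] >= ENDING_MIN:
            reasons.append("consistent ending number")
        if reasons:
            flagged[je_id] = reasons
    return flagged

if __name__ == "__main__":
    print(*(f"{k}: {'; '.join(v)}" for k, v in screen_entries(ENTRIES).items()), sep="\n")
```

    A flag is a reason to select the entry for testing of its appropriateness and authorisation, not a conclusion that the entry is inappropriate.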

    4266 Evaluating Audit Test Results

    Our assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit. Conditions may be identified during the performance of fieldwork that change or support our judgements regarding our assessment, such as discrepancies in accounting records, conflicting or missing evidential matter, or problematic or unusual relationships between the engagement team and the client. Examples of such evidential risk factors and other indicators of the possible existence of fraud are included in Fraud Appendix 2.

    At or near the completion of the audit, we also should evaluate whether the accumulated results of auditing procedures and other observations affect the assessment of fraud risk made earlier in the audit, and whether there is a need to perform additional or different auditing procedures. This evaluation primarily is a qualitative matter based on our judgement. Our evaluation should include assessing whether substantive or final analytical procedures indicate a previously unrecognised fraud risk. In addition, we should update the revenue analytics performed as part of our preliminary analytical procedures.

    When audit test results identify misstatements in the financial statements, we should consider whether such misstatements might be indicative of fraud. If circumstances indicate the possible existence of fraud, we should consider its potential effect on the financial statements. If we believe the effect of the misstatement could be material, we should perform whatever modified or additional procedures we determine appropriate to ascertain whether fraud exists and, if so, whether it has a material effect on the financial statements.

    If we believe that misstatements are or may be the result of fraud, but the effect of the misstatement is not material to the financial statements, we should evaluate the implications, especially those dealing with the organisational position of the person(s) involved. If the matter involves higher-level management, even though the amount itself is not material, it may be indicative of a more pervasive problem (e.g., integrity of management). In such circumstances we should reassess the risk of material misstatement due to fraud and its resulting impact on (a) the nature, timing, and extent of tests of balances or transactions, and (b) the assessment of the effectiveness of controls. We also should consider our communication responsibilities, as discussed below.

    4267 Documentation

    A number of required steps are incorporated in Master Data to address our consideration of fraud in a financial statement audit. Audit work in response to risks or related to the detection of fraud should be evidenced through documentation of the results of performing the audit programme steps. Separate documentation of circumstances identified that indicate the possible existence of fraud or other questionable or illegal acts, and conclusions reached thereon, is required in the form of a critical matter.

    We should document:

    • The discussion among the engagement team regarding the susceptibility of the entity's financial statements to material misstatement due to fraud, including

    > Details of the date and time of the discussion, and the engagement team members who


    > The subject matter discussed, which may be limited to the topics discussed, e.g., by including on the audit file the agenda for the discussion

    • The procedures performed to obtain necessary information to identify and assess the risks of material misstatement due to fraud (including management inquiries, review of analytical procedures including those directed at revenue, results of interim reviews, and the audit comfort matrix incorporating the results of our client acceptance and continuance process)

    • The specific fraud risks that were identified, and a description of our response to those risks. The risk categorization function in MyClient can be used to record the risks and enable the steps responding to those risks to be viewed together in the audit file.

    • The nature of the communications about fraud made to management, the Audit Committee, and others

    4268 Action on Discovery of Possible Fraud

    At any time direct evidence of fraud or other grounds for suspecting that a fraud has or may have taken place may come to light in any one or more of a variety of ways. These include:

    • Concerns raised openly by a member of client management or staff

    • An anonymous tip-off from someone within or outside the entity

    • Indications contained in one or more items of audit evidence examined in the course of the

    • Extraneous circumstances or events media comment, law enforcement or regulator action,


    When our work indicates that fraud has or may have taken place, the matter should be reported to the engagement leader immediately. The engagement leader should consult with the concurring review partner, Risk Management and Office of General Counsel in accordance with territory policy.

    Based on the territory implementation of the policy on use of a forensic specialist (PwC Audit 4269), the engagement leader should also consult with a forensic specialist in determining the appropriate course of action to be taken, for example with regard to:

    • The most appropriate approach to determine the full facts and extent of the fraud and its impact on the financial statements

    • The communication of the problem and of recommendations for dealing with it to the client

    • Wider legal and regulatory issues
