Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5501 Introduction
Apr-2018
In This Section
Overview
This topic explains:
- The content of section 5500 to help navigate through this subsection.
- What are our objectives in relation to fraud.
- What are the characteristics of fraud.
- What management’s responsibilities are in relation to fraud.
- What our responsibilities are in relation to fraud.
OAG Guidance
|
Topic |
Title |
Content |
|
Fraud risk factors |
This topic explains the definition of fraud risk factors and provides related examples. |
|
|
Discussions among the engagement team |
This topic explains the need to discuss fraud among the engagement team members. |
|
|
Risk assessment and related activities |
This topic explains the need to use the information gathered to identify fraud risks, and to assess the identified fraud risks after taking into account an evaluation of the entity’s programs and controls. Assessed risks that could result in a material misstatement due to fraud are significant risks. |
|
|
Assessment of the risk of material misstatement due to fraud |
This topic sets out our responsibilities in relation to the assessment of material misstatement due to fraud and in particular in relation to revenue recognition. |
|
|
Responses to the risks of material misstatements due to fraud |
This topic sets out our responses to fraud risks. |
|
|
Examples of possible audit procedures to address the assessed risks of material misstatement due to fraud |
This topic provides examples of possible responses to identified fraud risks. |
|
|
Management override of controls |
This topic explains that management override is considered as a significant risk on every audit engagement and lists the procedures we perform to address this risk. |
|
|
Journal entries |
This topic explains our responsibilities in relation to journal entries. |
|
|
Evaluation of audit evidence to identify previously unrecognized risks of fraud. |
This topic explains that we shall assess fraud risks throughout the audit and evaluate the accumulated results of our audit work at the completion of our audit, including whether identified misstatements may be indicative of fraud risk. |
|
|
Examples of circumstances that indicate the possibility of fraud |
This topic provides examples of fraud indicators. |
|
|
Fraud communications |
This topic provides guidance on the communications related to fraud we make to management and others. |
|
|
Involvement of the Internal Specialist for Fraud |
This topic explains when the Internal Specialist for Fraud may be used on an engagement. |
|
|
Using CAATS in attempting to detect fraud |
This topic provides examples of where CAATS can assist engagement teams in detecting fraud. |
|
|
Fraud in the public sector |
This topic provides examples of fraud indicators related to contracting, grants and contributions, non-tax revenue and other vulnerable areas that may occur in the public sector. |
CAS Objective
The objectives of the auditor are (CAS 240.11);
a) To identify and assess the risks of material misstatement of the financial statements due to fraud
b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses
c) To respond appropriately to fraud or suspected fraud identified during the audit
OAG Guidance
CAS 240 flowchart
Set out below is a diagram of the overall process that is required by the standard. This tool focuses on the planning phase of the process, so takes teams up to the top of the fourth column, the planning of the responses to the risks identified.
CAS Guidance
Fraud—An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage (CAS 240.12).
CAS Guidance
Misstatements in the financial statements can arise from either fraud or error. The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. (CAS 240.2)
Although fraud is a broad legal concept, for the purposes of the CASs, the auditor is concerned with fraud that causes a material misstatement in the financial statements. Two types of intentional misstatements are relevant to the auditor - misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation of assets. Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred. (CAS 240.3)
Fraud, whether fraudulent financial reporting or misappropriation of assets, involves incentive or pressure to commit fraud, a perceived opportunity to do so and some rationalization of the act. For example (CAS 240.A1):
-
Incentive or pressure to commit fraudulent financial reporting may exist when management is under pressure, from sources outside or inside the entity, to achieve an expected (and perhaps unrealistic) earnings target or financial outcome - particularly since the consequences to management for failing to meet financial goals can be significant. Similarly, individuals may have an incentive to misappropriate assets, for example, because the individuals are living beyond their means.
-
A perceived opportunity to commit fraud may exist when an individual believes internal control can be overridden, for example, because the individual is in a position of trust or has knowledge of specific deficiencies in internal control.
-
Individuals may be able to rationalize committing a fraudulent act. Some individuals possess an attitude, character or set of ethical values that allow them knowingly and intentionally to commit a dishonest act. However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient pressure on them.
OAG Guidance
The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. Unlike error, fraud is intentional and usually involves deliberate concealment of the facts. It may involve one or more members of management, employees, or third parties.
Errors are defined as unintentional misstatements or omissions of amounts or disclosures in financial statements. Errors may involve:
-
Mistakes in gathering or processing data from which financial statements are prepared.
-
Unreasonable accounting estimates arising from oversight or misinterpretation of facts.
-
Mistakes in the application of accounting principles relating to amount, classification, manner of presentation, or disclosure.
Intent is often difficult to determine, particularly in matters involving accounting estimates and the application of accounting principles. For example, unreasonable accounting estimates may be unintentional or may be the result of an intentional attempt to misstate the financial statements. An audit is not designed to determine intent but we need some understanding of intent in order to assess the implications of the misstatements and impact on our audit procedures.
The following diagram illustrates the elements of the fraud triangle.
The existence of one of these factors in isolation does not in itself give rise to a fraud risk. Typically both incentives/pressures and opportunity will need to be present in order for there to be a significant risk of material misstatement due to fraud, given that without incentive, and the ability to commit fraud, the likelihood of fraud being perpetrated is generally considered to be low.
See OAG Audit 5502 for further examples of fraud risk factors.
CAS Guidance
Fraudulent Financial Reporting
Fraudulent financial reporting involves intentional misstatements including omissions of amounts or disclosures in financial statements to deceive financial statement users. It can be caused by the efforts of management to manage earnings in order to deceive financial statement users by influencing their perceptions as to the entity’s performance and profitability. Such earnings management may start out with small actions or inappropriate adjustment of assumptions and changes in judgments by management. Pressures and incentives may lead these actions to increase to the extent that they result in fraudulent financial reporting. Such a situation could occur when, due to pressures to meet market expectations or a desire to maximize compensation based on performance, management intentionally takes positions that lead to fraudulent financial reporting by materially misstating the financial statements. In some entities, management may be motivated to reduce earnings by a material amount to minimize tax or to inflate earnings to secure bank financing. (CAS 240.A2)
Fraudulent financial reporting may be accomplished by the following (CAS 240.A3):
-
Manipulation, falsification (including forgery), or alteration of accounting records or supporting documentation from which the financial statements are prepared.
-
Misrepresentation in or intentional omission from, the financial statements of events, transactions or other significant information.
-
Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.
Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively. Fraud can be committed by management overriding controls using such techniques as intentionally (CAS 240.A4):
-
Recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives.
-
Inappropriately adjusting assumptions and changing judgments used to estimate account balances.
-
Omitting, advancing or delaying recognition in the financial statements of events and transactions that have occurred during the reporting period.
-
Omitting, obscuring or misstating disclosures required by the applicable financial reporting framework, or disclosures that are necessary to achieve fair presentation.
-
Concealing facts that could affect the amounts recorded in the financial statements.
-
Engaging in complex transactions that are structured to misrepresent the financial position or financial performance of the entity.
-
Altering records and terms related to significant and unusual transactions.
CAS Guidance
Misappropriation of Assets
Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by employees in relatively small and immaterial amounts. However, it can also involve management who are usually more able to disguise or conceal misappropriations in ways that are difficult to detect. Misappropriation of assets can be accomplished in a variety of ways including (CAS 240.A5):
-
Embezzling receipts (for example, misappropriating collections on accounts receivable or diverting receipts in respect of written-off accounts to personal bank accounts).
-
Stealing physical assets or intellectual property (for example, stealing inventory for personal use or for sale, stealing scrap for resale, colluding with a competitor by disclosing technological data in return for payment).
-
Causing an entity to pay for goods and services not received (for example, payments to fictitious vendors, kickbacks paid by vendors to the entity’s purchasing agents in return for inflating prices, payments to fictitious employees).
-
Using an entity’s assets for personal use (for example, using the entity’s assets as collateral for a personal loan or a loan to a related party).
Misappropriation of assets is often accompanied by false or misleading records or documents in order to conceal the fact that the assets are missing or have been pledged without proper authorization.
OAG Guidance
In many cases, the misappropriation of an asset may not lead to a material misstatement or omission in the financial statements. However, keep in mind that a misappropriation of assets may be material by its nature rather than by its size, e.g., because it involves senior management, has regulatory implications, or has a detrimental impact on the reputation of the entity or on the confidence of customers in that entity which is disproportionate to the quantum of the actual loss incurred. There is also the possibility that the fraud uncovered may represent only the tip of the iceberg. In other words, the discovery of what initially appears to be a small fraud may be indicative of a more significant problem with wider implications for the entity and its financial statements.
CAS Guidance
Responsibility for the Prevention and Detection of Fraud
The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by an active oversight by those charged with governance. Oversight by those charged with governance includes considering the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings in order to influence the perceptions of analysts as to the entity’s performance and profitability. (CAS 240.4)
OAG Guidance
The respective responsibilities of those charged with governance and management may vary by entity. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. A culture of honesty and ethical behavior is rooted in a strong set of core values that provides the foundation for employees as to how the entity conducts its business.
Creating a culture of honesty and ethical behavior includes:
- Setting the proper tone.
- Creating a positive workplace environment.
- Hiring, training and promoting appropriate employees.
- Requiring periodic confirmation by employees of their responsibilities.
- Taking appropriate action in response to actual, suspected or alleged fraud.
It is the responsibility of those charged with governance of the entity to ensure, through oversight of management, that the entity establishes and maintains internal control to provide reasonable assurance with regard to:
- Reliability of financial reporting.
- Effectiveness and efficiency of operations.
- Compliance with applicable laws and regulations.
It is management’s responsibility to establish a control environment and maintain policies and procedures to assist in achieving the objective of ensuring, as far as possible, the orderly and efficient conduct of the entity’s business. This responsibility includes establishing and maintaining controls pertaining to the entity’s objective of preparing financial statements for external purposes that give a true and fair view (or are presented fairly in all material respects) in accordance with the applicable financial reporting framework and managing risks that may give rise to a risk of material misstatement of those financial statements.
CAS Guidance
An auditor conducting an audit in accordance with CASs is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the CASs. (CAS 240.5)
As described in CAS 200, the potential effects of inherent limitations are particularly significant in the case of misstatement resulting from fraud. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error. This is because fraud may involve sophisticated and carefully organized schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made to the auditor. Such attempts at concealment may be even more difficult to detect when accompanied by collusion. Collusion may cause the auditor to believe that audit evidence is persuasive when it is, in fact, false. The auditor’s ability to detect a fraud depends on factors such as the skillfulness of the perpetrator, the frequency and extent of manipulation, the degree of collusion involved, the relative size of individual amounts manipulated, and the seniority of those individuals involved. While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is difficult for the auditor to determine whether misstatements in judgment areas such as accounting estimates are caused by fraud or error. (CAS 240.6)
Furthermore, the risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud, because management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information or override controls designed to prevent similar frauds by other employees. (CAS 240.7)
When obtaining reasonable assurance, the auditor is responsible for maintaining professional skepticism throughout the audit, considering the potential for management override of controls and recognizing the fact that audit procedures that are effective for detecting error may not be effective in detecting fraud. The requirements in CAS 240 are designed to assist the auditor in identifying and assessing the risks of material misstatement due to fraud and in designing procedures to detect such misstatement. (CAS 240.8)
The auditor may have additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non-compliance with laws and regulations, including fraud, which may differ from or go beyond this and other CASs, such as (CAS 240.9):
(a) Responding to identified or suspected non-compliance with laws and regulations, including requirements in relation to specific communications with management and those charged with governance, assessing the appropriateness of their response to non-compliance and determining whether further action is needed;
(b) Communicating identified or suspected non-compliance with laws and regulations to other auditors (e.g., in an audit of group financial statements); and
(c) Documentation requirements regarding identified or suspected non-compliance with laws and regulations.
Complying with any additional responsibilities may provide further information that is relevant to the auditor’s work in accordance with this and other CASs (e.g., regarding the integrity of management or, where appropriate, those charged with governance).
Law, regulation or relevant ethical requirements may require the auditor to perform additional procedures and take further actions. For example, the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA Code) requires the auditor to take steps to respond to identified or suspected non-compliance with laws and regulations and determine whether further action is needed. Such steps may include the communication of identified or suspected non-compliance with laws and regulations to other auditors within a group, including a group engagement partner, component auditors or other auditors performing work at components of a group for purposes other than the audit of the group financial statements (CAS 240.A6).
OAG Guidance
Concealment of Fraud
Typically, management and employees engaged in fraud will take steps to conceal the fraud from the auditors and others within and outside the entity. Fraud may be concealed by:
- Withholding evidence.
- Misrepresenting information in response to inquiries.
- Falsifying documentation.
- Collusion among management, employees, or third parties.
- Altering data or computations within a spreadsheet that supports an account balance
- Management override of controls that otherwise may appear to be operating effectively.
For example, management that engages in fraudulent financial reporting might record fictitious journal entries or alter shipping documents. Employees or members of management who misappropriate cash might try to conceal their thefts by forging signatures or electronic approvals on disbursement authorizations. An audit conducted in accordance with CASs rarely involves authentication of such documentation, nor are auditors trained as, or expected to be, experts in such authentication. In addition we may not discover the existence of a modification of documentation through a side agreement that management or a third party has not disclosed.
Fraud also may be concealed through collusion among management, employees, or third parties. For example, through collusion, false evidence that controls have been operating effectively may be presented to us, or consistent misleading explanations may be given to us by more than one individual within the entity to explain an unexpected result of an analytical procedure. As another example, we may receive a false confirmation from a third party that is in collusion with management. Where a risk of collusion with a third party exists, we do not place reliance on accounts receivable and payable confirmations. There may also be some circumstances where we do not rely on other confirmations, e.g., from custodians.
Management can either direct employees or solicit their help in carrying out the fraud. In addition, management personnel at a component of the entity may be in a position to manipulate the accounting records of the component in a manner that causes a material misstatement in the consolidated financial statements of the entity. For these reasons, fraud committed by management can be particularly difficult to detect. When management and those responsible for the oversight of the financial reporting process set the proper tone, promote high ethical standards, and implement and monitor appropriate automated and manual controls to prevent, deter, and detect fraud, the opportunities to commit fraud can be reduced significantly.
CAS Guidance
The public sector auditor’s responsibilities relating to fraud may be a result of law, regulation or other authority applicable to public sector entities or separately covered by the auditor’s mandate. Consequently, the public sector auditor’s responsibilities may not be limited to consideration of risks of material misstatement of the financial statements, but may also include a broader responsibility to consider risks of fraud. (CAS 240.A7)