Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5506 Responses to the Risks of Material Misstatements Due to Fraud
Jun-2020
In This Section
Overall responses to fraud risks
Assignment and supervision of personnel
Incorporating an element of unpredictability in the nature, timing and extent of audit procedures
Overview
This topic explains:
- What we need to do to determine our overall responses to identified fraud risks.
- How we assign and supervise our personnel.
- Why we need to introduce a level of unpredictability in the selection of audit procedures.
- What types of audit procedures are required to address fraud risks at the assertion level.
CAS Requirement
In accordance with CAS 330, the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level (CAS 240.29).
In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor shall (CAS 240.30):
a) Assign and supervise personnel taking account of the knowledge, skill and ability of the individuals to be given significant engagement responsibilities and the auditor’s assessment of the risks of material misstatement due to fraud for the engagement;
b) Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings; and
c) Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.
The auditor shall include the following in the audit documentation of the auditor’s responses to the assessed risks of material misstatement required by CAS 330 (CAS 240.46):
a) The overall responses to the assessed risks of material misstatement due to fraud at the financial statement level and the nature, timing and extent of audit procedures, and the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level
b) The results of the audit procedures, including those designed to address the risk of management override of controls
CAS Guidance
Determining overall responses to address the assessed risks of material misstatement due to fraud generally includes the consideration of how the overall conduct of the audit can reflect increased professional skepticism, for example, through (CAS 240.A34):
- Increased sensitivity in the selection of the nature and extent of documentation to be examined in support of material transactions.
- Increased recognition of the need to corroborate management explanations or representations concerning material matters.
CAS Guidance
The auditor may respond to identified risks of material misstatement due to fraud by, for example, assigning additional individuals with specialized skill and knowledge, such as forensic and IT experts, or by assigning more experienced individuals to the engagement (CAS 240.A35).
The extent of supervision reflects the auditor’s assessment of risks of material misstatement due to fraud and the competencies of the engagement team members performing the work (CAS 240.A36).
CAS Guidance
Incorporating an element of unpredictability in the selection of the nature, timing and extent of audit procedures to be performed is important as individuals within the entity who are familiar with the audit procedures normally performed on engagements may be more able to conceal fraudulent financial reporting. This can be achieved by, for example (CAS 240.A37):
- Performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
- Adjusting the timing of audit procedures from that otherwise expected.
- Using different sampling methods.
- Performing audit procedures at different locations or at locations on an unannounced basis.
OAG Guidance
As noted in CAS 240.30 we need to incorporate an element of unpredictability in the nature, timing and extent of audit procedures in order to respond to an assessed risk of material misstatement due to fraud at the financial statement level. The risks of fraud at the financial statement level ordinarily represent pervasive risks that are difficult to relate to specific assertions, such as the lack of segregation of duties, management override of controls and significant manual intervention, all of which could introduce incentives and pressures that could lead to aggressive earnings management, bias in judgments and disclosures or other manipulation of financial reporting. Unpredictable procedures are important, because management may be familiar with the audit procedures normally performed and may be more able to conceal fraud in the areas which they think would not be tested by us. Thus, we would normally incorporate an element of unpredictability in the selection of the nature, extent and timing of auditing procedures on all engagements, unless we have not identified any indicators of financial statement level risks of fraud or error (other than those related to the risk of management override or fraud risk in revenue recognition). In practice this would be rare and may include, for example, audits of dormant entities where limited or no transactions have been performed during the period and no financial statement level risks have been identified.
The level of unpredictability required is a matter of judgment and we need to consider the best way to incorporate unpredictability taking into account our assessment of risks of fraud, and discuss this during the planning team meeting(s). For example, changing the testing selection method (e.g., changing the targeted testing threshold or performing audit sampling instead of targeted testing) as compared to the previous year or as compared to the initial plan communicated to the entity during the planning phase would all represent an element of unpredictability and may be an effective and efficient way to incorporate an element of unpredictability to address the risk of fraud at the financial statement level.
In the case of initial audit engagements, we also need to incorporate an element of unpredictability. For example, we may perform procedures on selected account balances below materiality, attend inventory counts performed at insignificant locations or include insignificant locations in scope of the group audit work. Consider any fraud risk factors identified during planning as part of incorporating an element of unpredictability. If we review the predecessor auditor’s workpapers and are able to determine the nature, timing and extent of audit procedures performed in the prior audit, we can also introduce unpredictability by performing procedures that differ from those performed in the prior year.
In the case of an identified fraud risk at the assertion level, introducing an element of unpredictability into the nature, timing and extent of audit procedures may again be a valid response for engagement teams to consider when they are determining the nature, timing and extent of audit procedures to perform to address this assertion level risk taking into account the specific guidance in CAS 240.A38.
Consider performing unpredictable procedures by incorporating an element of unpredictability in the nature, timing and extent of audit procedures in order to respond to an assessed risk of material misstatement due to fraud at the financial statement level, and/or the assertion level if a specific fraud risk at the assertion level has been identified. Following are some examples of potential unpredictable procedures:
Topic | Content |
---|---|
Inventory | |
Revenue/Accounts Receivable | |
Purchases/Accounts Payable | |
Cash | |
Property, Plant and Equipment | |
Group Audit | |
This outline serves only as an illustration to provide some examples of unpredictable procedures which will be applicable only in certain circumstances. It does not encompass all potential procedures that may be considered applicable as a result of obtaining a thorough understanding of the entity’s business and processes, nor is it intended to be an exhaustive list of all unpredictable procedures. We use professional judgment in determining the necessary unpredictable procedures to address the risk of fraud.
CAS Requirement
In accordance with CAS 330, the auditor shall design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement due to fraud at the assertion level (CAS 240.31).
CAS Guidance
The auditor’s responses to address the assessed risks of material misstatement due to fraud at the assertion level may include changing the nature, timing, and extent of audit procedures in the following ways (CAS 240.A38):
- The nature of audit procedures to be performed may need to be changed to obtain audit evidence that is more reliable and relevant or to obtain additional corroborative information. This may affect both the type of audit procedures to be performed and their combination. For example:
  - Physical observation or inspection of certain assets may become more important or the auditor may choose to use computer-assisted audit techniques to gather more evidence about data contained in significant accounts or electronic transaction files.
  - The auditor may design procedures to obtain additional corroborative information. For example, if the auditor identifies that management is under pressure to meet earnings expectations, there may be a related risk that management is inflating sales by entering into sales agreements that include terms that preclude revenue recognition or by invoicing sales before delivery. In these circumstances, the auditor may, for example, design external confirmations not only to confirm outstanding amounts, but also to confirm the details of the sales agreements, including date, any rights of return and delivery terms. In addition, the auditor might find it effective to supplement such external confirmations with inquiries of non-financial personnel in the entity regarding any changes in sales agreements and delivery terms.
- The timing of substantive procedures may need to be modified. The auditor may conclude that performing substantive testing at or near the period end better addresses an assessed risk of material misstatement due to fraud. The auditor may conclude that, given the assessed risks of intentional misstatement or manipulation, audit procedures to extend audit conclusions from an interim date to the period end would not be effective. In contrast, because an intentional misstatement—for example, a misstatement involving improper revenue recognition—may have been initiated in an interim period, the auditor may elect to apply substantive procedures to transactions occurring earlier in or throughout the reporting period.
- The extent of the procedures applied reflects the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate. Also, computer-assisted audit techniques may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.
- If the auditor identifies a risk of material misstatement due to fraud that affects inventory quantities, examining the entity’s inventory records may help to identify locations or items that require specific attention during or after the physical inventory count. Such a review may lead to a decision to observe inventory counts at certain locations on an unannounced basis or to conduct inventory counts at all locations on the same date (CAS 240.A39).
The auditor may identify a risk of material misstatement due to fraud affecting a number of accounts and assertions. These may include asset valuation, estimates relating to specific transactions (such as acquisitions, restructurings, or disposals of a segment of the business), and other significant accrued liabilities (such as pension and other post-employment benefit obligations, or environmental remediation liabilities). The risk may also relate to significant changes in assumptions relating to recurring estimates. Information gathered through obtaining an understanding of the entity and its environment may assist the auditor in evaluating the reasonableness of such management estimates and underlying judgments and assumptions. A retrospective review of similar management judgments and assumptions applied in prior periods may also provide insight about the reasonableness of judgments and assumptions supporting management estimates (CAS 240.A40).
Examples of possible audit procedures to address the assessed risks of material misstatement due to fraud, including those that illustrate the incorporation of an element of unpredictability, are presented in Appendix 2. The appendix includes examples of responses to the auditor’s assessment of the risks of material misstatement resulting from both fraudulent financial reporting, including fraudulent financial reporting resulting from revenue recognition, and misappropriation of assets (CAS 240.A41).
OAG Guidance
See OAG Audit 5507 for examples of possible audit responses to identified fraud risks, which incorporates the material from Appendix 2 of CAS 240.
Actions to be taken when we cannot modify our procedures
We may conclude that it appears not to be practicable to sufficiently modify the procedures that are planned for the audit to address the risks. Consider withdrawal from the engagement with communication to the appropriate parties and after consultation as directed in OAG Audit 3011 Acceptance and continuance.