Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5510 Evaluation of Audit Evidence to Identify Previously Unrecognized Risks of Fraud
Jun-2020
Overview
This topic explains:
- How we evaluate the audit evidence to identify previously unrecognized risks of fraud.
- What we need to consider when we identify misstatements.
- What procedures need to be performed when we are unable to continue the engagement.
- What types of management representations are required.
CAS Requirement
The auditor shall evaluate whether analytical procedures that are performed near the end of the audit when forming an overall conclusion as to whether the financial statements are consistent with the auditor’s understanding of the entity indicate a previously unrecognized risk of material misstatement due to fraud (CAS 240.35).
CAS Guidance
CAS 330 requires the auditor, based on the audit procedures performed and the audit evidence obtained, to evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate. This evaluation is primarily a qualitative matter based on the auditor’s judgment. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. Appendix 3 contains examples of circumstances that may indicate the possibility of fraud (CAS 240.A50).
Determining which particular trends and relationships may indicate a risk of material misstatement due to fraud requires professional judgment. Unusual relationships involving year-end revenue and income are particularly relevant. These might include, for example: uncharacteristically large amounts of income being reported in the last few weeks of the reporting period or unusual transactions; or income that is inconsistent with trends in cash flow from operations (CAS 240.A51).
OAG Guidance
See OAG Audit 5511 for examples of circumstances that indicate the possibility of fraud.
Evaluating audit test results
Our assessment of the risks of material misstatement due to fraud is ongoing throughout the audit. Conditions may be identified during the performance of fieldwork that change or support our judgements regarding our assessment, such as discrepancies in accounting records, conflicting or missing evidential matter, or problematic or unusual relationships between the engagement team and the client.
We consider if responses to inquiries about analytical relationships were inconsistent or vague in comparison with other audit evidence. As part of this evaluation the engagement leader verifies that there has been appropriate communication among engagement team members throughout the audit.
At or near the completion of the audit, evaluate whether the accumulated results of audit procedures and other observations affect the assessment of fraud risk made earlier in the audit, and whether there is a need to perform additional or different audit procedures. This evaluation primarily is a qualitative matter based on our judgment. In addition, update the revenue analytics performed as part of our risk assessment analytical procedures. If financial benchmarking was performed, consider updating the analysis with the latest available information.
We cannot assume that an identified misstatement is an isolated occurrence. Consider whether such misstatements might be indicative of a higher risk of material misstatement due to fraud at a specific location and consider the implications in relation to other aspects of the audit, particularly the reliability of management representations.
See related guidance on risk assessment, OAG Audit 5033 and OAG Audit 5010.
CAS Requirement
If the auditor identifies a misstatement, the auditor shall evaluate whether such a misstatement is indicative of fraud. If there is such an indication, the auditor shall evaluate the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated occurrence (CAS 240.36).
If the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is or may be the result of fraud and that management (in particular, senior management) is involved, the auditor shall re-evaluate the assessment of the risks of material misstatement due to fraud and its resulting impact on the nature, timing and extent of audit procedures to respond to the assessed risks. The auditor shall also consider whether circumstances or conditions indicate possible collusion involving employees, management or third parties when reconsidering the reliability of evidence previously obtained (CAS 240.37).
When the auditor confirms that, or is unable to conclude whether, the financial statements are materially misstated as a result of fraud the auditor shall evaluate the implications for the audit (CAS 240.38).
OAG Policy
When our work indicates that fraud has or may have taken place, the matter shall be reported to the engagement leader immediately. The engagement leader shall consult with the assistant auditors general of the applicable practice, the Internal Specialist for Fraud and Legal Services in accordance with OAG Audit 3081. [Jun-2020]
If we believe the client should consult its legal counsel or other specialists about disclosure obligations and other implications, and the client will not so consult, we shall consult with the Internal Specialist for Fraud or Legal Services about the matter in particular whether disclosures concerning contingent liabilities or other matters shall be included in the financial statements or be referred to in our audit report. [Jun-2020]
If the integrity or honesty of management or those charged with governance is doubted, we shall consult with the assistant auditors general of the applicable practice and the Internal Specialist for Fraud in accordance with OAG Audit 3081 to assist in the determination of the appropriate course of action. [Jun-2020]
CAS Guidance
Since fraud involves incentive or pressure to commit fraud, a perceived opportunity to do so or some rationalization of the act, an instance of fraud is unlikely to be an isolated occurrence. Accordingly, misstatements, such as numerous misstatements at a specific location even though the cumulative effect is not material, may be indicative of a risk of material misstatement due to fraud (CAS 240.A52).
The implications of identified fraud depend on the circumstances. For example, an otherwise insignificant fraud may be significant if it involves senior management. In such circumstances, the reliability of evidence previously obtained may be called into question, since there may be doubts about the completeness and truthfulness of representations made and about the genuineness of accounting records and documentation. There may also be a possibility of collusion involving employees, management or third parties (CAS 240.A53).
CAS 450 and CAS 700 establish requirements and provide guidance on the evaluation and disposition of misstatements and the effect on the auditor’s opinion in the auditor’s report (CAS 240.A54).
OAG Guidance
For more guidance on the use of Internal Specialist for Fraud, see OAG Audit 5513.
At any time direct evidence of fraud or other grounds for suspecting that a fraud has or may have taken place may come to light in any one or more of a variety of ways. These include:
- Concerns raised by a member of the engagement team.
- Concerns raised openly by a member of entity management or staff.
- An anonymous tip-off from someone within or outside the entity.
- Notification to us as well as to the Audit Committee of any fraud detected by management, whether or not material, that involves management or other employees who have a significant role in the entity’s internal controls.
- Indications contained in one or more items of audit evidence examined in the course of the audit.
- Failure to timely respond to our concerns regarding disclosure of control matters.
- Extraneous circumstances or events media comment, law enforcement or regulator action, etc.
When our work indicates that fraud has or may have taken place, the engagement leader may involve an Internal Specialist for Fraud in determining the appropriate course of action to be taken, for example with regard to:
- The most appropriate approach to determine the full facts and extent of the fraud and its impact on the financial statements.
- The communication of the problem and of recommendations for dealing with it to the client.
- Wider legal and regulatory issues.
- Remedial and asset recovery options.
The engagement leader, with the support of Internal Specialist for Fraud, verifies that sufficient additional work is carried out either to ascertain the impact of the fraud on the financial statements, or to gain reasonable assurance that there is no material impact.
Actual and potential magnitude, nature, extent of concealment, and management of staff involved are all factors to consider when determining the action necessary in a particular instance.
Where the entity agrees to extend the scope of our work to include an investigation of an expected or known fraud (rather than performing such investigation themselves or engaging another firm to do so), such investigation is carried out by or under the direction of fraud experts, and is agreed upon with the Audit Committee. This may include, amongst other activities, some or all of the following:
- Securing evidence and gathering information, including the use of computer fraud techniques, where appropriate.
- Interviewing relevant entity staff and, possibly, third parties.
- Document and data analysis using a variety of fraud techniques.
- Evidence collation and management.
- Advising on potential courses of action.
- Reporting on findings in a form appropriate to the facts of the case and the addressee of the report (management, regulators, police, etc.).
- Liaison throughout with the entity’s legal advisers.
- Liaison with regulators and/or law enforcement authorities.
- Where applicable, Internal Specialist for Fraud may also provide assistance in identifying and implementing appropriate remedial steps both to recover misappropriated assets and to mitigate the risks of future recurrences.
Unless circumstances clearly dictate otherwise, a fraud investigation is carried out under a separate letter of engagement in order to distinguish the scope and objectives of the investigation from those of the audit and to enable appropriate limitations of liability to be put in place.
In situations when adequate information about a suspected act of fraud cannot be obtained, consider the effect of the lack of evidence on our audit report. If we conclude that the effect of the suspected act of fraud on the financial statements might be material, consider expressing a qualified or adverse opinion. If we are precluded by the entity from obtaining sufficient appropriate audit evidence to evaluate whether fraud that may be material to the financial statements has occurred, consider qualifying our opinion on the basis of a scope limitation, or deny any opinion on the financial statements.
Also consider whether the circumstances surrounding the fraudulent act affect our ability to rely on management’s representations or suggest that we not continue our association with the entity. In reaching decisions on these matters, evaluate carefully whether top management (including the Board of Directors or its Audit Committee) gives appropriate consideration to the act after it has been brought to their attention.
CAS Requirement
If, as a result of a misstatement resulting from fraud or suspected fraud, the auditor encounters exceptional circumstances that bring into question the auditor’s ability to continue performing the audit, the auditor shall (CAS 240.39):
a) Determine the professional and legal responsibilities applicable in the circumstances, including whether there is a requirement for the auditor to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities
b) Consider whether it is appropriate to withdraw from the engagement, where withdrawal is possible under applicable law or regulation
c) If the auditor withdraws:
i) Discuss with the appropriate level of management and those charged with governance the auditor’s withdrawal from the engagement and the reasons for the withdrawal
ii) Determine whether there is a professional or legal requirement to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities, the auditor’s withdrawal from the engagement and the reasons for the withdrawal
CAS Guidance
Auditor Unable to Continue the Engagement
Examples of exceptional circumstances that may arise and that may bring into question the auditor’s ability to continue performing the audit include (CAS 240.A55):
- The entity does not take the appropriate action regarding fraud that the auditor considers necessary in the circumstances, even where the fraud is not material to the financial statements;
- The auditor’s consideration of the risks of material misstatement due to fraud and the results of audit tests indicate a significant risk of material and pervasive fraud; or
- The auditor has significant concern about the competence or integrity of management or those charged with governance.
Because of the variety of the circumstances that may arise, it is not possible to describe definitively when withdrawal from an engagement is appropriate. Factors that affect the auditor’s conclusion include the implications of the involvement of a member of management or of those charged with governance (which may affect the reliability of management representations) and the effects on the auditor of a continuing association with the entity (CAS 240.A56).
The auditor has professional and legal responsibilities in such circumstances and these responsibilities may vary by country. In some countries, for example, the auditor may be entitled to, or required to, make a statement or report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities. Given the exceptional nature of the circumstances and the need to consider the legal requirements, the auditor may consider it appropriate to seek legal advice when deciding whether to withdraw from an engagement and in determining an appropriate course of action, including the possibility of reporting to shareholders, regulators or others (CAS 240.CA57).
OAG Guidance
For related guidance on cessation of engagements refer to OAG Audit 3011.
CAS Requirement
The auditor shall obtain written representations from management and, where appropriate, those charged with governance that (CAS 240.40):
a) They acknowledge their responsibility for the design, implementation and maintenance of internal control to prevent and detect fraud
b) They have disclosed to the auditor the results of management’s assessment of the risk that the financial statements may be materially misstated as a result of fraud
c) They have disclosed to the auditor their knowledge of fraud or suspected fraud affecting the entity involving:
i) Management
ii) Employees who have significant roles in internal control
iii) Others where the fraud could have a material effect on the financial statements
d) They have disclosed to the auditor their knowledge of any allegations of fraud, or suspected fraud, affecting the entity’s financial statements communicated by employees, former employees, analysts, regulators or others
CAS Guidance
CAS 580 establishes requirements and provides guidance on obtaining appropriate representations from management and, where appropriate, those charged with governance in the audit. In addition to acknowledging that they have fulfilled their responsibility for the preparation of the financial statements, it is important that, irrespective of the size of the entity, management and, where appropriate, those charged with governance acknowledge their responsibility for internal control designed, implemented and maintained to prevent and detect fraud (CAS 240.A59).
Because of the nature of fraud and the difficulties encountered by auditors in detecting material misstatements in the financial statements resulting from fraud, it is important that the auditor obtain a written representation from management and, where appropriate, those charged with governance confirming that they have disclosed to the auditor (CAS 240.A60):
a) The results of management’s assessment of the risk that the financial statements may be materially misstated as a result of fraud.
b) Their knowledge of actual, suspected or alleged fraud affecting the entity.
In some jurisdictions, law or regulation may restrict the auditor’s communication of certain matters with management and those charged with governance. Law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act, including alerting the entity, for example, when the auditor is required to report the fraud to an appropriate authority pursuant to anti‑money laundering legislation. In these circumstances, the issues considered by the auditor may be complex and the auditor may consider it appropriate to obtain legal advice (CAS 240.A61).
OAG Guidance
See OAG Audit 9050 for related guidance on written representations.
We may want to consider written representation from the Audit Committee if any of the investigations that are under their oversight pertain to either senior management or others having a significant role in the internal controls over financial reporting.
CAS Guidance
In many cases in the public sector, the option of withdrawing from the engagement may not be available to the auditor due to the nature of the mandate or public interest considerations (CAS 240.A58).