5512 Fraud Communications
Dec-2023

Communications with management

CAS Requirement

If the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor shall communicate these matters, unless prohibited by law or regulation, on a timely basis with the appropriate level of management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities (CAS 240.41).

CAS Guidance

In some jurisdictions, laws and regulations may restrict the auditor's communication of certain matters with management and those charged with governance. Law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act, including alerting the entity, for example, when the auditor is required to report the fraud to an appropriate authority pursuant to anti-money laundering legislation. In these circumstances, the issues considered by the auditor may be complex and the auditor may consider it appropriate to obtain legal advice (CAS 240.A61).

When the auditor has obtained evidence that fraud exists or may exist, it is important that the matter be brought to the attention of the appropriate level of management as soon as practicable. This is so even if the matter might be considered inconsequential (for example, a minor defalcation by an employee at a low level in the entity’s organization). The determination of which level of management is the appropriate one is a matter of professional judgment and is affected by such factors as the likelihood of collusion and the nature and magnitude of the suspected fraud. Ordinarily, the appropriate level of management is at least one level above the persons who appear to be involved with the suspected fraud. (CAS 240.A62)

Communications to those charged with governance

CAS Requirement

Unless all of those charged with governance are involved in managing the entity, if the auditor has identified or suspects fraud involving (CAS 240.42):

a) management;

b) employees who have significant roles in internal control; or

c) others where the fraud results in a material misstatement in the financial statements,

the auditor shall communicate these matters with those charged with governance on a timely basis. If the auditor suspects fraud involving management, the auditor shall communicate these suspicions with those charged with governance and discuss with them the nature, timing and extent of audit procedures necessary to complete the audit. Such communications with those charged with governance are required unless the communication is prohibited by law or regulation.

The auditor shall communicate, unless prohibited by law or regulation, with those charged with governance any other matters related to fraud that are, in the auditor’s judgment, relevant to their responsibilities. (CAS 240.43)

CAS Guidance

In some jurisdictions, laws and regulations may restrict the auditor's communication of certain matters with management and those charged with governance. Law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act, including alerting the entity, for example, when the auditor is required to report the fraud to an appropriate authority pursuant to anti-money laundering legislation. In these circumstances, the issues considered by the auditor may be complex and the auditor may consider it appropriate to obtain legal advice (CAS 240.A61).

The auditor’s communication with those charged with governance may be made orally or in writing. CAS 260 identifies factors the auditor considers in determining whether to communicate orally or in writing. Due to the nature and sensitivity of fraud involving senior management, or fraud that results in a material misstatement in the financial statements, the auditor reports such matters on a timely basis and may consider it necessary to also report such matters in writing. (CAS 240.A63)

In some cases, the auditor may consider it appropriate to communicate with those charged with governance when the auditor becomes aware of fraud involving employees other than management that does not result in a material misstatement. Similarly, those charged with governance may wish to be informed of such circumstances. The communication process is assisted if the auditor and those charged with governance agree at an early stage in the audit about the nature and extent of the auditor’s communications in this regard. (CAS 240.A64)

In the exceptional circumstances where the auditor has doubts about the integrity or honesty of management or those charged with governance, the auditor may consider it appropriate to obtain legal advice to assist in determining the appropriate course of action. (CAS 240.A65)

Other matters related to fraud to be discussed with those charged with governance of the entity may include, for example (CAS 240.A66):

  • Concerns about the nature, extent and frequency of management’s assessments of the controls in place to prevent and detect fraud and of the risk that the financial statements may be misstated.

  • A failure by management to appropriately address identified significant deficiencies in internal control, or to appropriately respond to an identified fraud.

  • The auditor’s evaluation of the entity’s control environment, including questions regarding the competence and integrity of management.

  • Actions by management that may be indicative of fraudulent financial reporting, such as management’s selection and application of accounting policies that may be indicative of management’s effort to manage earnings in order to deceive financial statement users by influencing their perceptions as to the entity’s performance and profitability.

  • Concerns about the adequacy and completeness of the authorization of transactions that appear to be outside the normal course of business.

OAG Guidance

See related guidance on communications at OAG Audit 2213.

Engage in a dialogue with the Audit Committee to obtain their views on fraud and to further our understanding of the risks of material misstatement. This dialogue occurs initially at the planning phase of the audit in the procedure “Understand entity and environment” within the program “Understand the Entity and Environment” but further discussions may be necessary depending on our audit findings.

The discussion ordinarily includes the following:

  • An overview of

    • the responsibilities of management, the Audit Committee/Board of Directors and us as independent auditors.
    • the general procedures we perform to address the risks of material misstatement due to fraud.
  • The inquiries of the Audit Committee / Board of Directors to obtain their views on fraud and their understanding and assessment of management’s fraud risk assessment specifically including assessment of override of controls by management and the Audit Committee’s / Board of Directors’ response to that risk.

  • Details of established company protocol for management to report any fraud situation or fraud issue detected to the Audit Committee/Board of Directors and independent auditors.

  • Details of whistleblower activity that has been discussed with entity counsel, our understanding of the status of investigations arising from such activity and our understanding of Audit Committee / Board of Directors’ involvement with any investigations.

  • Identified risks, including those that have continuing control implications (whether or not transactions or adjustments that could be the result of fraud have been detected) and which represent significant deficiencies in the entity’s internal control.

  • Details of the absence of, or weaknesses in, antifraud programs and controls to mitigate specific risks of fraud or to otherwise help prevent and detect fraud.

  • Details of any knowledge of the Audit Committee / Board of Directors with regard to any fraud involving senior management.

  • An explanation that we will incorporate an element of unpredictability into our audit procedures to counter the risk that attempts are made to conceal fraud in areas we would not normally examine.

  • On a group audit, details of our specific fraud-related procedures at the entity’s locations.

  • Communications regarding instances of actual or potential fraud noted on the audit.

  • Communications regarding our requirement to perform unpredictable procedures without telling the entity how this will be done.

In addition, reach an understanding with the Audit Committee regarding the expected nature and extent of communications about misappropriations perpetrated by lower-level employees that might be considered inconsequential. As with all Audit Committee communications, if the communication is oral, document it in the audit file.

Reporting fraud to an appropriate authority outside the entity

CAS Requirement

The engagement partner shall review, prior to their issuance, formal written communications to management, those charged with governance or regulatory authorities (CAS 220.34).

If the auditor has identified or suspects a fraud, the auditor shall determine whether law, regulation or relevant ethical requirements (CAS 240.44):

(a) Require the auditor to report to an appropriate authority outside the entity.

(b) Establish responsibilities under which reporting to an appropriate authority outside the entity may be appropriate in the circumstances.

OAG Policy

Before discussing matters relating to possible fraud with parties outside the entity, the engagement leader shall consult Legal Services in accordance with the guidance described at OAG Audit 3081, as potential conflicts with our ethical and legal obligations for confidentiality may be complex. [Oct-2012]

CAS Guidance

CAS 250 provides further guidance with respect to the auditor's determination of whether reporting identified or suspected non-compliance with laws or regulations to an appropriate authority outside the entity is required or appropriate in the circumstances, including consideration of the auditor's duty of confidentiality (CAS 240.A67).

The determination required by paragraph 44 may involve complex considerations and professional judgments. Accordingly, the auditor may consider consulting internally (e.g., within the firm or a network firm) or on a confidential basis with a regulator or professional body (unless doing so is prohibited by law or regulation or would break the duty of confidentiality). The auditor may also consider obtaining legal advice to understand the auditor's options and the professional or legal implications of taking any particular course of action (CAS 240.A68).

OAG Guidance

The disclosure of possible fraud to parties other than the entity’s senior management and its Audit Committee ordinarily is not part of our responsibility and ordinarily would be precluded by our ethical or legal obligations of confidentiality unless the matter is reflected in the audit report. However, in the following circumstances a duty to disclose to parties outside the entity might exist:

  • To comply with certain legal and regulatory requirements.

  • To a successor auditor when the successor auditor makes inquiries (assuming that we obtain the appropriate consent from the entity).

  • In response to a subpoena or other order of production.

  • To a funding agency or other specified agency in accordance with requirements for the audits of entities that receive government financial assistance.

Consistent with the requirement of CAS 220.34, where we make formal written communications to parties outside the entity (e.g., a regulatory authority), evidence of the engagement leader's review of the formal written communications is included in the audit documentation.

Documentation considerations

CAS Requirement

The auditor shall include in the audit documentation communications about fraud made to management, those charged with governance, regulators and others (CAS 240.47).

Guidance specific to Legislative Auditors

CAS Guidance

In the public sector, requirements for reporting fraud, whether or not discovered through the audit process, may be subject to specific provisions of the audit mandate or related law, regulation or other authority (CAS 240.A69).