In a recent webcast presented by Mario Fazekas, a renowned certified fraud examiner, it was noted that the fraud pandemic is only going to get worse with the Covid-19 pandemic. The webcast provided an overview of the auditor’s responsibilities relating to fraud using International Standard on Auditing 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA 240), as the basis.
When we trace the history of auditing, we find that in the early 1900s, fraud detection was one of the primary objectives of the audit. However, this objective became too onerous and from the 1920s, auditors no longer assumed the responsibility to detect fraud. Since then, audit has never reinstated the primary objective of detecting fraud. This may well be a root cause of the expectation gap that has arisen over the years with respect to the auditor’s responsibility to detect fraud. Between 1960 and 1980, audits were performed in accordance with Generally Accepted Auditing Standards (GAAS) where the focus shifted to the risks of material misstatement and the responses thereto, and these requirements remain to this day.
For the auditor to truly add value to the client and enhance the chances of the auditor identifying fraud, the auditor needs to understand the characteristics of fraud and perform the audit with an appropriately sceptical mind-set.
ISA 240 states that misstatements in the financial statements can arise from either fraud or error, with the distinguishing factor being intent. Experience has shown that fraud is often overlooked. Auditors may identify an anomaly, for example an error or disparity between different sources of information that may be indicative of fraud, but do not apply the appropriate level of professional scepticism to the facts presented and fail to take the identified anomaly further in looking for evidence of intent. Such evidence may include alterations of documents, concealment or destruction of evidence, obstruction of justice, a pattern of conduct in terms of repetition of certain behaviour, personal gain as evidenced by lifestyle, and false statements.
The standard indicates an auditor conducting an audit in accordance with the ISAs is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. This requirement focuses the auditor’s attention on fraud that causes a material misstatement in the financial statements. The response of some auditors to anomalies is that the amounts are not material and are therefore not investigated further. This may well be an area where auditors are going wrong. Owing to the nature of fraud, auditors should be cognisant of qualitative materiality when identifying fraud risk factors and when assessing identified anomalies, rather than purely focusing on quantitative materiality.
The identification of an anomaly in the audit environment can be equated to a visit to the doctor where the doctor identifies an anomaly. Like the auditor, the doctor has certain choices, namely to ignore the identified anomaly or to investigate it further. The doctor may find a minuscule spot of cancer and therefore not to report this to the patient because he or she does not want to cause unnecessary concern, or report the finding to the patient to provide them with the opportunity to take the necessary responsive action.
Fraud is like a cancer and if left, the problem does not go away but rather grows. Experience has shown that perpetrators of fraud start out committing small acts of fraud to test the system, then expand on these fraudulent activities once they realise it has gone undetected and such acts often result in significant financial loss to the entity. To prevent significant financial loss, it is imperative for the anomaly to be nipped in the bud at the early stages of the fraud − in the same way that a doctor would want the cancer to be eliminated before it spreads.
Auditors are therefore encouraged to report all identified errors or fraud risk factors to management regardless of how small they may be, in order to empower management to perform the necessary investigations and take any necessary corrective and/or preventive action.
The Association of Certified Fraud Examiners have identified five main categories of financial statement fraud schemes in their Fraud Tree:
The application and other explanatory material of ISA 240 contains an extensive list of risk factors relating to misstatements arising from fraudulent financial reporting that are related to the categories of incentives/pressure, opportunity and attitude/rationalisation that auditors should be alert to when performing an audit.
Sam Antar, former Crazy Eddie CFO, former CPA and convicted felon, said that "As a criminal, I feared two things, scepticism and cynicism."
A sceptical mind-set has the following characteristics:
Auditor scepticism starts with a person’s competence, including knowledge and skills. From this comes attitude or mind-set. Auditors must assume neither honesty nor dishonesty of their clients and be neutral in recognising the possibility of material misstatement due to fraud. Based on the competence of the auditor and the auditor’s professional scepticism, the auditor will decide how to act. Experience shows that most auditors have the necessary attributes, in that they have received the necessary training and therefore know what they should do. The attitude or mind-set is where auditors are going wrong in that auditors are overly concerned with their clients’ reactions to the auditors’ actions.
Antar also said: "Don’t trust, just verify, verify, verify. The inclination to trust and the presumption of innocence gives the fraudsters the initial benefit of any doubt while they are free to plan and execute their crimes."
Professional scepticism and cynicism are key for auditors to positively contribute to detecting and therefore combating fraud. To succeed in adding value in identifying fraud, auditors must have a questioning mind and keep on asking questions until they are satisfied that they have the answers.
