Performing a risk assessment with a fraud lens
What’s new?
There are proposed changes to the following areas of the audit, with new requirements and considerations from a fraud perspective:
- Professional skepticism – This is enhanced throughout the standard, with a new requirement to remain alert throughout the audit for information that is indicative of fraud or suspected fraud.
- Engagement resources – There is an emphasis on determining that the engagement team collectively has sufficient time and appropriate specialized skills and knowledge (e.g., forensic, information technology).
- Engagement team discussions – These discussions include specific fraud-related topics, with additional considerations for the timing of discussions and the attendees.
- Understanding the entity and its environment – There is a focus on aspects of your understanding of the entity and its environment, and the applicable financial reporting framework, that may lead to an increased susceptibility to misstatement due to management bias or other fraud risk factors (e.g., performance measures used, whether internal or external, that may create incentives or pressures to achieve financial performance targets).
- Understanding the components of the entity’s system of internal controls – A combination of new and enhanced requirements focuses on your understanding of the components of the entity’s system of internal controls, including a requirement to determine whether there are deficiencies in identified internal controls that are relevant to the prevention and detection of fraud.
- Presumption of risk of material misstatement due to fraud in revenue – Instead of focusing on developing and documenting a rebuttal to the presumed risk of fraud in revenue recognition, the proposals emphasize the importance of performing a robust risk identification and assessment by linking identified fraud risk factors. This will help you determine which types of revenue, revenue transactions, and assertions could give rise to risks of material misstatement due to fraud in revenue recognition.
- The Application Material clarifies that the significance of fraud risk factors related to revenue recognition, individually or in combination, ordinarily makes it inappropriate to rebut the presumption of the risks of material misstatement due to fraud in revenue recognition.
Documentation
The expanded documentation requirements include:
- the key elements of your understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control; and
- the identified and assessed risks of material misstatement due to fraud for both the financial statement and assertion level as currently required by extant CAS 240, as well as the rationale for the significant judgments made.
Relevant sections
The Exposure Draft of proposed revised Canadian Auditing Standard (CAS) 240 includes paragraphs:
- 21, A29-A32;
- 22, A33-36;
- 26-39, A44-A103;
- 41, A109-A112; and
- 70(b) and 70(c).
Responding to assessed risks of material misstatement due to fraud
What’s new?
The proposals include stronger requirements and new application material to respond to assessed risks of material misstatement due to fraud.
Key enhancements include:
- Designing and performing audit procedures in a manner that is not biased – Similar to recent changes in other auditing standards, there is a new requirement to remind you to design and perform responses to the assessed risks of material misstatement due to fraud that are not biased toward corroborating management’s assertions or excluding contradictory audit evidence.
- Incorporating unpredictability in the selection of audit procedures – This broadens the requirement to respond to the assessed risks of material misstatement due to fraud at the assertion level instead of focusing on the overall response to risk at the financial statement level. Appendix 2 of the Exposure Draft is a source for possible audit procedures to choose from when incorporating an element of unpredictability.
- Journal entry testing – There is a new requirement to obtain audit evidence about the completeness of the population of all journal entries and other adjustments made in the preparation of the financial statements throughout the period. This requirement was added because:
  - risks related to management override of controls are significant risks (irrespective of the auditor’s assessment of the risks of management override of controls), and
  - journal entries and other adjustments are generated internally from the entity’s information system, emphasizing the need to test the attribute of completeness.
- Appendix 4 of the Exposure Draft includes additional considerations that may be useful when selecting journal entries and other adjustments to test.
Documentation
There is a new requirement to document the results of audit procedures performed to address the risk of management override of controls, the significant professional judgments made, and the conclusions reached.
Relevant sections
The Exposure Draft of proposed revised CAS 240 includes paragraphs:
- 43;
- 44, A114-A115;
- 50(b), A128-A129, A135; and
- 70(e).
Responding to identified fraud or suspected fraud
What’s new?
The proposals introduce a separate section for audit procedures when fraud is identified or suspected.
Suspected fraud is described as allegations of fraud that come to your attention during the course of the audit (e.g., as a result of inquiries performed or a whistleblower tip).
The new “ramp-up procedures” in paragraphs 55-59 apply to all instances of fraud or suspected fraud, irrespective of materiality, that you identify. Although obtaining an understanding of fraud or suspected fraud was implied in extant CAS 240, the requirement is now explicit with the following:
- First, obtain an understanding of the matter by:
  - asking management and those charged with governance (if appropriate in the circumstances) about the fraud or suspected fraud;
  - evaluating if the process to investigate the matter is appropriate (if applicable);
  - evaluating whether remediation measures are appropriate (if applicable); and
  - considering whether there are control deficiencies.
- Next, the engagement partner decides whether more risk assessment procedures are necessary, whether more procedures to respond to risk are needed, or whether there are additional responsibilities under law, regulation, or relevant ethical requirements.
- Finally, if a misstatement due to fraud is identified, review the proposals, as they explain your responsibilities.
The rest of the fraud or suspected fraud requirements (paragraphs 57-58 and 66-69) were not significantly revised from the corresponding requirements in extant ISA 240.
The auditor’s report has also been updated to reflect communications with those charged with governance about any identified fraud or suspected fraud.
See the proposed auditor’s report here.
Documentation
The new requirement includes documenting identified fraud or suspected fraud, the results of audit procedures performed, the significant professional judgments made, and the conclusions reached. Where fraud or suspected fraud is identified, there are enhanced communication and reporting requirements.
Relevant sections
The Exposure Draft of proposed revised CAS 240 includes paragraphs:
- 55-59, A7-A10, A144-157;
- 66-69, A182-192; and
- 70(f) and 70(g).
Ongoing communications with management and those charged with governance
What’s new?
There is a new explicit requirement for robust two-way communication between management or those charged with governance and the auditor at appropriate times throughout the audit about fraud-related matters, including:
- Risk assessment –
  - asking management about its communications with those charged with governance regarding their processes for identifying and responding to the risks of fraud in the entity; and
  - asking those charged with governance about their:
    - views about whether the financial statements may be materially misstated due to fraud, and
    - awareness of deficiencies in the system of internal control related to the prevention and detection of fraud and any remediation efforts to address those deficiencies.
- Identification of fraud or suspected fraud – If the auditor identifies fraud or suspects fraud, they learn more about the matter from a level of management that is at least one level above those involved and, when appropriate, those charged with governance.
- Reporting – The auditor’s report reflects the additional communications with those charged with governance about identified fraud or suspected fraud and other matters related to fraud that are, in the auditor’s judgment, relevant to the responsibilities of those charged with governance.
See the proposed auditor’s report here.
Relevant sections
The Exposure Draft of proposed revised CAS 240 includes paragraphs:
- 25, A39-A43;
- 34(c) and 34(d) (ii) and (iii), A75-A78;
- 55(a); and
- 66-67.
Improving transparency in the auditor’s report
What’s new?
Auditor’s reports of listed entities will be more transparent because the auditor will be required to include key audit matters (KAMs) relating to fraud. KAMs are those matters that, in the auditor’s professional judgment, are most significant in the audit of the financial statements of the current period. KAMs are selected from matters communicated with those charged with governance. KAMs related to fraud may include, for example:
- identified and assessed risks of material misstatement due to fraud;
- identification of fraud or suspected fraud; and
- identification of significant deficiencies in internal control that are relevant to the prevention and detection of fraud.
In the audit of a complete set of general-purpose financial statements for a listed entity, it may be rare that the auditor would not determine at least one KAM related to fraud. However, in certain limited circumstances, the auditor may determine that there are no KAMs related to fraud.
One of the objectives of the Auditing and Assurance Standards Board’s (AASB) ED-CAS 240 outreach is to obtain feedback on the understandability and usefulness of KAMs related to fraud. Tell us what you think of the changes in the auditor’s report!
See the proposed auditor’s report here.
To determine KAMs, you will need to explicitly consider fraud-related matters. Financial statement users have expressed their interest in fraud-related matters and have requested additional transparency about those communications. The proposed changes to CAS 240 build on what is already required by CAS 701, Communicating Key Audit Matters in the Independent Auditor’s Report. The auditor uses the same filter to identify KAMs related to fraud:
Matters that, in the auditor’s professional judgment, are most significant in the audit of the financial statements of the current period.
Relevant sections
The Exposure Draft of proposed revised CAS 240 includes paragraphs:
Incorporating scalability in the Exposure Draft
What’s new?
Given that fraud-related matters are relevant to audits of entities, regardless of size or complexity, the IAASB addresses scalability and proportionality in the following ways:
- Principles-based requirements – This allows the requirements to be applied in a wide range of circumstances.
- Conditional requirements – These requirements are only applied when a certain condition is met. The following are examples:
  - professional skepticism in paragraph 20;
  - inquiries of management and inconsistent responses in paragraph 30;
  - accounting estimates in paragraph 52(b);
  - fraud or suspected fraud in paragraphs 55-59;
  - the auditor being unable to continue the audit engagement in paragraph 60;
  - communications with management and those charged with governance in paragraphs 66-67;
  - reporting to an appropriate authority outside the entity in paragraph 69; and
  - documentation in paragraph 70(d).
- Differential requirements – For example, communication of key audit matters is only applicable to listed entities.
- Nature and circumstances of the audit engagement – The nature, timing, and extent of fraud-related audit procedures may vary based on the nature and circumstances of the entity (e.g., the extent of understanding of identified fraud or suspected fraud required in paragraph 55 may change based on the facts and circumstances).
- Scalability considerations specific to smaller or less complex entities – New or retained application material demonstrates how requirements can be scaled for audits of smaller or less complex entities.
One of the objectives of the AASB’s ED-CAS 240 outreach is to obtain feedback on scalability and proportionality considerations for smaller or less complex entities in the areas of:
- identification and response to fraud risk;
- incorporation of an element of unpredictability; and
- journal entry testing.
The IAASB has a specific question about scalability in their Exposure Draft – Question 8. We welcome feedback on the areas identified above or additional areas. See the detailed changes and how to respond to the IAASB and/or AASB.