include key audit team members. Other factors that should be considered when planning the discussion include:
● Whether to have multiple discussions if the audit involves more than one location
● Whether to include specialists assigned to the audit
Audit team members should continue to communicate throughout the audit about the risks of material misstatement due to fraud. (AU-C 240.15)
Obtaining Information Needed to Identify Fraud Risks
In addition to performing procedures required under Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements, the auditor should obtain information needed to identify the risks of material misstatement due to fraud by:
● Asking management and others within the entity about their views on the risk of fraud and how such risks are addressed.
● Considering unusual or unexpected relationships identified by analytical procedures performed while planning the audit.
● Considering whether any fraud risk factors exist.
● Considering other information that may be helpful in identifying fraud risk.
Inquiries of Management
Management is responsible for designing and implementing programs to prevent, deter, and detect fraud. When management and others, such as the audit committee and board of directors, set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced.
The auditor should make the following inquiries of management:
● Does management or others within the entity know about actual or suspected fraud?
● Have there been any allegations of actual or suspected fraud from employees, former employees, analysts, regulators, short sellers, and others?
● Does management understand the entity's fraud risk, including any identified risk factors or account balances or classes of transactions for which a fraud risk is likely to exist?
● What programs and controls does the entity have to help prevent, deter, and detect fraud? How does management monitor such programs?
● When there are multiple locations, how are operating locations or business segments monitored? Is fraud more likely to exist at any one of the locations or business segments?
● Does management communicate its views on business practices and ethical behavior to employees, and, if so, how?
● Has management communicated to those charged with governance how the entity's internal control prevents, deters, and detects fraud?
(AU-C 240.17-.18)
When evaluating management's responses to these inquiries, auditors should remember that management is often in the best position to commit fraud. Therefore, the auditor should determine when it is necessary to corroborate those responses with other information. When responses are inconsistent, the auditor should obtain additional audit evidence.
Inquiries of Those Charged with Governance
The auditor should understand how those charged with governance oversee the entity's assessment of fraud risks and the mitigating programs and controls. (AU-C 240.20) The auditor should make the following inquiries of those charged with governance:
● What are those charged with governance's (or the audit committee's or at least the chair's) views of the risk of fraud?
● Do they know about actual, alleged, or suspected fraud in the entity?
(AU-C 240.21)
Inquiries of Internal Auditors
The auditor should make the following inquiries of appropriate individuals within the internal audit function:
● What are their views on the risk of fraud?
● Have they performed procedures to identify or detect fraud during the year?
● Has management satisfactorily responded to any finding from procedures performed to identify or detect fraud?
● Are they aware of any actual, suspected, or alleged fraud?
(AU-C 240.19)
Inquiries of Others within the Organization
The auditor should also ask others within the entity whether they are aware of actual or suspected fraud, using professional judgment to determine to whom these inquiries are made and how extensive the inquiries should be. The following are examples of people who may provide helpful information and, therefore, to whom the auditor may wish to consider directing inquiries:
1. Anyone at varying levels of authority whom the auditor deals with during the audit, such as when the auditor is obtaining an understanding of the entity's internal controls, observing inventory, performing cutoff procedures, or getting explanations for fluctuations noted during analytical procedures
2. Operating staff not directly involved in financial reporting
3. Employees involved in initiating, recording, or processing complex or unusual transactions
4. In-house legal counsel
(AU-C 240.A19)
Considering the Results of Analytical Procedures
When performing the required analytical procedures in planning the audit as discussed in Section 520, Analytical Procedures, the auditor may find unusual or unexpected relationships as a result of comparing the auditor's expectations with recorded amounts or ratios developed from such amounts. The auditor should consider those results in identifying the risk of material misstatement due to fraud. (AU-C 240.23)
The auditor should also perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that may indicate a material misstatement due to fraudulent financial reporting. Examples of such procedures include:
● Comparing sales volume with production capacity (sales volume greater than production capacity might indicate fraudulent sales).
● Trend analysis of revenues by month and sales return by month shortly before and after the reporting period (the analysis may point to undisclosed side agreements with customers to return goods).
(AU-C 240.25)
Although analytical procedures performed during audit planning may be helpful in identifying the risk of material misstatement due to fraud, they may only provide a broad indication, since such procedures use data aggregated at a high level. Therefore, the results of such procedures should be considered along with other information obtained by the auditor in identifying fraud risk. (AU-C 240.26)
Considering Fraud Risk Factors
Using professional judgment, the auditor should consider whether information obtained about the entity and its environment indicates that fraud risk factors are present, and, if so, whether it should be considered when identifying and assessing the risk of material misstatement due to fraud. (AU-C 240.24)
Examples
