of fraud risk factors are presented in Illustrations 1 and 2 at the end of this chapter. These risk factors are classified based on the three conditions usually present when fraud exists:
1. Incentive/pressure
2. Opportunity
3. Attitude/rationalization
(AU-C 240.A30)
The auditor should not assume that all three conditions must be present or observed. In addition, the extent to which any condition is present may vary.
The size, complexity, and ownership of the entity may also affect the identification of fraud risks. (AU-C 240.A31)
In planning the audit, the auditor will most likely use a list of fraud risk factors to serve as a memory jogger. This list may be taken from the examples listed in the AU-C Illustrations at the end of this chapter, or the examples provided may be tailored to the client. The documentation of this list of fraud risk factors to be considered is not required, but represents good practice.
During the planning and performance of the audit, the auditor may identify some of the fraud risk factors from the list as being present at the client. Of those risk factors present, some will be addressed sufficiently by the planned audit procedures; others may require the auditor to extend audit procedures.
Considering Other Information
The auditor should evaluate other information that may be helpful in identifying fraud risk. The auditor should consider:
● Any information from procedures performed when deciding to accept or continue with a client
● Results of review of interim financial statements
● Identified inherent risks
● Information from the discussion among engagement team members
Identifying Fraud Risks
Fraud risk factors may come to the auditor's attention while performing procedures relating to acceptance or continuance of clients, during engagement planning or obtaining an understanding of an entity's internal control, or while conducting fieldwork. Accordingly, the assessment of the risk of material misstatement due to fraud is a cumulative process that includes a consideration of risk factors individually and in combination. As noted earlier, assessment of fraud risk factors is not a simple matter of counting the factors present and converting the result to a level of fraud risk. A few risk factors or even a single risk factor may heighten the risk of fraud significantly.
Attributes
The auditor should use professional judgment and information obtained when identifying the risks of material misstatement due to fraud. The auditor should consider the following attributes of the risk when identifying risks:
● Type (Does the risk involve fraudulent financial reporting or misappropriation of assets?)
● Significance (Could the risk lead to a material misstatement of the financial statements?)
● Likelihood (How likely is it that the risk would lead to a material misstatement of the financial statements?)
● Pervasiveness (Does the risk impact the financial statements as a whole, or does it relate to an assertion, account, or class of transactions?)
Throughout the audit, the auditor should evaluate whether identified fraud risks can be related to certain account balances or classes of transactions and related assertions, or whether they relate to the financial statements as a whole. (AU-C 240.25) Examples of accounts or classes of transactions that might be more susceptible to fraud risk include:
● Liabilities from a restructuring because of the subjectivity in estimating them
● Revenues for a software developer, because of their complexity
NOTE: The auditor should document the identified fraud risks.
Presumption about Improper Revenue Recognition as a Fraud Risk
Since fraudulent financial reporting often involves improper revenue recognition, the auditor should ordinarily presume that there is a risk of material misstatement due to fraudulent revenue recognition. (AU-C 240.26)
NOTE: The auditor should document the reasons supporting his or her conclusion when improper revenue recognition is not identified as a fraud risk. (AU-C 240.46)
Consideration of the Risk of Management Override of Controls
The auditor should also recognize that, even when other specific risks of material misstatement are not identified, there is a risk that management can override controls. (AU-C 240.31) The auditor should address this risk as discussed in the later section on “Addressing the Risk of Management Override.”
Assessing Identified Risks
As part of the understanding of internal control required by Section 319, the auditor should:
1. Evaluate whether the entity's programs and controls that address identified risks have been appropriately designed and placed in operation. Programs and controls may involve specific controls, such as those designed to prevent theft, or broad programs, such as one that promotes ethical behavior.
2. Consider whether programs and controls mitigate identified risks of material misstatement due to fraud or whether control deficiencies exacerbate risks.
3. Assess identified risks, taking into account the evaluation of programs and controls.
4. Consider this assessment when responding to the identified risks of material misstatement due to fraud.
Responding to the Results of the Assessment
The auditor responds to assessment of risk of material misstatement due to fraud by:
● Exercising professional skepticism
● Evaluating audit evidence
● Considering programs and controls to address those risks
Examples of the use of professional skepticism would include:
● Designing additional or different audit procedures to obtain more reliable evidence
● Obtaining additional corroboration of management's responses or representations
The auditor should respond to the risk of material misstatement in the following ways:
1. Evaluate the overall conduct of the audit.
2. Adjust the nature, timing, and extent of audit procedures performed in response to identified risks.
3. Perform certain procedures to address the risk that management will override controls.
NOTE: The auditor should document a description of the auditor's response to identified fraud risks.
If the auditor concludes that it is not practical to design audit procedures to sufficiently address the risks of material misstatement due to fraud, the auditor should consider withdrawing from the engagement and communicating the reason to the
