is required to notify SEC (within one business day) of auditor’s conclusion described in item b (e.g., by Tuesday).Client is required to furnish report to SEC in item d to auditor within one business day (e.g., by Tuesday).If auditor doesn’t receive report in item e, auditor notifies SEC within one business day following failure to receive (e.g., on Wednesday).3 If the auditor withdraws or resigns from the engagement, the auditor must send a copy of the resignation to the SEC within five business days.
4 Follow SEC requirements for reporting on Form 8-K:Upon auditor’s withdrawal, client must disclose within four business days the following information on a Form 8-K, filed with the SEC, with a copy to the auditor on the same day:Auditor’s resignationAuditor’s conclusion that the information coming to his or her attention has a material impact on the fairness or reliability of the client’s financial statements or audit report and that this matter was not resolved to the auditor’s satisfaction before resignationAuditor must prepare a letter stating agreement or disagreement with client’s statements after reading Form 8-K. If auditor disagrees, he or she must disclose differences of opinion in a letter to client as promptly as possible. Client must then file the letter with the SEC within ten business days after filing the Form 8-K. Notwithstanding the ten-business-day requirement, client has two business days from the date of receipt to file the letter with the SEC.
Situation 3
Any Fraud Not Involving Senior Management for All Clients (Public and Nonpublic)
Auditor should:
Evaluate the implications for other aspects of the audit, especially organizational positions of persons involved.
Bring to the attention of, and discuss with, the appropriate level of management (even if inconsequential).
Communicate the matter to those charged with governance unless the matter is clearly below the communication threshold previously agreed to by the auditor and those charged with governance.
Consider whether any risk factors identified represent reportable conditions (Section 265).
Documentation
The auditor should document:
The engagement team’s discussion, when planning the audit, about the entity’s susceptibility to fraud; the documentation should include how and when the discussion occurred, audit team members participating, and the subject matter covered.
Procedures performed to obtain the information for identifying and assessing the risks of material misstatements due to fraud.
Specific risks of material misstatement due to fraud identified by the auditor. Description of the auditor’s overall response to those risks.
If improper revenue recognition has not been identified as a risk factor, the reasons supporting such conclusion.
The results of procedures performed that addressed the risk that management would override controls.
Other conditions and analytical relationships that caused the auditor to believe that additional procedures or responses were required, and any other further responses to address risks or other conditions.
The nature of communications about fraud to management, those charged with governance, and others.
(AU-C 240.43–.46)
Antifraud Programs and Controls
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework (2013) includes a discussion of expectations related to preventing and detecting fraud.
In 2017, COSO updated its Enterprise Risk Management—Integrated Framework to address the evolving business environment.
The guidance in AU-C 240 is based on the presumption that entity management has both the responsibility and the means to take action to reduce the occurrence of fraud at the entity. To fulfill this responsibility, management should:
Create and maintain a culture of honesty and high ethics.
Evaluate the risks of fraud and implement the processes, procedures, and controls needed to mitigate the risks and reduce the opportunities for fraud.
Develop an appropriate oversight process.
Culture of Honesty and Ethics
A culture of honesty and ethics includes these elements:
A value system founded on integrity
A positive workplace environment where employees have positive feelings about the entity
Human resource policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust
Training—both at the time of hire and on an ongoing basis—about the entity’s values and its code of conduct
Confirmation from employees that they understand and have complied with the entity’s code of conduct and that they are not aware of any violations of the code
Appropriate investigation and response to incidents of alleged or suspected fraud
Evaluating Antifraud Programs and Controls
The entity’s risk assessment process (as described in the separate chapter on AU-C 315) should include the consideration of fraud risk. With an aim toward reducing fraud opportunities, the entity should take steps to:
Identify and measure fraud risk.
Mitigate fraud risk by making changes to the entity’s activities and procedures.
Implement and monitor an appropriate system of internal control.
Develop an Appropriate Oversight Process
The entity’s audit committee or board of directors should take an active role in evaluating management’s:
Creation of an appropriate culture
Identification of fraud risks
Implementation of antifraud measures
To fulfill its oversight responsibilities, audit committee members should be financially literate, and each committee should have at least one financial expert. Additionally, the committee should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels of the organization or investigating any fraudulent activity that might occur.
