Auditing standards require auditors to identify and assess the risks of material misstatement due to fraud and to determine overall and specific responses to those risks. Here is what auditors look for during fraud-risk interviews and why face-to-face meetings are essential.
Entities being audited sometimes feel fraud-related questions are probing and invasive, but they’re a critical part of the audit process. The American Institute for Certified Public Accountants (“AICPA”) requires auditors to identify and assess the risks of material misstatement due to fraud and to determine overall and specific responses to those risks under Clarified Statement on Auditing Standards (AU-C) Section 240, Consideration of Fraud in a Financial Statement Audit.
Specific areas of inquiry under AU-C Sec. 240 include:
- Whether management has knowledge of any actual, suspected or alleged fraud,
- Management’s process for identifying, responding to and monitoring the fraud risks in the entity,
- The nature, extent and frequency of management’s assessment of fraud risks and the results of those assessments,
- Any specific fraud risks that management has identified or that have been brought to its attention,
- The classes of transactions, account balances or disclosures for which a fraud risk is likely to exist, and
- Management’s communications, if any, to those charged with governance about its process for identifying and responding to fraud risks, and to employees on its views on appropriate business practices and ethical behavior.
Fraud-related inquiries may also be made of those charged with governance, internal auditors and others within the entity. Examples of other people that an auditor might ask about fraud risks include executives, in-house legal counsel, and employees involved in initiating, processing, or recording financial transactions.
So how does your auditor ensure that he or she gains as much fraud-related information as possible from fraud-risk interviews? During the planning stage of the audit, the audit partner meets with the audit team to brainstorm potential company- and industry-specific risks and to outline specific areas of inquiry and high-risk accounts.
Interviews must be conducted for every audit. Auditors can’t just assume that fraud risks are the same as those that existed in the previous accounting period. While performing onsite audit fieldwork, auditors meet in person with managers and others to discuss fraud risks. Why? A large part of uncovering fraud involves picking up on nonverbal clues. In a face-to-face interview, the auditor can also observe signs of stress on the part of the interviewee in responding to the question. In addition, in-person interviews provide an opportunity for immediate follow-up questions.
When it isn’t possible to have a face-to-face interview, a videoconference or phone call is the next best option because it provides the auditor many of the same advantages as meeting in person.
It is important for interviewees to be patient when answering the auditor’s questions. Auditors are trained to ask for clarification throughout the discussion.
Even when an audit is properly planned in accordance with the auditing standards, some dishonest behaviors may not be detected. It is generally easier to find unintentional errors than to detect a material misstatement resulting from fraud. Fraud may involve sophisticated concealment schemes, such as forgery, deliberate failure to record transactions, or intentional misrepresentations made to the auditor.
In addition, collusion between employees, suppliers and customers can make it harder for audit evidence to reveal fraud. The risk of the auditor not detecting a material misstatement is even greater when upper-level management is involved in the fraud scheme. That is because top managers may have the opportunity to directly or indirectly manipulate accounting records, present fraudulent financial information or override control procedures designed to prevent similar frauds by other employees.
To catch a thief
Evaluating fraud risks is a critical part of your auditor’s responsibilities. You can facilitate this process by anticipating the types of questions your auditor will ask and the types of audit evidence that your auditor will need. Forthcoming and prompt responses help keep your audit on schedule and minimize any unnecessary delays.
Evaluating the fraud "triangle"
Auditors look inside and outside of the company for the risks of two types of fraud: 1) fraudulent financial reporting, and 2) asset misappropriation. In general, they categorize risk factors based on the three conditions that must be present for fraud to happen. Together, these three conditions are known as the fraud triangle.
- Incentives and pressures. Employees resort to fraud only if they have a motive to be dishonest. For example, the company’s financial stability (and, therefore, the employee’s livelihood) might be at risk due to a high degree of competition, significant declines in customer demand or new regulatory requirements. Or management could feel excessive pressure to achieve the performance level necessary to obtain additional financing, meet debt covenants or receive performance-based compensation (such as bonuses, stock options, and earnout arrangements). In addition, personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft. The pressure to steal assets may be even greater if, for example, an employee anticipates future layoffs or changes to compensation plans.
- Opportunities. Examples of conditions that present the opportunity for fraud to occur include significant related party transactions, the use of subjective accounting estimates, significant complex transactions, foreign operations in locations with differing regulatory environments, and inadequate internal controls. Likewise, the risk of asset theft increases if the company processes large amounts of cash or if inventory items and fixed assets are small in size, of high value, or in high demand.
- Attitudes and rationalizations. Those committing fraud typically rationalize their dishonesty. For instance, an embezzler might justify theft because the owner is domineering, bickers with shareholders, or commingles personal and business assets.
That is why auditors evaluate not only morale among employees but also the “tone at the top” of the organization. Legal and ethical issues in the C-suite — such as sexual harassment or unlawful termination claims, a win-at-all-costs mentality, evasive tax practices or known regulatory violations — tend to trickle down the organization. Auditors also consider how management responds to their inquiries; an auditor may view an adversarial relationship as an indication that management is hiding fraud.
Each organization faces unique risk factors. These are just a few examples of what is on your auditor’s radar when assessing fraud. If you notice these risk factors or any other suspicious behaviors, contact your auditor to investigate the matter further.