SA 240 entitled “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements” gives guidance on what ought to be the responsibility of an auditor for identifying fraud and error and reporting on them.
The important guidelines laid down under SA 240 regarding an auditor’s responsibility towards fraud and error are summarized in the points below:
Who holds the primary responsibility as per SA 240?
SA 240 clarifies that the primary responsibility for the prevention and detection of fraud and error lies with the company’s management and those charged with governance (essentially people making strategic decisions in the company).
It is crucial that the management, with the oversight of those charged with governance, puts emphasis on fraud prevention, which may minimize the possibility of the occurrence of fraud, and also fraud deterrence, which may encourage individuals not to commit fraud due to the fear of being punished. Further, a culture of honesty and ethical behaviour should be encouraged in the company as far as possible.
What are the responsibilities of an auditor?
According to SA 240, an auditor conducts a financial audit of an entity in order to obtain a reasonable assurance (and not absolute assurance) that its financials are free from any fraud/error and material misstatements.
In addition, as provided in SA 200, “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing,” because of the inherent limitations of an audit, there is an inescapable risk that some major misstatements in the financial statements will go undetected, even if the audit is properly planned and done in line with the SAs.
The risk of failing to discover a major misstatement caused by fraud is higher than the risk of failing to detect one caused by error. The reason is that fraud can involve sophisticated and well-planned tactics to conceal it, such as forgeries, deliberate attempts to omit recording transactions, or intentional misrepresentations being made to the auditor.
Meaning of fraud under SA 240
Misstatements in financial statements can result from either fraud or error. The distinction between fraud and error is whether the underlying conduct that results in the falsification of financial accounts is purposeful or inadvertent. Hence, fraud is intentional.
The Standard defines the term “fraud” as “an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage”.
Although fraud is a broad legal term, for the purposes of the SAs, the auditor is concerned with fraud that results in a serious falsification (misstatement) of the financial statements.
The auditor is concerned with two types of intentional misstatements. These include misstatements caused by misleading financial reporting and misstatements caused by asset misappropriation.
- Fraudulent financial reporting
- Asset misappropriation
To deceive the users of financial statements, fraudulent financial reporting comprises intentional misstatements, such as omissions of amounts or disclosures in financial statements. It may be in the form of forgery, alteration, misrepresentation, misapplication of accounting policies, etc.
Misappropriation, on the other hand, is the theft of an entity’s assets and is commonly committed by employees in fairly small and insignificant amounts. But it can also involve the management, who are generally better off at disguising or concealing the misappropriation in a manner that is difficult to detect.
What audit procedures are to be used as per SA 240?
This auditing standard dictates the following audit procedures to be adopted by an auditor:
- The auditor must approach the work with a certain degree of professional skepticism. He must always be alert to any signs of misstatement. If there are any doubtful situations, the auditor should extend his procedures to confirm or dispel that doubt.
- To obtain reasonable assurance, an attitude of professional skepticism has to be maintained by the auditor throughout the conduct of the audit. He should consider the likelihood that management might be manipulating internal controls and that the techniques that might be effective in detecting errors might not be as effective in detecting fraud.
- Except when the auditor has reasons to believe to the contrary, he is justified in accepting the client’s records as genuine.
- The auditor should discuss with his audit team the possibility that the entity’s financial statements may have material misstatements resulting from fraud and error. Based on such discussions, he should design his audit procedures.
- As part of his audit procedures, an auditor can make inquiries from the company’s management regarding any possibility of misstatements being present in the financial statements.
- When a misstatement is identified, the auditor has to evaluate whether such misstatement is indicative of fraud or not. He has to also consider whether the representations given by management in this regard are satisfactory or not. He should look for situations that may indicate fraud involving management, employees, or third parties. The possibility of such fraud and its implications for the audit must be evaluated well.
Communication of misstatements
On identification of misstatements or where the auditor suspects fraud, he must communicate it to the appropriate level of management. If he suspects the management’s involvement in fraud, he must communicate the same to those charged with governance and must discuss with them the nature, timing, and extent of audit procedures necessary to complete the audit.
Moreover, if any law or regulation necessitates that the occurrence or suspicion of fraud must be communicated to regulatory or enforcement authorities outside the entity, the auditor must comply with it.
The auditor must ensure that there is appropriate disclosure of identified misstatements either in the financial statements by management or in his own audit report. Whatever the case is, the fact of material misstatements has to be properly disclosed.
The subsequent discovery of fraud
SA 240 explains the duty of the auditor to consider the risk of material misstatements while carrying out an audit and also lays down the procedures that he must follow when circumstances indicate the possibility of fraud or error. However, it should be noted that he is not responsible for the subsequent discovery of frauds. He has to only make sure that adequate audit procedures are adopted and that a fair opinion is given in his audit report based on sufficient audit evidence.
Thus, the subsequent discovery of misstatements in financial statements resulting from any fraud or error existing during the accounting period covered under the auditor’s report does not, by itself, show whether the auditor has properly complied with the basic principles governing an audit or not.
In fact, the question of whether or not he has complied with the basic principles governing an audit (for example, the conduct of the audit work with required skills and competence, complete documentation of all matters, designing of the audit plan, reliance placed on internal controls, nature, and extent of compliance & substantive tests carried out, etc.) is determined by the level of adequacy of audit procedures undertaken in the relevant circumstances and the suitability of audit report based on the results of such procedures.
The auditor is liable for failure to detect fraud only when such failure is substantially due to a lack of reasonable care and skill being exercised on his part.
In nutshell, SA 240 requires the auditor to communicate all frauds (especially where they materially cause misstatements) to the management if his suspicion is aroused. Moreover, in case of errors, the material errors affecting the entity’s financial statements should also be communicated.
The full text of SA 240 can be downloaded from this link.
You might also like: