Sir Donald Brydon’s review on the quality and effectiveness of audit noted a perceived expectation gap related to the auditor’s responsibility for fraud, stating that where material fraud occurs, there can be concerns about whether auditors have done enough to detect it.
In May 2021, the Financial Reporting Council (FRC) published revised ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. The revisions aim to provide clarity about the auditor’s obligations and further guidance.
While the amendments introduce several new requirements, particularly around risk assessment, the revisions mostly serve to clarify and formalise existing requirements. For many engagement teams, these revisions will effectively reinforce good practice.
In this article from ICAEW’s Audit and Assurance Faculty, Ishana Mahadea of Smith & Williamson describes the key changes.
1) Auditor’s responsibilities and professional scepticism
The revisions clarify the auditor’s objectives, which include obtaining reasonable assurance about whether the financial statements are free from material misstatement due to fraud. They also highlight that the risk of not detecting a misstatement due to fraud may be higher than the risk related to error. Exercising professional scepticism remains pervasive in achieving these objectives, including requirements to:
- Remain unbiased and alert to both corroborative and contradictory audit evidence.
- Remain alert for conditions that might suggest that a document or record is not genuine, such as last edited dates on electronic documents being after the purported final date of the document.
- Not only investigate inconsistent responses to inquiries received, but also those that are implausible.
2) Risk assessment procedures and related activities
Supplemental guidance clarifies that when performing risk assessment procedures, an understanding of fraud risk factors is required. The revisions introduce new requirements to:
- Obtain an understanding of the process management undertakes to assess, identify, respond, and communicate the risks of fraud.
- Make inquiries of any other individuals who deal with allegations of fraud raised by employees or other parties, for example, a Money Laundering Reporting Officer (‘MLRO’) if applicable.
- Discuss the risks of fraud, including those that are specific to the relevant business sector, with those charged with governance.
- Evaluate the impact on the audit of any inconsistencies between the responses to fraud inquiries received from management and others.
- Determine whether the engagement team requires specialised skills or knowledge to perform audit procedures, such as, for example, a fraud specialist.
3) Responses to the assessed risks and evaluation of audit evidence and documentation
The revisions focus on reinforcing existing principles, including a requirement to perform an overall assessment of the sufficiency and appropriateness of audit evidence, including both contradictory and corroborative evidence. This ‘stand-back’ requirement is reflected in other standards, such as ISA 540 (UK) (Revised December 2018) on the audit of accounting estimates. In performing this overall assessment, the revisions also require an understanding of how any identified misstatements arose, and whether this is due to fraud or error.
4) The auditor’s report, communication to those charged with governance, representations
The revisions include the requirement for the audit report to explain to what extent the audit was considered capable of detecting irregularities, including fraud, in line with ISA (UK) 700 (Revised November 2019) and a new requirement that written representations obtained from management should explicitly acknowledge that management believes they have fulfilled these responsibilities. There is also additional emphasis on considering any matters for communication to those charged with governance related to management’s process for identifying and responding to fraud.
The revised standard is effective for audits of financial periods beginning on or after 15 December 2021, alongside ISA (UK) 315 (Revised July 2020) Identifying and Assessing the Risks of Material Misstatement.