
How to report on irregularities, including fraud, in the auditor’s report - Guide for auditors reporting for the first time

Published: 01 Apr 2021

For periods commencing on or after 15 December 2019, all auditors (where ISAs (UK) apply) are required to explain in the auditor’s report the extent to which the audit was considered capable of detecting irregularities, including fraud. This guide from ICAEW’s Audit and Assurance Faculty provides practical considerations for auditors who are required to report on irregularities, including fraud, for the first time.

The guide supplements the Faculty’s existing guide, 'How to report on irregularities, including fraud, in the auditor’s report – a guide for auditors'. We recommend reading that guide first to understand the requirements before using this guide as a basis for constructing wording in the auditor’s report.

This guide was prepared with auditors of Small and Medium-sized Entities/Enterprises (‘SMEs’) in mind, but its principles will also apply to other entities, including Public Interest Entities (PIEs).

We understand that the Financial Reporting Council (FRC) intends that the auditor’s explanation should be tailored to each entity’s individual circumstances, reporting matters of significance clearly and concisely, without the use of boilerplate text. This is likely to require the auditor to devote further time to think through the wording, especially in the first year of reporting.

Below we set out the areas the auditor should consider in developing the explanation, together with questions to help develop it - suitable wording will vary for each individual entity and according to the auditor’s approach to that particular audit. The explanation may also vary from year to year for the same entity if the risk profile changes - for example, the entity becomes subject to different laws and regulations or different fraud risks arise. Simply rolling forward the prior year explanation should be avoided. How the auditor developed their explanation, and the areas considered, would be expected to be documented in the audit file.

Note

This guide is designed to walk auditors through the thought process. Not everything below will be pertinent to every explanation. Auditors should focus on those laws and regulations and those aspects of their approach which are most significant to that entity and audit - the FRC has been clear that the explanation reports matters of significance ‘clearly and concisely’. The explanation should be focused enough to be useful to a reader of the auditor’s report.

As you read through the guide, we recommend that you remain mindful that in simple terms, a concise explanation will be driven by:

  • Which laws and regulations the auditor identified as being of significance in the context of the entity.

  • How the auditor obtained an understanding of the legal and regulatory framework applicable to the entity and how the entity is complying with that framework.

  • The extent to which the auditor’s work was designed to identify non-compliance with such laws and regulations.

And practically: 

  • What formed the key audit documentation? 

  • What did the engagement team discuss in the engagement team planning meeting?

  • What matters were drawn to the engagement partner’s attention or reported to those charged with governance?

The FRC’s bulletin of example audit reports includes this explanation in the section of the auditor’s report which describes the Auditor’s responsibilities for the audit of the financial statements. However, these are example templates and the auditor can choose to include this information elsewhere within the auditor’s report. The extant wording around Auditor’s responsibilities will help give context to the explanation as to what extent the audit was considered capable of detecting irregularities, including fraud.

Title and introductory text

The following introductory wording was suggested by the FRC:

Explanation as to what extent the audit was considered capable of detecting irregularities, including fraud

[Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. 

The extent to which our procedures are capable of detecting irregularities, including fraud is detailed below:]

The introductory text will lead into the explanation. We outline below the areas that the explanation is expected to cover, along with questions to consider to allow tailoring to the specific circumstances of the entity and of the audit. 

Note

The bold titles below do not constitute required headings – they are used in this guide merely to identify areas expected to be covered by the explanation.

Auditor's approach to assessing the risks of material misstatement due to irregularities, including fraud

Detail the auditor’s approach to assessing the risks of material misstatement due to fraud and non-compliance with laws and regulations (NOCLAR).

Eg, [Our approach was as follows:]

Eg, [We obtained an understanding of the legal and regulatory frameworks that are applicable to the entity and determined that the most significant are those that relate to:]

Which laws and regulations are significant to the entity and why?

As a reminder, ISA (UK) 250 Section A 'Consideration of Laws and Regulations in an Audit of Financial Statements' paragraph 6 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:

  • The provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements, such as tax and pension laws and regulations; and

  • Other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements, but compliance with which may be fundamental to the operating aspects of the business, to an entity's ability to continue its business, or to avoid material penalties (e.g., compliance with the terms of an operating license, compliance with regulatory solvency requirements, or compliance with environmental regulations); non-compliance with such laws and regulations may therefore have a material effect on the financial statements. 

Relevant questions for the auditor to consider in order to determine which laws and regulations are significant to the entity, and why, might include:

  1. Which financial reporting framework is significant to the entity? Eg, FRS 102, FRS 105, IFRS, IFRS for SMEs, Pensions SORP, Charities SORP, Housing SORP, etc.
  2. Is there any legislation, such as Companies Act 2006, which is significant to the entity? Is the entity a pension scheme where legislation allows the Pensions Regulator to fine the scheme or remove trustees?
  3. Are there any complex taxation issues which are significant to the entity and which might impact risks of material misstatement or elevate risks of non-compliance with laws and regulations?

    For example:

    • Are the relevant tax compliance regulations in the jurisdiction in which the entity operates significant to the entity?
    • Are there any complex, cross-border taxation issues?
    • Are there any uncertain tax positions?
    • For a pension scheme, can HMRC rescind registered scheme status?

  4. Are there any other significant laws and regulations that may have an effect on the determination of the amounts and disclosures in the financial statements?

    For example, in the 2020/21 reporting season, laws and regulations concerned with UK government COVID-19 support schemes might be considered by the auditor to be significant to the entity: the Coronavirus Job Retention Scheme (CJRS), Coronavirus Business Interruption Loan Scheme (CBILS), Bounce Back Loan Scheme, Covid-19 Corporate Financing Facility (CCFF), or the ban on business evictions.

    Other laws and regulations which might be determined to be significant to the entity might be, for example:

    • data protection laws (including UK General Data Protection Regulation (GDPR)); 
    • employment matters;
    • environmental;
    • health and safety;
    • food hygiene;
    • licensing regulations;
    • bribery and corruption practices; and/or
    • fundraising regulations for charities.

  5. Does the company operate in a highly regulated environment that requires the Senior Statutory Auditor to have particular experience and expertise? Do the audit engagement team and experts have the appropriate competence and capabilities? Eg, the gaming industry, the charity sector, financial institutions, or nuclear power.

Note

The financial reporting framework and, where relevant, the Companies Act 2006 and the Charities Act 2011 are likely to be significant for most entities.

What were the particular considerations in respect of fraud?

Eg, [We assessed the risks of material misstatement in respect of fraud as follows:]

Who did you make fraud enquiries of during the audit?

  • management?
  • those charged with governance?
  • internal audit?
  • service organisations?

Were other analytical procedures used to identify any unusual or unexpected relationships?

Did the audit team discuss and identify particular areas that were susceptible to misstatement as part of their fraud discussion?

Did the audit team identify any fraud risk factors in its discussion of related party relationships and transactions?

ISA (UK) 550 states that fraud may be more easily committed through related parties.

Audit procedures designed to respond to the risks of NOCLAR

Describe the audit procedures performed in response to the risks identified.

Eg, [Based on the results of our risk assessment we designed our audit procedures to identify non-compliance with such laws and regulations identified above.]

Describe your approach to understanding the entity’s policies and procedures for compliance with those laws and regulations. 

Describe how you gained an understanding of how instances of non-compliance with laws and regulations, or knowledge of actual, suspected, or alleged fraud, are documented.

Who did you make enquiries of during the audit?

  • management?
  • those charged with governance?
  • the Company Secretary?
  • legal counsel?
  • internal audit?
  • others responsible for risk or compliance procedures?
  • other group auditors / component auditors?
  • other third parties?
  • review of the volume and nature of complaints received by the whistleblowing hotline during the year / other complaints channels?

Eg, [We corroborated our enquiries through:]

How did you corroborate your enquiries?

  • review of Board minutes?
  • review of correspondence with HMRC or Companies House?
  • review of correspondence with other regulatory bodies?
  • review of papers provided to the audit committee?

Was there any contradictory evidence, or if not, can you state that there was none?

Audit procedures designed to respond to the risks of fraud

Management override of controls

How was the risk of management override of controls addressed?

Eg, [We considered the risk of fraud through management override and, in response, we incorporated testing of manual journal entries into our audit approach.]

Did you test year-end journals only, or journal entries throughout the year? Did you use data analytics to identify journal entries demonstrating certain risk factors?

Did you consider the influence of performance targets on management to be a risk, and if so, were procedures designed to address this risk?

Were any transactions outside the normal course of business identified, and if so, how did you corroborate that they were made for valid business rationale?

Other fraud risks

Eg, [Based on the results of our risk assessment we designed our audit procedures to identify and to address material misstatements in relation to fraud.]

Were any other fraud risks considered and audited? 

Did you consider and design audit procedures to address, for example:

  • The possibility of fraudulent or corrupt payments made through third parties?
  • The risk of bribery and corruption, including whether the entity operates overseas, or makes grants overseas?
  • Where segregation of duties is limited or not in place at all?

How were the requirements of paragraphs 29 (b) and (c) of ISA (UK) 240 (see below) applied to the audit? 

29 (b) Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings.

29 (c) Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.

Transactions displaying identified risk criteria

Where transactions meeting risk criteria were identified, what further work was carried out?

  • Was additional testing to source information carried out?
  • Did you have any discussions with specialists on areas of the financial statements particularly susceptible to fraud?

Group audits

For group audits, ISA (UK) 600.41(d) requires communication with component auditors to request identification of any instances of non-compliance with laws and regulations that could give rise to a material misstatement of the group financial statements. Has this been explained?

ISA (UK) 700 (Revised) also encourages the auditor to explain the engagement partner’s assessment of whether the engagement team collectively had the appropriate competence and capabilities to identify or recognise non-compliance with laws and regulations.

In order to address this, relevant questions that the auditor might ask themselves are:

  • Did the engagement partner conclude that more experienced audit team members needed to be allocated to perform work on certain account balances, classes of transaction or disclosures? 
  • Did the engagement partner conclude that any specialists were required on the audit, such as a forensic specialist?

Considerations around likelihood of detection

In explaining the extent to which the audit was considered capable of detecting irregularities, the auditor should consider how their approach to the audit has affected the likelihood of detection.

Has the explanation considered how the audit affected likelihood of detection? 

This might include discussion of:

  • the inherent difficulty in detecting irregularities;
  • the effectiveness of the entity’s internal controls; and 
  • the nature, timing and extent of audit procedures performed.

Reminder of responsibilities for the audit

Consider ending the explanation by further clarifying the responsibilities for the audit with respect to fraud: 

Eg, [A further description of our responsibilities for the audit of the financial statements is located on the FRC’s website at https://www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditor’s report.]

This might already be included in another part of the Auditor’s responsibilities for the audit of the financial statements section.
