How to report on irregularities, including fraud, in the auditor’s report – a guide for auditors
For audits of financial periods commencing on or after 15 December 2019, auditors (where ISAs (UK) apply) are required to explain in the auditor’s report to what extent the audit was considered capable of detecting irregularities, including fraud. This was already a requirement for auditors of public interest entities (PIEs) in ISA (UK) 700 (Revised June 2016).
This Know-How guide from ICAEW’s Audit and Assurance Faculty covers:
- What irregularities are and a reminder of the extant auditing standards
- How the requirements have changed in ISA (UK) 700 (Revised January 2020)
- What should be reported on in the auditor’s report
- How COVID-19 may impact what is reported.
The guide focuses primarily on the implications for the auditor’s report, rather than reporting to those charged with governance or to regulators.
What are irregularities?
“Irregularity” is not defined in UK legislation, but is deemed to correspond to the definition in ISA (UK) 250A1) of non-compliance: ‘Acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations.’
A Reminder of the extant ISA (UK) 700
ISA (UK) 700 Forming an Opinion and Reporting on Financial Statements (Revised June 2016) states that for audits of complete sets of general purpose financial statements of PIEs, the auditor’s report shall explain to what extent the audit was considered capable of detecting irregularities, including fraud. This requirement is derived from Article 10 of the Audit Regulation. This means that the auditor of a PIE is required to include an explanation setting out the capability of the audit, as performed, to detect irregularities.
Changes in the Revised ISA (UK) 700
The revisions to UK auditing standards, which are applicable for audits of financial periods commencing on or after 15 December 2019, extend the requirement to include an explanation of the extent to which the audit was considered capable of detecting irregularities, including fraud, to all audit reports.
ISA (UK) 700 (Revised January 2020) thus goes further than the 2016 iteration by requiring all entities and not just PIEs that the auditor's report explains to what extent the audit was considered capable of detecting irregularities, including fraud.
What is included in the auditor's report?
The FRC suggests use of the following wording in the section of the auditor’s report which describes the auditor’s responsibilities for the audit of the financial statements
The FRC also states that the auditor considers how this is tailored to each entity’s individual circumstances. The auditor needs to ensure that such an explanation reports matters of significance clearly and concisely, without the use of boilerplate text.
The explanation would be expected to cover how the auditor has assessed the risk of material misstatement in respect of irregularities, including fraud (and NOCLAR), and the auditor’s approach to responding to those risks as part of the audit.
The level of detail required will depend on the specific circumstances of the entity and the significance of the irregularities in the context of the financial statements as a whole. Further details on the level of detail required can be found in paragraphs A39-2 to A39-5 of ISA (UK) 700.
In determining what information the auditor should include in the auditor’s report, the auditor may consider the extent to which the following aspects of the auditor’s approach affected the auditor’s capability to detect irregularity (this is not an exhaustive list):
- The auditor’s assessment of the susceptibility of the entity’s financial statements to material misstatement, including how fraud might occur.
- Which laws and regulations the auditor identified as being of significance in the context of the entity.
- How the auditor obtained an understanding of the legal and regulatory framework applicable to the entity and how the entity is complying with that framework.
- How the auditor obtained an understanding of the entity’s policies and procedures on compliance with laws and regulations, including documentation of any instances of non-compliance.
- How the auditor obtained an understanding of the entity’s policies and procedures on fraud risks, including knowledge of any actual, suspected or alleged fraud.
- The engagement partner’s assessment of whether the engagement team collectively had the appropriate competence and capabilities to identify or recognise non-compliance with laws and regulations, details of those matters about non-compliance with laws and regulations and fraud that were communicated to the engagement team, and any discussions with specialists on areas of the financial statements particularly susceptible to fraud.
- In the case of a group, how the auditor addressed these matters at both the group and component levels.
- Communications with component auditors to request identification of any instances of non-compliance with laws and regulations that could give rise to a material misstatement of the group financial statements.
- In the case of a regulated entity, how the auditor obtained an understanding of the entity’s current activities, the scope of its authorisation and the effectiveness of its control environment
In explaining the extent to which the audit was considered capable of detecting irregularities, the auditor should consider how their approach to the audit has affected the likelihood of detection. This will be affected by:
- the inherent difficulty in detecting irregularities;
- the effectiveness of the entity’s controls; and
- the nature, timing and extent of the audit procedures performed.
Irregularities that result from fraud might be inherently more difficult to detect than irregularities that result from error. The auditor’s responsibilities for the engagement will mean that detection of those types of irregularity which give rise to a risk of material misstatement are those on which the auditor is able to provide the most comprehensive explanation.
- Where the auditor identified legislation of particular relevance to the entity2, the procedures the auditor designed to obtain sufficient appropriate audit evidence regarding compliance with that legislation.
- Whether the audit team identified particular areas that were susceptible to misstatement as part of their fraud discussions.
In determining those matters that are of significance, both quantitative and qualitative factors are relevant to such consideration. ISA (UK) paragraph 250A (November 2019) states that acts of non-compliance may not generate material fines or penalties, and therefore not be quantitatively material, but they may have a direct effect on disclosures where disclosures of non-compliance are important to users of the financial statements. In addition, fraud is more often than not qualitatively material.
Detail on the auditor’s understanding of the industry or sector the entity operates in, its performance and its remuneration policies, may also be helpful in providing an understanding of the risks of NOCLAR and fraud.
The auditor’s explanation of its audit response will depend on the risks identified but may include:
- Enquiry of management, those charged with governance and the entity’s solicitors (or in-house legal team) around actual and potential litigation and claims.
- Enquiry of entity staff in tax and compliance functions to identify any instances of non-compliance with laws and regulations.
- Reviewing minutes of meetings of those charged with governance.
- Reviewing internal audit reports.
- Reviewing financial statement disclosures and testing to supporting documentation to assess compliance with applicable laws and regulations.
- Auditing the risk of management override of controls, including through testing journal entries and other adjustments for appropriateness, and evaluating the business rationale of significant transactions outside the normal course of business.
Interaction with KAMs
For those entities where the auditor is required to report on KAMs , the auditor may also have determined that certain matters relating to NOCLAR or fraud are key audit matters. This does not exempt the auditor from also including the required explanation in their report, as to what extent the audit was considered capable of detecting irregularities, including fraud. This explanation can be cross referenced to a KAM, where that KAM provides further explanation.
The following risks of fraud and NOCLAR may be impacted by the COVID-19 pandemic , and hence impact the assessment performed by the auditor and described in the auditor’s report.
ICAEW’s guidance on the ICAEW’s 2020 Code of Ethics and NOCLAR notes the following areas as being relevant to NOCLAR:
- insolvency processes and procedures;
- fraud, corruption and bribery;
- money laundering, terrorist financing and proceeds of crime;
- securities markets and trading;
- banking and other financial products and services;
- data protection;
- tax and pension liabilities and payments;
- environmental protection; and
- public health and safety.
During the COVID-19 pandemic, from the above list, fraud, money laundering, and insolvency processes and procedures are likely to be key considerations. Public health and safety is also likely to be of great public interest.
Implementation of government support schemes, such as the Coronavirus Job Retention Scheme, carries risks of NOCLAR, for example where the related rules are complex and there is a risk of claiming in error.
The COVID-19 working environment increases the inherent risk of fraud. ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements discusses fraud risk factors, being events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
The current environment may also give rise to these incentives and pressures where there is a going concern risk, including a pressure to meet covenants.
Government support schemes carry their own fraud risks, for example deliberately claiming payments for furlough of staff when the staff are still working.
There may be opportunities for fraud with more remote working. Employees and management may be focused on sustaining revenue, developing alternative revenue streams, and applying for and implementing government support schemes. Internal controls may not be operating the way they usually do, and a greater number of internal controls will be being operated remotely. Suspicious or unusual activity that may indicate fraud may be even more difficult to spot by management, and by auditors.
Threats in terms of public health may come about due to the prevalence of fraudulent schemes in this area. For example the sale of defective personal protective equipment (PPE), or PPE sold under fraudulent schemes, whereby the goods are never delivered.
The above is not an exhaustive list, and there will be other fraud risks that have arisen in the COVID-19 environment. The Further Guidance section at the end of this guide includes links to other ICAEW articles relevant to COVID-19 and fraud.
Where auditors are assessing fraud risks and performing testing remotely, there may be additional difficulties. Therefore, when the auditor describes the extent to which the audit was capable of detecting irregularities, including fraud, and describes procedures carried out as part of the audit response, the wording should be sufficiently tailored to describe changes to the audit approach due to the current environment.
- ICAEW’s 2020 Code of Ethics and NOCLAR.
- NOCLAR provisions in the revised Insolvency Code of Ethics: what they are and how to comply
- COVID-19 fraud: be on the lookout and act fast
- Fraudulent COVID-19 claims: an ICAEW Chartered Accountant’s responsibilities
- COVID-19 Fraud Watch
- What to do if you suspect your client of furlough fraud
- ICAEW’s Technical Advisory Service helpsheet - COVID-19: ethical issues for members in business
- ICAEW’s Technical Advisory Service helpsheet on Suspicious Activity Reports (SARS)
- ICAEW’s Audit and Assurance Faculty’s thought leadership essay, Fraudulent financial reporting: fresh thinking, looks at the fraud aspects.
1 In this guide we refer to the date of the newest revision of the standard where the requirement is only included in that version. Where requirements are the same in both versions, we refer to the standard without reference to its date.
2 ISA (UK) 250A Consideration of Laws and Regulations in an Audit of Financial Statements notes that the effect on financial statements of laws and regulations varies considerably. Those laws and regulations to which an entity is subject constitute the legal and regulatory framework. The provisions of some laws or regulations have a direct effect on the financial statements in that they determine the reported amounts and disclosures in an entity's financial statements. Other laws or regulations are to be complied with by management or set the provisions under which the entity is allowed to conduct its business but do not have a direct effect on an entity's financial statements.