For periods commencing on or after 15 December 2019, all auditors (where ISAs (UK) apply) are required to explain in the auditor’s report the extent to which the audit was considered capable of detecting irregularities, including fraud. This guide from ICAEW’s Audit and Assurance Faculty provides practical considerations for auditors who are required to report on irregularities, including fraud, for the first time.
The guide supplements the Faculty’s existing guide, 'How to report on irregularities, including fraud, in the auditor’s report – a guide for auditors'. We recommend reading that guide first to understand the requirements before using this guide as a basis for constructing wording in the auditor’s report.
This guide was prepared with auditors of Small and Medium-sized Entities/Enterprises (‘SMEs’) in mind, but its principles will also apply to other entities, including Public Interest Entities (PIEs).
We understand that the Financial Reporting Council (FRC) intends that the auditor’s explanation should be tailored to each entity’s individual circumstances, reporting matters of significance clearly and concisely, without the use of boilerplate text. This is likely to require the auditor to devote further time to think through the wording, especially in the first year of reporting.
We provide below areas that the auditor considers in developing the explanation, as well as questions to help develop that explanation - suitable wording in all cases will vary for each individual entity and according to the auditor’s approach to that particular audit. The explanation may also vary year to year for the same entity should the risk profile change - for example, the entity becomes subject to different laws and regulations or different fraud risks arise. Simply rolling forward the prior year explanation should be avoided. How the auditor developed their explanation, and the areas considered, would be expected to be documented in the audit file.
This guide is designed to walk auditors through the thought process. Not everything below will be pertinent to every explanation. Auditors should focus on those laws and regulations and those aspects of their approach which are most significant to that entity and audit - the FRC has been clear that the explanation reports matters of significance ‘clearly and concisely’. The explanation should be focused enough to be useful to a reader of the auditor’s report.
As you read through the guide, we recommend that you remain mindful that in simple terms, a concise explanation will be driven by:
The FRC’s bulletin of example audit reports includes this explanation in the section of the auditor’s report which describes the Auditor’s responsibilities for the audit of the financial statements. However, these are example templates and the auditor can choose to include this information elsewhere within the auditor’s report. The extant wording around Auditor’s responsibilities will help give context to the explanation as to what extent the audit was considered capable of detecting irregularities, including fraud.
Title and introductory text
The following introductory wording was suggested by the FRC:
Explanation as to what extent the audit was considered capable of detecting irregularities, including fraud
[Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud.
The extent to which our procedures are capable of detecting irregularities, including fraud is detailed below:]
The introductory text will lead into the explanation. We outline below the areas that the explanation is expected to cover, along with questions to consider to allow tailoring to the specific circumstances of the entity and of the audit.
The bold titles below do not constitute required headings – they are used in this guide merely to identify areas expected to be covered by the explanation.
Auditor's approach to assessing the risks of material misstatement due to irregularities, including fraud
Detail the auditor’s approach to assessing the risks of material misstatement due to fraud and NOCLAR.
Eg, [Our approach was as follows:]
Eg, [We obtained an understanding of the legal and regulatory frameworks that are applicable to the entity and determined that the most significant are those that relate to:]
Which laws and regulations are significant to the entity and why?
As a reminder, ISA (UK) 250 Section 'A Consideration of Laws and Regulations in an Audit of Financial Statements' paragraph 6 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:
Relevant questions for the auditor to consider in order to determine which laws and regulations are significant to the entity, and why, might include:
- Which financial reporting framework is significant to the entity? Eg, FRS 102, FRS 105, IFRS, IFRS for SMEs, Pensions SORP, Charities SORP, Housing SORP, etc.
- Is there any legislation, such as Companies Act 2006, which is significant to the entity? Is the entity a pension scheme where legislation allows the Pensions Regulator to fine the scheme or remove trustees?
- Are there any complex taxation issues which are significant to the entity and which might impact risks of material misstatement or elevate risks of non-compliance with laws and regulations?
- Are the relevant tax compliance regulations in the jurisdiction in which the entity operates significant to the entity?
- Are there any complex, cross-border taxation issues?
- Are there any uncertain tax positions?
- For a pension scheme, can HMRC rescind registered scheme status?
- Are there any other significant laws and regulations that may have an effect on the determination of the amounts and disclosures in the financial statements?
For example, in the 2020/21 reporting season, laws and regulations concerned with UK government COVID-19 support schemes might be considered by the auditor to be significant to the entity.
For example, the Coronavirus Jobs Retention Scheme (CJRS), Coronavirus Business Interruption Loan Scheme (CBILS), Bounce Back Loan Scheme, Covid-19 Corporate Financing Facility (CCFF), or the ban on business evictions.
Other laws and regulations which might be determined to be significant to the entity might be, for example:
- data protection laws (including UK General Data Protection Regulation (GDPR));
- employment matters;
- health and safety;
- food hygiene;
- licensing regulations;
- bribery and corruption practices; and/or
- fundraising regulations for charities.
- Does the company operate in a highly regulated environment that requires the Senior Statutory Auditor to have particular experience and expertise? Does the audit engagement team and experts have the appropriate competence and capabilities? Eg, the gaming industry, the charity sector, financial institutions, or nuclear power.
The financial reporting framework, including, where relevant, the Companies Act 2006 and the Charities Act 2011, are likely to be significant for most entities.
What were the particular considerations in respect of fraud?
Eg, [We assessed the risks of material misstatement in respect of fraud as follows:]
Who did you make fraud enquiries of during the audit?
- those charged with governance?
- internal audit?
- service organisations?
Were other analytical procedures used to identify any unusual or unexpected relationships?
Did the audit team discuss and identify particular areas that were susceptible to misstatement as part of their fraud discussion?
Did the audit team identify any fraud risk factors in its discussion of related party relationships and transactions?
ISA (UK) 550 states that fraud may be more easily committed through related parties.
Audit procedures designed to respond to the risks of NOCLAR
Describe the audit procedures performed in response to the risks identified.
Eg, [Based on the results of our risk assessment we designed our audit procedures to identify non-compliance with such laws and regulations identified above.]
Describe your approach to understanding the entity’s policies and procedures for compliance with those laws and regulations.
Describe how you gained an understanding of how instances of non-compliance with laws and regulations or knowledge of actual, suspected, or alleged fraud is documented.
Who did you make enquiries of during the audit?
- those charged with governance?
- the Company Secretary?
- legal counsel?
- internal audit?
- others responsible for risk or compliance procedures?
- other group auditors / component auditors?
- other third parties?
- review of the volume and nature of complaints received by the whistleblowing hotline during the year / other complaints channels?
Eg, [We corroborated our enquiries through:]
How did you corroborate your enquiries?
- review of Board minutes?
- review of correspondence with HMRC or Companies House?
- review of correspondence with other regulatory bodies?
- review of papers provided to the audit committee?
Was there any contradictory evidence, or if not, can you state that there was none?
Audit procedures designed to respond to the risks of fraud
Management override of controls
How was the risk of management override of controls addressed?
Eg, [We considered the risk of fraud through management override and, in response, we incorporated testing of manual journal entries into our audit approach.]
Did you test year-end journals only, or journal entries throughout the year? Did you use data analytics to identify journal entries demonstrating certain risk factors?
Did you consider the influence of performance targets on management to be a risk, and if so, were procedures designed to address this risk?
Were any transactions outside the normal course of business identified, and if so, how did you corroborate that they were made for valid business rationale?
Other fraud risks
Eg, [Based on the results of our risk assessment we designed our audit procedures to identify and to address material misstatements in relation to fraud.]
Were any other fraud risks considered and audited?
Did you consider and design audit procedures to address, for example:
- The possibility of fraudulent or corrupt payments made through third parties?
- The risk of bribery and corruption, including whether the entity operates overseas, or makes grants overseas?
- Where segregation of duties is limited or not in place at all?
How were the requirements of paragraphs 29 (b) and (c) of ISA (UK) 240 (see below) applied to the audit?
29 (b) Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings.
29 (c) Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures.
Transactions displaying identified risk criteria
Where transactions meeting risk criteria were identified, what further work was carried out?
- Was additional testing to source information carried out?
- Did you have any discussions with specialists on areas of the financial statements particularly susceptible to fraud?
For group audits, ISA (UK) 600.41(d) requires communication with component auditors to request identification of any instances of non-compliance with laws and regulations that could give rise to a material misstatement of the group financial statements. Has this been explained?
ISA (UK) 700 (Revised) also encourages the auditor to explain the engagement partner’s assessment of whether the engagement team collectively had the appropriate competence and capabilities to identify or recognise non-compliance with laws and regulations.
In order to address this, relevant questions that the auditor might ask themselves are:
- Did the engagement partner conclude that more experienced audit team members needed to be allocated to perform work on certain account balances, classes of transaction or disclosures?
- Did the engagement partner conclude that any specialists were required on the audit, such as a forensic specialist?
Considerations around likelihood of detection
In explaining the extent to which the audit was considered capable of detecting irregularities, the auditor should consider how their approach to the audit has affected the likelihood of detection.
Has the explanation considered how the audit affected likelihood of detection?
This might include discussion of:
- the inherent difficulty in detecting irregularities;
- the effectiveness of the entity’s internal controls; and
- the nature, timing and extent of audit procedures performed.
Reminder of responsibilities for the audit
Consider ending the explanation by further clarifying the responsibilities for the audit with respect to fraud:
Eg, [A further description of our responsibilities for the audit of the financial statements is located on the FRC’s website at https:// www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditor’s report.]
This might already be included in another part of the Auditor’s responsibilities for the audit of the financial statements section.
ICAEW Know-How from the Audit and Assurance Faculty
This guidance is created by the Audit and Assurance Faculty – recognised internationally as a leading authority and source of expertise and know-how on audit and assurance matters. Join the Faculty to connect with like-minded professionals and gain access to essential guidance and technical advice.