ICAEW.com works better with JavaScript enabled.
Exclusive

Q&A: September 2023

Helpsheets and support

Published: 08 Sep 2023 Update History

Exclusive content
Access to our exclusive resources is for specific groups of students, subscribers, users and members.
Log in Find out more
Back to top
Fraud risk is a perennial area of concern for auditors and prompts many questions. This Audit & Assurance Faculty Q&A considers some.

One of our audit clients has made it perfectly clear that they prefer remote auditing. They don’t seem to want us to visit their offices and factories. I’m concerned, but uncertain about how to respond. What do you suggest?

Since the pandemic, working practices have changed and yours is not the only audit firm to find that certain clients would rather be audited remotely, when the firm itself would rather be at the client’s premises, according to findings by ICAEW’s Quality Assurance Department (QAD).

The client cannot refuse the auditor entry. There are, however, many possible reasons for your client’s reluctance – and for your concerns. Perhaps the client has something to hide, such as modern slavery or fraud. Perhaps the audit team has spotted red flags that may indicate a material fraud risk. Perhaps you want to see the whites of their eyes when you challenge management. 

Although hybrid working is now normal, it can be difficult to find the appropriate mix of work done remotely and conducted face to face. When determining this, it’s worth remembering that International Standards on Auditing (ISAs) assume in many cases that auditors can be physically present at the entity's premises.

While the four basic techniques for gathering audit evidence – observation, inspection, inquiry and analytical procedures – do not necessarily require auditors to be on-site, auditors will need to consider how to compensate for a lack of physical proximity in some areas when conducting auditing procedures remotely - inventory count and stock check, for example. 

A different mix of techniques is likely to be essential in the vast majority of cases, to provide sufficient appropriate audit evidence and the quality and quantity of audit evidence required will need to be carefully considered – as will the matter of whether and in which scenarios remote audit is or is not appropriate and necessary. 

QAD has reminded all audit firms to consider this when assessing the effectiveness of their approach to audits post-pandemic. Statutory audit is not just about numbers and checklists, but a deep understanding of the audit client and how its owners, managers and employees work.

Key resources:

Remote auditing – professional scepticism, fraud and error

Remote auditing – obtaining evidence

Fraud and audit: challenging clients remotely

 

I understand that the risk of fraud in revenue is almost always a significant risk because the presumption of fraud in revenue can only be rebutted in exceptional circumstances. Is this correct?

Quite simply, no. This is a surprisingly misunderstood area. In part, this misunderstanding is driven by the (as good as) universal recognition that it is remarkably common for fraudsters to manipulate revenue to produce misleading financial statements. Redcentric and Patisserie Valerie are two notable recent examples of this, but there are many, many more.

The intentions of the standard setters, when producing ISA 240’s rebuttable presumption of a significant risk of fraud in revenue, was to ensure that auditors adequately focused on what is a high-risk area.

The risk of fraud in revenue will not exist in every audit, but it must be specifically considered in every audit. In particular, there is a requirement to document why the auditor considers that the presumption should be rebutted. In other words, the fraud risk in revenue is a risk that must be documented, even in its absence.

More crucially, auditors need to consider the nature of the fraud risk so that the audit work can be properly targeted. For example, based upon an entity’s circumstances, the fraud risk recognition could relate to year-end cut-off and not elsewhere. This means that the auditors’ revenue transaction testing might be responding to a fairly low assessed risk and consequently a smaller sample size might be adequate, whereas the audit work on cut-off will often need to be more robust to address the greater risk.

Nonetheless, it’s important to recognise that fraud risk might also exist as a consequence of inappropriate journals posted to revenue (not necessarily just at the year-end) and therefore auditors need to consider whether their work on journals testing adequately addresses the risk.

Key resources:

Audit & Beyond Question Corner featuring this Q&A and another on revenue and fraud risk with examples of ways to improve the audit of this area.

Apprehending fraud in audits

Focusing on fraud in financial statements

Audit and fraud - a resource hub

Fraud risk factors in a financial statement audit

 

An external file reviewer has told me that I have not been sufficiently sceptical in a recent audit. I “must do more” to validate the authenticity of digital documents and demonstrate that I have done so. Apparently, it’s because of changes to the UK fraud ISA. What have I missed?

Let’s begin with some basics. The revised ISA (UK) 240 was issued by the Financial Reporting Council (FRC) in May 2021 and is effective for audits of periods beginning on or after 15 December 2021. In most cases, this means that the changes will apply to year ends from December 2022 onwards. 

To assist with implementation, you will find fraud detection tips and pointers to ISA (UK) 240 support resources from ICAEW, the FRC and the International Auditing and Assurance Standards Board in a March 2022 Audit & Beyond article. You may benefit from reading this and the resources it points to.

Among various changes in the revised ISA (UK) 240 is a requirement that the auditor be vigilant for conditions that indicate that a record or document may not be authentic. To assist with this, the auditing standard includes a list of indicators for auditors to look out for: 

  • unexplained alterations to documents received from external sources;
  • serial numbers used out of sequence or duplicated;
  • addresses and company emblems not as expected;
  • document style different to others of the same type from the same source (for example, changes in fonts and formatting);
  • an absence of information that would be expected;
  • invoice references that differ from others;
  • unusual terms of trade, such as unusual prices, interest rates, guarantees and repayment terms (for example, purchase costs that appear unreasonable for the goods or services being charged for);
  • information that appears implausible or inconsistent with the auditor’s understanding and knowledge;
  • a change from the authorised signatory;
  • ‘copy’ documents presented rather than originals; and
  • electronic documents with a ‘last edited’ date that is after the date they were represented as finalised.

Technology has made it easier to forge documents. In some scenarios, auditors may want to fight fire with fire. Software-based products are available to help with (and automate) some aspects of digital document forgery detection. You may want to research what is available on the market. You should definitely make time to read the revised fraud standard: as an auditor you need to be very clear on your responsibilities relating to fraud in an audit of financial statements.

Among many other things, ISA (UK) 240 also includes some very useful application and explanatory material and the appendices offer examples of: fraud risk factors; possible audit procedures to address the assessed risks of material misstatements due to fraud; and circumstances that indicate the possibility of fraud.

Key resources:

ISA (UK) 240 The Auditors Responsibilities Relating to Fraud in an Audit of Financial Statements

Sharpening the focus on corporate fraud: an audit firm perspective

Sharpening the focus on corporate fraud: audit committee

Recommended content

ICAEW Faculty
5 white paper aeroplanes in flight, and one blue one peeling off upwards.
Join the Audit and Assurance Faculty

Stay ahead of the rest with our comprehensive package of essential guidance and technical advice.

Find out more
Audit and Assurance conference
Audit and assurance conference and webinars

The annual Audit & Assurance Conference, upcoming webinars, and recordings of past webinars to watch on demand.

Webinars
hijab business woman in office
Audit in depth

In-depth guidance on completing all stages of an audit as well as how to make the decision as to whether or not an audit is required.

Find out more
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.
Login

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields
Next step

Add this page to your CPD activity

Step 2 of 3
Mandatory field
Back Next step

Add activity to my record

Step 3 of 3
Mandatory field
Back Add activity to my record

Activity added

Go to my CPD record

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250
Add activity to my record