ICAEW.com works better with JavaScript enabled.
Exclusive content
Access to our exclusive resources is for specific groups of subscribers and members.
In this edition, John Selwood considers questions relating to risk assessment, sample sizes and auditing revenue.

My firm uses third-party audit software. About 18 months ago, we found that the sample size calculator started producing very large sample sizes, particularly for testing revenue. The providers of the software told us this is necessary because the FRC required much larger sample sizes. Is that correct?

This sort of question has been very common over the past six months and there is a lot for me to unpack as I try to answer it.

First, it is true that the Financial Reporting Council (FRC) has made it known, during inspections, that sample sizes should not be subject to a nominal cap. Some service providers, supplying audit methodologies, have responded to this, which has led to changes in certain proprietary sampling methodologies.

However, this does not necessarily result in the very significant increases in sample sizes that are being reported by some auditors.

When I first came across this issue, I immediately noticed that it was revenue testing where the sample sizes were being identified as being ‘too large’ by auditors. On closer inspection, it seems that auditors were often determining inherent risk in revenue as very high and this determination was driving up the sample size.

When I asked these auditors what the actual inherent risks were, many simply responded that it was the ISA 240 presumption of a significant risk of fraud in revenue and nothing more specific than that. When I asked why the presumption was not rebutted their responses led on to the following question, below.

Based on all of this, it seems to me that although there have been changes in audit methodologies, these are not necessarily always responsible for driving up sample sizes. But these changes to audit methodologies are shining a spotlight on some incorrect assessments of inherent risk.

I understood that the presumption of fraud in revenue could only be rebutted in exceptional circumstances and that the risk of fraud in revenue is always a significant risk. Is this correct?

Quite simply, no. This is a surprisingly misunderstood area. In part, this misunderstanding is driven by the (as good as) universal recognition that it is remarkably common for fraudsters to manipulate revenue to produce misleading financial statements. Redcentric and Patisserie Valerie are two notable recent examples of this, but there are many, many more.

The intentions of the standard setters, when producing ISA 240’s rebuttable presumption of a significant risk of fraud in revenue, was to ensure that auditors adequately focused on what is a high-risk area.

This is not to say that the risk of fraud in revenue exists in every audit, but that it must be specifically considered in every audit. In particular, there is a requirement to document why the auditor considers that the presumption should be rebutted. In other words, the fraud risk in revenue is a risk that must be documented, even in its absence.

More crucially, auditors need to consider the nature of the fraud risk, so that the audit work can be properly targeted. It is most common for the fraud risk to exist in year-end cut-off and not elsewhere. This means that the auditors’ revenue transaction testing might be responding to fairly low risk and consequently a smaller sample size might be adequate, whereas the audit work on cut-off will often need to be more robust to address the greater risk.

Nonetheless, it’s important to recognise that fraud risk might also exist as a consequence of inappropriate journals posted to revenue (not necessarily just posted at the year-end), and therefore auditors need to consider whether their work on journals testing adequately addresses the risk.

If the most common area of fraud risk in revenue is the year-end cut-off, how should auditors be addressing this risk?

When auditing revenue cut-off, increasing sample sizes to address a significant risk of fraud is rarely the complete response to the issue.

Obviously, testing the last five sales of the year, and the first sales of the next year, will often be inadequate. Remember that the auditor is trying to detect fraud and only a remarkably uninformed fraudster would not design their fraud well enough to avoid such an unsophisticated testing approach.

To detect fraud, the auditor needs to think like a fraudster and consider, for example, how cut-off might be manipulated. This could involve:

Another point to consider is whether the auditor has concluded that the risk of fraud relates to potential overstatement or understatement of revenue, based on management’s incentive. If it is the former, then there needs to be more of a focus on revenue transactions before the year-end to establish that they are valid (and credit notes applied after the year-end). If it is the latter, there needs to be greater focus on revenue transactions after the year-end to establish whether they should have been recorded pre-year-end.

Also, auditors need to introduce some unpredictability into their testing – a requirement under ISA 240 – so that individuals within the audit entity who are familiar with previous audit engagements are less able to conceal fraudulent financial reporting.

This unpredictability could be achieved by, for example:

If auditors always use the same approach, fraudsters can learn to work round that.

Improving audit of revenue

The audit of revenue is often mentioned by the Financial Reporting Council and by ICAEW’s Quality Assurance Department as an area where improvements are needed, based on their audit quality review findings. So, auditors may be able to improve their audit of revenue by considering some of the most common shortcomings in this key area.

Examples of opportunities for improvement include:

There is a faculty webinar on auditing revenue that firms may find helpful. It covers:

Questions asked by auditors during this webinar are answered in an Audit & Beyond article.

About the author
John Selwood, freelance lecturer and writer

Audit & Beyond

This article was first featured in the December 2022/January 2023 edition of Audit & Beyond.

Audit & Beyond Dec/Jan 2022/23