Fraud and government support – a guide for auditors

In the UK, the government has not imposed additional audit or assurance requirements in relation to government support schemes. Auditors in other jurisdictions should check whether any additional local requirements exist. However, all auditors should be aware of their existing responsibilities in relation to fraud and non-compliance with laws and regulations (NOCLAR). 

This Know-How guide from ICAEW’s Audit and Assurance Faculty provides some considerations for auditors when assessing the risks of fraud in relation to COVID-19 government support schemes. It is not however a comprehensive guide to ISA requirements.

Auditor responsibilities 

ISA 240 sets out the auditor’s responsibilities relating to fraud in the audit of financial statements. Auditors have a duty to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatements, whether caused by fraud or error. For some entities, government support schemes will be material, either by value and/or nature. 

ISA 250 sets out the audit requirements relating to laws and regulations. Paragraph 6 of ISA 250 identifies two categories to consider:

1. Laws and regulation that have a direct effect on the determination of material amounts and disclosures in the financial statements; and
2. Those that do not have a direct effect, but where compliance is fundamental to operations, an entity’s ability to continue in business or avoiding material penalties.

Depending on the category of NOCLAR, auditor responsibilities differ. For the first category, auditors must obtain sufficient appropriate audit evidence regarding compliance. For the second, the auditor’s responsibility is limited to undertaking specified audit procedures to identify instances of NOCLAR that may have a material effect on financial statements.

Auditors will need to consider the extent to which government support impacts the numbers and disclosures in the financial statements, as well as the risk that the entity may have made improper support claims. For example, has the entity made furlough claims under the Coronavirus Job Retention Scheme (CJRS) for hours an employee was actually working? If so, this could result in liabilities for repayments and fines. 

In considering this, auditors should consider materiality from both a quantitative and qualitative point of view. Users may consider that disclosures about the level of government assistance, even where of low value, are material by nature. The Audit and Assurance guide COVID-19: determining materiality discusses out further considerations.

Auditors carry out a range of procedures aimed at detecting material fraud and NOCLAR, but an audit is not a guarantee against either. Both are difficult to detect.  ISA 240 and ISA 250 both note that collusion and deliberate concealment, especially when it involves management, make the risk of not detecting a material misstatement from fraud or NOCLAR higher than the risk of non-detection of error. 

Professional scepticism

Auditors must remain professionally sceptical throughout the audit and be alert for inaccurate or misleading information provided by management. This applies regardless of past experience of the honesty and integrity of management. 

COVID-19 may have created new and additional pressures on management compared to prior years. Many companies are facing existential risks. Auditors may find it useful to review the Audit and Assurance Faculty guide COVID-19: considering going concern when identifying risks to continuing operations. When business survival is at risk, management may rationalise submitting fraudulent support claims as a means of protecting their livelihoods and those of their employees. 

Engagement team discussion

ISA 240 requires that the engagement team discuss how and where financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur. The team should set aside their beliefs about management’s integrity. 

Teams may find it helpful to structure their conversation around the three corners of the ‘fraud triangle’ and consider COVID specific impacts:

Opportunity

• Has working remotely or with modified controls given individuals greater opportunity to make fraudulent applications? 
• Could aspects of the support scheme applications, for example the availability of a wide range of support schemes, often with limited eligibility criteria, present opportunities to commit fraud?
• Could individuals have taken advantage of the complexity of rules while making claims? Limited checks during the application process may have provided opportunities to abuse schemes. While HMRC in the UK is expected to review CJRS compliance carefully, it will focus on detection, rather than prevention.

Pressure, motivation and incentives

• Are there motivations, such as working capital pressures, or incentives such as the need to continue to maintain profits in order to achieve bonuses or performance targets?
• Does the entity operate in an industry or sector which has been impacted more severely by COVID-19, such as hospitality or leisure, which might create greater incentives to commit fraud

Rationalisation

• What reasons might individuals use to justify their behaviour, for example, protecting jobs or the company as a whole?

It is important that auditors ensure that this is a holistic assessment by the team. People behave differently towards senior and junior audit staff respectively. Junior auditors may hear conversations that more senior members of the audit team would not – for example, complaints about having been made to work despite being on hours of furlough.

The team discussion could also focus on the government support schemes directly relevant to the entity, and review eligibility requirements, including where they may have changed over time. Consider whether any scheme requirements have changed over time. In the UK, a number of support schemes have changed since originally introduced. For example, the CJRS changed from 1 July 2020 to allow flexible furlough patterns. ICAEW’s guidance on CJRS provides information on these changes over time. Audit teams may find it helpful to involve tax experts in their discussions. 

The team could also discuss examples of fraud highlighted in the media, for example, furloughed employees being asked to work, inappropriate loan applications under the Coronavirus Business Interruption Loan Scheme (CBILS), or false claims under the Eat Out to Help Out scheme. It may be helpful to consider on a hypothetical basis how similar frauds could be committed by management or employees.

Audit partners should encourage the audit team to think about the people who produce the numbers and whether organisational dynamics could, for example, impact the effectiveness of certain financial controls, particularly while remote working. The Audit Assurance Faculty thought leadership essay Fraudulent Financial Reporting: Fresh Thinking provides examples of organisational behaviour and cultural considerations that may also help with highlighting fraud risk areas.

Fraud risk assessments

ISA 240 requires auditors to discuss the risk of fraud with management, and where relevant, the internal audit team. For companies which have applied for significant government support, auditors will need to consider this as part of their assessment. Questions that may be helpful are:

• What, if any, government funding has management applied for? This could include receipts under government schemes such as Eat Out to Help Out or a CBILS loan. How material are these receipts in value?
• Is it likely that any amounts may need to be repaid, including interest and penalties in the event of an incorrect claim? How material would repayments be, taking into account both in quantitative and qualitative factors?
• Have any loans been denied? Have any funds had to be repaid, for example, for overclaims on furloughs?
• What controls have management put in place to prevent fraud, for example, in relation to furloughed staff working or for claims under schemes such as Eat Out to Help Out? 
• Have employees been furloughed? What proportion of the work force were furloughed? If only a few employees were furloughed, these claims may not be material to the accounts. However, if a large proportion were furloughed, or the business closed, there is a higher risk of potential material misstatements.
• Where employees have been furloughed, how many have been furloughed, and has the business continued in operation? Do these employees have the capability to work remotely with access to the entity’s IT? If so, the risk of employees working while furloughed may be heightened.
• Has internal audit found any cases of actual or suspected fraud?
• Has management involved any independent external advisors in the process? This may help to mitigate the risk of fraud.
• Has any money been withdrawn through the business via directors’ loan accounts? Consider if there is a risk, for example, of CBILS loans being withdrawn by management in advance of a potential collapse.

While discussing these schemes with management, auditors will need to remain professionally sceptical. It will be helpful to consider in particular whether management has made any inconsistent statements or been generally evasive in discussing support received.

Auditors should also consider any unusual or unexpected relationships identified from analytical procedures, as well as any other information obtained. Auditors may find it helpful for example, to review press coverage, as UK news articles have already highlighted some potential abuses of government support schemes. 

Audit procedures

Depending on the outcome of risk assessments, auditors may need to perform work on government support claims. They will need to determine what audit procedures to perform which may differ depending on the support scheme. For CJRS claims, this might include, for example:

• Considering which set of rules and eligibility requirements applied during the claim period and whether the business has used the appropriate scheme for the period;
• Checking that relevant employees have been included on the necessary PAYE RTI submission(s) to be eligible for the scheme;
• Checking and comparing amounts claimed to previous payroll amounts;
• Checking the employer has confirmed to relevant employees (or reached collective agreement with a trade union) in writing that they have been furloughed and any variation in their employment contract has been agreed; 
• Determining whether operational controls were in place to ensure employees did not work whilst on hours of furlough and testing those controls; and
• Checking on a substantive basis for whether evidence supports claims, for example, checking whether furloughed employees have worked in the period claimed as not working, for example, by checking email or system access records.

Auditors should also consider reviewing correspondence with tax authorities. It may also be helpful to check the firm’s whistleblowing process and see whether any employees have complained about being asked to work while on hours of furlough or whether they are aware of other complaints being made.

Auditors may also consider consulting with tax and/or payroll experts to understand whether there are elements of the claim that were made inappropriately, particularly in more complex areas such as where there are substantial elements of variable pay. In such situations, claims might be made in error, but could also be made fraudulently. For schemes such as CJRS, that have changed over time, this may make mistakes more likely.

Due to the ongoing public health risk, many audit procedures may need to be performed remotely. Discussions with management and finance teams may be conducted via calls, rather than in person. This can present additional challenges for fraud detection, as the ability to observe subtle signs of deception or evasion in body language and tone may be reduced. Contacting management and finance teams by video call wherever possible may be helpful. The Audit and Assurance Faculty guide Remote auditing in practice considers issues around remote auditing in more detail.

Auditors may find it helpful to use technology to look for other signs of fraud. Software may help to identify journals posted by staff whilst on hours of furlough or highlight control overrides during remote working.

What to do if fraud or NOCLAR is suspected

If auditors suspect an entity has fraudulently claimed government support, they will need to act in accordance with legal, ethical and auditing requirements.

In the UK, this will require auditors to consider anti-money laundering obligations and whether there is a need for a suspicious activity report (SAR). Monies fraudulently obtained by a company from government support schemes would be proceeds of crime, and therefore, a SAR may be required. Materiality does not apply in relation to SARs, making any quantum of monies obtained fraudulently reportable. The ICAEW guide Suspicious Activity Reports (SARS) provides further information, including an example on CJRS.

Auditors of UK public interest entities should also be aware of their additional reporting obligations under ISA 250B. The FRC’s December 2020 COVID-19 bulletin discusses this further.

If you have questions, you may also discuss your specific situation with the Ethics Advisory Service on +44 (0)1908 248 250 – if you are concerned about potential fraudulent activity, please call anonymously.