This report from the Audit and Assurance Faculty describes the significant resources devoted to fraud-related activities within individual audit firms, and across the profession and looks at what more can be done by all players in the financial reporting ecosystem to improve fraud deterrence and detection.
Trust is hard won, and easily lost. The objective of an external audit is to provide confidence in the quality of financial reporting and improve trust in the corporate reporting regime more widely. When a company fails because of fraud, or a fraud is uncovered not long after an unqualified audit report has been issued, it damages stakeholder trust in financial reporting, as well as audit quality, auditors and in particular, the audit firm involved. Reputational damage spreads far and wide.
Many players in the financial reporting ecosystem - not just auditors - directly or indirectly influence the quality and reliability of financial reporting and the likelihood that fraud will be prevented or detected. There is, however, a public perception that auditors can and should be doing much more to deter and detect fraud and prevent the unexpected failure of large UK companies due to fraud.
In late 2021, ICAEW spoke to auditors at the largest UK audit firms to learn more about the reality of fraud, to support a better-informed discussion about what is being done to improve the likelihood that auditors will detect it. This snapshot of recent and ongoing audit firm initiatives helps demonstrate the direction of travel and the scope, scale and significance of the transition that is happening across the audit profession, as firms take steps to better facilitate fraud deterrence and detection.
We reflected on what we heard, and we have included in this publication a series of recommendations for consideration by audit firms, company directors, and government and audit regulators. The recommendations are summarised and grouped together below. They explain what more we believe can be done, and what can be done differently, by all of these groups to better deter and detect fraud, and thereby reduce the risk of disorderly corporate failure. We also set out what we think stakeholders can and should be doing now, in anticipation of the expected reforms reflected in the Government’s May 2022 response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance systems (the ‘Feedback Statement’).
Summary of recommendations
Audit firms
- consider doing things differently: assess the need for greater specialist and forensic involvement at all stages of the audit, on a risk-assessed basis; step up efforts to change ingrained cultures, behaviours and mindsets.
- consider doing more: reinforce professional scepticism; embed fraud-related learnings across the firm; widen the scope of the risk assessment using external data and information; encourage the robust challenge of management.
- prepare for change: consider the implications of management and voluntary auditor reporting on internal controls; engage with investor representatives on the implications of and need for audit committees to develop audit and assurance policies.
Executive and non-executive directors
- consider doing things differently: reconsider the adequacy of the company’s current approach to fraud risk management.
- consider doing more: better understand auditors’ concerns about the risk of fraud and re-evaluate the overall company ethos.
- prepare for change: renew efforts to engage all stakeholders in the audit process, consider the value of evaluating and reporting on internal controls, develop an audit and assurance policy.
Government and audit regulators
- consider doing things differently: involve all stakeholders in a debate about fraud risk management to inform new fraud-related requirements for companies and related requirements for auditors.
- consider doing more: share more and better-quality examples of best practice in fraud deterrence and detection for auditors; engage with HMRC, the FCA and others to enable more effective sharing of fraud-related learnings; enforce existing sanctions against those who mislead auditors; share more and better-quality examples of best practice in fraud risk management for companies.
- prepare for change: encourage recognition among international auditing standard-setters of the increasing importance of technology; consider the role of sanctions in an improvement regime; encourage best practice among audit committees.