This article examines the definitions given by International Standard on Auditing (ISA) 240 (Redrafted) of fraud and error, and the historical expectations of the audit role. It also defines the extent of auditor responsibilities for the prevention and detection of fraud, including the need for professional scepticism and discussion among the engagement team. The article then summarises the key risk assessment procedures required of auditors by ISA 240 (Redrafted), and concludes that the traditional ‘watchdog not bloodhound’ philosophy regarding the extent of auditor responsibilities for fraud detection is no longer valid in the context of the requirements of the redrafted ISA.
Fraud is a highly controversial area, and the extent of auditor responsibility for the prevention and detection of fraud has generated considerable discussion in recent years. This article aims to summarise the current extent of auditor responsibilities for fraud, as per the requirements of ISA 240 (Redrafted), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. ISA 240 (Redrafted) was issued in December 2006 and is effective for audits of financial statements for periods beginning on or after 15 December 2008. The International Auditing and Assurance Standards Board (IAASB) Clarity Project was launched in 2004 in order to encourage greater use of its standards and to facilitate the process of translation of standards into other languages. ISA 240 is described by the IAASB Handbook (reference 1) as ‘redrafted’ because it has been revised in the past few years and is not in need of further revision by the Clarity Project. As a result, the ‘clarified’ version of ISA 240 is the same as the redrafted version. See the IAASB Handbook, and the section ‘Background Information on the Clarity Project of the IAASB’ for further details (reference 2).
The traditional ‘passive philosophy’ towards auditor responsibility for fraud detection is well summarised by the Lord Justice Lopes’ ruling, in the UK, given in the 1896 Kingston Cotton Mill case (re Kingston Cotton Mill Company (No.2)): ‘An auditor is not bound to be a detective, or … to approach his work with suspicion, or with a foregone conclusion that there is something wrong. He is a watchdog, not a bloodhound.’ (Reference 3). Watchdogs and Bloodhounds (below) gives formal definitions of a ‘watchdog’ and a ‘bloodhound’.
Clearly, auditing has changed considerably since 1896, although auditor responsibility for fraud detection has remained a low priority. We now consider the requirements of the recently revised audit standard regarding the role of the auditor and fraud detection, and then form a conclusion about the current extent of auditor responsibility for fraud detection.
The key distinguishing factor between fraud and error is whether the underlying action that results in a misstatement of the financial statements is intentional or unintentional. The term ‘fraud’ is a broad legal concept, but the auditor is concerned with fraud that causes a material misstatement in the financial statements. ISA 240 (Redrafted) defines fraud as: ‘An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.’ ISA 240 (Redrafted), paragraph 11.
The two types of fraud most relevant to the auditor, according to ISA 240 (Redrafted), are misstatements arising from fraudulent financial reporting, and misstatements arising from the misappropriation of assets. By way of contrast to fraud, the term ‘error’ refers to an unintentional misstatement in financial statements, including the omission of an amount or a disclosure. ISA 240 (Redrafted) says: ‘The distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional.’ ISA 240 (Redrafted), paragraph 2.
The emphasis of this article is on fraud, because fraud responsibilities are more controversial than error. Fraud may involve sophisticated and carefully organised schemes, designed to conceal fraudulent activity, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made to the auditor. However, in order to better understand error, more consideration of internal control effectiveness is required.
ISA 240 (Redrafted) makes it clear who has the main responsibility for the prevention and detection of fraud: ‘The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management.’ ISA 240 (Redrafted) paragraph 4.
ISA 240 (Redrafted) also goes on to state, however, that: ‘An auditor conducting an audit in accordance with ISAs is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error.’ ISA 240 (Redrafted), paragraph 5.
Hence, both the entity itself and the auditors have responsibilities for fraud and error. It could be said that management, and those charged with governance, have the primary responsibility for fraud and error, whereas the auditor has a secondary responsibility. It is important, however, to ensure that the extent of these secondary responsibilities are clearly understood, which is the area discussed in the rest of this article.
ISA 200 (Revised and Redrafted), Overall Objective of the Independent Auditor and the Conduct of an Audit in Accordance with ISAs, requires the auditor to maintain an attitude of professional scepticism: ‘The auditor shall plan and perform an audit with professional scepticism, recognising that circumstances may exist that cause the financial statements to be materially misstated.’ ISA 200 (Revised and Redrafted), paragraph 15.
ISA 200 (Revised and Redrafted) describes professional scepticism as: ‘An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.’ ISA 200 (Revised and Redrafted), paragraph 13 (l).
ISA 240 (Redrafted) further requires that: ‘The auditor is responsible for maintaining an attitude of professional scepticism throughout the audit.’ ISA 240 (Redrafted), paragraph 8.
Professional scepticism is of key importance to the audit, for example requiring auditors to be alert to:
ISA 240 (Redrafted) refers to the requirement in ISA 315 (Redrafted), Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, that members of the engagement team discuss the susceptibility of the entity’s financial statements to material misstatement due to fraud. ISA 240 (Redrafted) requires that: ‘This discussion shall place particular emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur.’ ISA 240 (Redrafted), paragraph 15.
Ordinarily, the key members of the engagement team should be involved in the discussion, and the engagement partner should then consider which matters are to be communicated to those in the team not involved in the discussion. Discussion is expected to occur with a questioning mind, setting aside any beliefs held by the engagement team members that the management and those charged with governance are honest and have integrity. Interestingly, this discussion is also expected to include a consideration of how an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed.
ISA 240 (Redrafted) requires that the auditor performs risk assessment procedures to obtain information for use in identifying the risks of material misstatement due to fraud. Paragraphs 17 to 24 of ISA 240 (Redrafted) outline the required risk assessment procedures, which are summarised in the Risk Assessment Procedures box below.
The redrafting of ISA 240 has allowed for a timely review of audit responsibilities relating to fraud. It should be noted, however, that there are minor differences of emphasis between the requirements of ISA 240 (Redrafted) and the current requirements of ISA (UK and Ireland) 240 The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements, which became effective for periods commencing on or after 15 December 2004. According to ISA 240 (Redrafted) the difference between fraud and error depends upon whether deception has been used, and the distinction between the responsibilities of those charged with governance and auditors for fraud prevention can be described respectively as primary and secondary responsibilities. Auditors are required, however, to maintain an attitude of professional scepticism throughout the audit, and members of the audit engagement team are required to discuss the susceptibility of the entity’s financial statements to material misstatement due to fraud.
ISA 240 (Redrafted) requires auditors to perform risk assessment procedures to obtain information for use in identifying the risks of material misstatement due to fraud.
Finally, it can be concluded that to describe the audit role as that of a ‘watchdog, not a bloodhound‘ is no longer valid in the context of the requirements of the redrafted and revised ISAs; these negate the traditional ‘passive philosophy’ towards auditor responsibility for fraud detection, marking a significant shift away from a ‘monitoring’ role and towards the requirement for a very keen ‘sense of smell’.
Written by a Paper F8 exam panel member