Many auditors struggle with fraud risk assessments. This article provides audit guidance for assessing fraud risk.
No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud. Why? I fear the problem lies in how we as auditors use the risk assessment standards.
I still hear auditors say, “we are not responsible for fraud.” But are we not?
Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.
Why Auditors Don’t See Fraud Risk
Why do we not see fraud risks? Here are a few thoughts:
- We don’t understand how fraud occurs, so we avoid it
- We don’t know how to look for control weaknesses
- We think our time is better spent in other areas (namely performing substantive procedures)
- We still believe that a balance sheet approach to auditing is all we need
Signs of Weak Risk Assessments
So what are some signs of weak fraud risk assessments?
- We ask just one or two questions about fraud
- We limit our inquiries to as few people as possible (maybe even just one)
- We discount the potential effects of fraud (even after a client tells us it has occurred)
- We don’t perform walkthroughs
- We don’t conduct brainstorming sessions
- Our files reflect no responses to brainstorming and risk assessment procedures
- Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)
In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?
So how can we understand and respond to fraud risks? Here are a few thoughts.
Start with Potential Fraud Incentives
Fraud comes in two flavors:
- Cooking the books (intentionally altering numbers)
Start your fraud risk assessment process by determining if there are any incentives to manipulate the financial statement numbers. Are there any bonuses or promotions based on profit or other metrics? Are there other potential motivations for playing with the numbers such as promotions? Cooking the books is more prominent in for-profit entities, but be aware that someone nonprofits also offer incentives based on financial statement targets.
Internal control weaknesses are the doorway to theft. Next, we’ll see how to find those defects in accounting systems.
Look for Fraud Opportunities
My go-to procedure in looking for fraud opportunities is to perform walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.
Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.
The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.
Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.
In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces, and you will understand them.
Observation of Control Weaknesses
The auditing standards require that we use the following:
Audit standards state that inquiry alone is not sufficient for performing the risk assessment process. So we must marry inquiry with either observation or inspection or inquiry with both observation and inspection. May I suggest that you do the latter? Take pictures of your observations (use your smartphone) and make copies of documents you inspect. I like to write my narrative and then insert images into the “story.” (Tip: You can insert pictures in a Word document by clicking “Insert,” and “Object.” Then browse to the picture you desire to add.)
Our walkthroughs can include:
- Highlights of control strengths and weaknesses
I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.
Audit Standards (AU-C 240) state that we should inquire of management regarding:
- Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
- Management’s process for identifying, responding to and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
- Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
- Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
- The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
- For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures
If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.
Notice that in these inquiries, we are not only asking if fraud has occurred but does management have a prevention system in place? And does management communicate these processes to those charged with governance?
Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.
As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”
The audit standards state that there is a rebuttable presumption that revenues are overstated. Why? Because many past frauds were carried out by managers intentionally overstating income numbers. In some cases, management posted false journal entries at year-end to inflate income. Then in the following period, the entries were reversed.
Video Concerning Fraud Risk Assessment
Here’s a video about how to perform fraud risk assessments:
Brainstorming and Planning Your Responses – My Next Post
Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud will occur and then plan your audit responses. That’s the topic of our next post—so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post (see below).
Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.
If you missed my first two posts in this series, check them out here:
Learn from the CPA Scribo newsletter!
Get my free weekly accounting and auditing digest with the latest content.