The IRBA issued a staff audit practice alert in June 2020 to provide auditors with implementation guidance in responding to the risks of material misstatements due to fraud and/or non-compliance with laws and regulations. As is normally the case, this publication is quite lengthy and written in a format which makes it difficult for a practitioner to read and analyse in one sitting.
This is a shorter interpretation of the alert to reduce the volume thereof and to highlight the basic issues and additional important matters communicated. Please note that this is NOT an authoritative pronouncement of the IRBA, nor does it amend or override the International Standards or South African standards. Where an issue is encountered with an engagement, please perform more in-depth research.
1. Objectives of the audit and management’s responsibilities
The auditor’s objectives are to:
a. Assess RISK of material misstatement due to fraud
b. Obtain EVIDENCE in response to assessed risks
c. RESPOND appropriately to fraud or suspected fraud.
Management and those charged with governance are primarily responsible for the prevention and detection of fraud.
2. Professional scepticism
Scepticism entails the critical evaluation of evidence and is key to ensuring audit quality.
For the auditor to apply professional scepticism, it is necessary for the auditor to display certain attributes and attitudes as well as take certain actions.
3. Professional judgment
Auditors are reminded that professional judgment needs to be exercised throughout the audit and appropriately documented. Professional judgment is not to be used as the justification for decisions that are not otherwise supported by the facts and circumstances of the engagement or sufficient appropriate audit evidence.
This is especially relevant to judgments exercised when assessing and responding to fraud risks.
4. Discussions among team members
Auditors are encouraged to document the fraud discussions among engagement team members and are required to document the significant decisions reached during these discussions. As in any audit area, the assistance of experts, such as fraud examiners, should be sought where the audit team lacks the expertise to address fraud.
5. Making inquiries of management and others within the entity
It is recommended that these discussions be performed by a senior or more experienced member of the engagement team. The value of these discussions may be improved if a forensic expert is involved to conduct the interviews, where additional fraud risk factors are identified in relation to the individual from whom inquiries are made.
6. Fraud risk factors prevalent in the South African environment
Examples of fraud risk factors that are prevalent in the South African environment (there may be some overlap between these examples of fraud risk factors and those contained in Appendix 1 of ISA 240):
• Poor controls in public sector related entities
• Poor economic growth prospects
• Trend of decline in the Rand
• Poor performance of regulatory agencies
• Non-compliance with procurement policies
• Significant transactions with non-profit organisations
• “State capture” through inappropriate relationships
• Crime rate and money laundering
• Undocumented and illegal workforce
• Porous land borders and harbours
• Lack of successful prosecution
• Falsifications of qualifications for job applications
• Onerous tax compliance requirements
• Greater tolerance for fraud and corruption
7. Identification and assessment of risks of material misstatement due to fraud
Assess the overall risk of fraud and control environment of the industry and the entity.
Understand the industry and the entity’s ethical and anti-fraud culture, by considering:
• Incidences of fraud
• Fraud risk assessment procedures
• Mitigating measures
• Communication with employees on fraud
• Communication with those charged with governance on fraud
Determine whether there are indicators of an increased fraud risk.
This is done through discussions with appropriate members of management and independent research of the industry and the entity.
8. Audit evidence
The auditor is encouraged to evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement. If not, the auditor is encouraged to perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis. In identifying and assessing the risks of material misstatement, the auditor is encouraged to take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management.
9. Significant risks
Auditors are encouraged to clearly identify which of the risks of material misstatements are due to fraud and are therefore a significant risk.
ISA 315 requires an understanding to be obtained of systems of internal control over significant risks.
10. Presumed risk of fraud in revenue recognition
There is a presumed risk of fraud for the completeness and/or occurrence assertions of revenue. IRBA Staff Audit Practice Alert 4 includes examples of fraud schemes in revenue recognition as guidance to auditors in this regard.
11. Knowledge, skill and ability required of auditors
Consider the attributes of the team in order to address the challenges of the engagement regarding fraud.
Where there is a possibility or occurrence of an investigation against the entity or management, it is advisable to make use of the services of a forensic expert.
12. Responses to risk of fraud – general
The auditor must obtain more persuasive evidence.
Consider how the conduct of the audit can reflect increased professional scepticism:
• Sensitivity to the quality of documentary evidence
• Increased corroboration of management’s explanations
• Increased supervision of individuals with significant engagement responsibilities
• Sceptically evaluate selection and application of accounting policies
• Incorporate an element of unpredictability in selection of procedures
• Having less tolerance for scope limitations imposed by management and for time wasting.
Implement increased safeguards on audit and at firm level.
Create and maintain a culture of scepticism at firm level.
Involve the relevant experts from IT, Tax, Forensics, Valuations when required.
Follow up on existing investigations.
Design and perform more robust audit procedures, considering:
• Quality vs. profit consideration
• Client acceptance and continuance considerations
• Analytic review procedures
• Tax balances
• Related parties
• Possibility of IT-related fraud
• Audit evidence consideration
• Audit opinion consideration
Seven critical areas to perform differently:
1. Less predictability
2. More observation of and communication with employees of entity
3. Avoid limited access to employees
4. More independent confirmations from vendors and customers
5. Immediate response required to documentation requests
6. Consider having a certified fraud examiner as part of the audit team
7. Limit “friendly” interaction.
13. Responses to risk of fraud – management override of controls
Irrespective of the assessment of this fraud risk, auditors must:
• Test journal entries;
• Review accounting estimates; and
• Evaluate the business rationale of significant transactions outside the normal course of business.
These are not the only areas where management may override controls. Also consider:
• Increased credit terms granted
• Beneficial terms to customers
• Waiving standard operating procedures
• Back-dating transaction documentation
• Interference in supply chain management: communication with vendors submitting tenders
• Forcing use of certain vendors
• Premature payment of suppliers without necessary proof of delivery of goods or services
• Changing master files
• Changing banking details
• Payment of salaries/wages to employees outside of payroll, in cash or to connected persons without complying with standard payroll operating procedures
• Private expenditure
• Inconsistent practices
• Override controls over processes to make accounting estimates
• Omission or obscuring facts for disclosure in the financial statements.
When selecting journal entries for testing, consider characteristics of journal entries indicative of fraudulent entries:
• Entries made to unrelated, unusual, or seldom-used accounts
• Entries made by individuals and/or user profiles/user groups within the IT department who typically do not make journal entries
• Entries recorded at the end of the period or as post-closing entries that have little or no explanation or description
• Entries made either before or during the preparation of the financial statements that do not have account numbers
• Abnormal entries made immediately before a reporting period, such as before VAT returns, payroll or employees’ tax returns and/or monthly management reports
• Journal entries that are not sufficiently narrated
• Entries that contain round numbers or a consistent ending number
• The characteristics of the accounts affected by the entries:
o Accounts that contain transactions that are complex or unusual in nature
o Accounts that contain significant accounting estimates and period-end adjustments
o Accounts that have been prone to errors in the past
o Accounts that have not been reconciled or contain unreconciled differences
o Accounts that contain intercompany transactions
o Accounts that contain related party transactions and/or balances
o Accounts that are otherwise associated with identified risks of material misstatement due to fraud.
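The journal entry characteristics listed above can be applied as a first-pass screen over a ledger export to decide which entries to pull for testing. The following Python is an added example, not part of the IRBA alert; the field layout, thresholds, flag names, list of usual preparers and the constructed sample entries are all assumptions.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample ledger (not real data):
# (entry id, posting date, account, user, amount, narration)
JOURNALS = [
    ("JE001", date(2020, 6, 12), "4000", "clerk1", Decimal("1843.27"), "June sales invoice batch 14"),
    ("JE002", date(2020, 6, 15), "4000", "clerk1", Decimal("912.40"), "June sales invoice batch 15"),
    ("JE003", date(2020, 6, 18), "4000", "clerk2", Decimal("2310.05"), "June sales invoice batch 16"),
    ("JE004", date(2020, 6, 30), "9990", "itadmin", Decimal("250000.00"), ""),
    ("JE005", date(2020, 7, 3), "4000", "clerk2", Decimal("75000.00"), "adj"),
    ("JE006", date(2020, 6, 22), "", "clerk1", Decimal("431.10"), "Reclass of courier costs"),
]

def screen_journals(journals, period_end, usual_users, window_days=2,
                    rare_account_max=1, min_narration=10, round_unit=1000):
    """Return {entry_id: [flags]} for entries showing the listed characteristics."""
    # How often each account is used in the population (seldom-used accounts).
    account_use = Counter(j[2] for j in journals if j[2])
    flagged = {}
    for entry_id, posted, account, user, amount, narration in journals:
        flags = []
        if not account:
            flags.append("NO_ACCOUNT_NUMBER")
        elif account_use[account] <= rare_account_max:
            flags.append("SELDOM_USED_ACCOUNT")
        if user not in usual_users:          # e.g. IT profiles that do not normally post
            flags.append("UNUSUAL_USER")
        if posted > period_end:
            flags.append("POST_CLOSING")
        elif (period_end - posted).days <= window_days:
            flags.append("PERIOD_END")
        if len(narration.strip()) < min_narration:
            flags.append("POOR_NARRATION")
        if amount % round_unit == 0:         # round-number amounts
            flags.append("ROUND_AMOUNT")
        if flags:
            flagged[entry_id] = flags
    return flagged

if __name__ == "__main__":
    hits = screen_journals(JOURNALS, date(2020, 6, 30), {"clerk1", "clerk2"})
    # Entries with the most characteristics first: candidates for testing.
    for entry_id, flags in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        print(entry_id, ", ".join(flags))
```

A flag is a reason to select an entry for testing, not a finding; the thresholds should be set from the entity's own posting patterns.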
14. The auditor’s considerations relating to fraud when there is a fraud investigation in progress
Where a forensic investigation into alleged fraud is in progress at the time an engagement takes place, consider:
• Scope of the investigation
• Parties performing investigation
• Management’s reporting obligations
• Impact on audit approach and reporting process
• Matters being investigated
• Additional audit procedures
• Audit report
- Key Audit Matter
- Emphasis of matter
- Modified opinion
15. The auditor’s responsibilities when fraud is discovered
When performing review engagements, other assurance engagements or non-assurance engagements, consider responsibilities in accordance with the ISREs, ISAEs or the ISRSs respectively.
When performing an audit, consider additional responsibilities (beyond ISA 240) under law, regulation or relevant ethical requirements regarding the entity’s non-compliance with laws and regulations, such as:
• Responding to non-compliance: communicate with management, assess their response and determine whether further action is needed
• Communicating non-compliance to other auditors
• Documenting required details regarding non-compliance.
16. Appendices to the IRBA Staff Audit Practice Alert
Appendix A sets out the IRBA’s increased focus on fraud when setting standards.
Appendix B sets out interviewing techniques where irregularities are uncovered.
Auditors need to carefully consider fraud during these turbulent times. LEAF stands ready to assist and guide you.
1. IRBA: Staff Audit Practice Alert 4, A South African perspective on the auditor’s considerations relating to fraud, June 2020