Fraud and Error
With recent changes to sections 5090 and 5135 of the CICA Handbook, auditors have more guidance to deal with fraud and error in financial statements.
If you are engaged in public practice or provide audit services, you will be particularly interested in revisions to two sections of the CICA Handbookreleased last March. Amendments were made to section 5090,Audit of Financial Statements — An Introduction, and section 5135, The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements.
Typically revisions to assurance standards take effect from the date of release; however, these changes are effective for audits relating to periods ending on or after December 15, 2002. In other words, they are effective for December 2002year-ends. This means the fiscal periods subject to the revised recommendations have already started. Auditors must begin preparations now to comply with the new requirements.
Practitioners must ensure they promptly communicate the additional guidance to any audit staff. In particular, auditors should familiarize themselves with fraud risk factors and the example procedures for responding to identified fraud risk.
These revised recommendations regarding fraud and error move Canadian standards in line with international standards and much closer to the AICPA Statement on Auditing Standards 82, Consideration of Fraud in a Financial Statement Audit.
Section 5090 has been amended to incorporate changes made to its equivalent International Standard on Auditing, ISA 200, Objective and General Principles Governing an Audit of Financial Statements. These changes to ISA 200 were made to make it conform to ISA 240, which in turn has been incorporated into the Handbook. There have been no changes to the fundamental responsibilities of any of the parties — auditors, management and the board of directors — to detect fraud. Rather, section 5090 now incorporates language from ISA 200 to clarify the relationship between the assumption of "management's good faith" and the need to exercise professional skepticism. It reiterates the auditor's responsibility to be alert for evidence that this assumption may not be valid.
As a consequence of adopting guidance from ISAs, terminology changes have become necessary. The term "management" now excludes directors and members of the audit committee. In addition, the revised section introduces two phrases commonly found in ISAs, namely "those charged with governance," and "those with oversight responsibility for the financial reporting process."
Guidance on Fraud
The revision to section 5135 replaces the existing material with new content that incorporates guidance found in ISA 240, The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements. The minimum necessary changes to ISA 240 have been made to make it conform to Canadian standards.
Generally, changes to ISA 240 have been limited to the
- Replacing cross-references to ISAs with appropriate Handbook sections;
- Conforming terminology to Handbook usage;
- Ensuring that the standards in the modified material are as rigorous as those they replaced; and
- Adding relevant Canadian examples to the appendices.
Compared to the previous version, the new section 5135 provides additional guidance, especially concerning the auditor's consideration of fraud risk factors, and examples of procedures to perform in response to such factors. Perhaps sensitive to the recent media coverage of U.S. business failures, the recommendations attempt to clarify the auditor's responsibility to detect fraud. In particular, the standards point out that a properly conducted audit is less likely to detect fraud than error, and less likely to detect management fraud than employee fraud.
Section 5135 now stresses that, with respect to fraud and error, the auditor's responsibility in planning an audit is related solely to obtaining reasonable assurance concerning the absence of material misstatements in the financial statements. As part of the risk assessment, the auditor must now consider whether fraud risk factors are present. And, as part of the assessment of inherent and control risks, the auditor must now evaluate how the financial statements might be materially misstated as a result of fraud or error.
Section 5135 also provides guidance regarding the auditor's responsibility to communicate findings of fraud and error detected during the audit to management and the audit committee (or its equivalent), whether or not the suspected fraud and error results in material misstatements in the financial statements. The section adds specific requirements to obtain management representations concerning fraud and error. The auditor must now obtain and document management's assessment of the risk of fraud and the controls in place to prevent and detect it. And, as part of the overall program, the auditor and the audit team members must discuss the susceptibility of the entity to material misstatements arising from fraud or error.
Finally, section 5135 now provides recommendations on steps to take when the auditor concludes he or she should withdraw from the engagement as a result of fraud detected.
Despite the enhanced guidance, it is essential for the auditor to remember that the primary responsibility for preventing and detecting fraud and error rests with management and those charged with governing the entity. The auditor must ensure that those relying on the report understand that an audit is designed to provide reasonable assurance that the financial statements — taken as a whole — are free from material misstatement, whether caused by fraud or error. The revisions to sections 5090and 5135 do not alter these fundamental responsibilities. Rather, the intent is to require certain additional procedures to assist the auditor in identifying the risk of material misstatement in the financial statements arising from fraud and error, and in deciding what further procedures to perform when identifying risks.
For this reason, it is critical that the auditor and any audit staff maintain an attitude of skepticism. The audit program must address the risk that fraud may occur; audit staff must not fail to address such risk when they identify it. However, the fact that a risk exists does not necessarily mean that there will always, or even usually, be a fraudulent act.
Even if an auditor identifies and pursues a fraud risk factor, it is still possible for the auditor to carry out appropriate procedures and fail to detect a material misstatement resulting from that fraud. This may be the case, for example, if management presents the auditor with documentary evidence that appears genuine, but is in fact cleverly forged, or if management persuades third parties or other employees to provide the auditor with false information.
All auditors can do in this, or any situation, is to stick to the facts as presented, follow the now clearer guidelines found in the Handbook, and maintain their independence.
[ TOP ]