FINDING FRAUDS IN FINANCIAL STATEMENTS — 10 COMANDMENTS FOR AUDITORS

“Auditor is a Watch Dog But Not a Blood Hound” is the famous quote well known amongst the entire professional community; but the expectations of society from the auditors may not be exactly on these lines and it expects the auditors to play a role bigger than mere accountants confirming the numbers recorded in the financial statements. The gap in the expectation and the reality gets widened primarily because of the interpretations of the responsibility of the auditors in finding frauds through their audit of the financial statements. Though the fact remains that the auditor is not an investigator or a fraud specialist, he does have certain responsibilities in responding to the fraud risks in the financial statements subjected to the audit process. This article summarises the 10 important commandments for the auditors in responding to such fraud risks while discharging his professional responsibility.

Auditors responsibility towards frauds

According to this standard, the primary responsibility for the prevention and detection of fraud and error rests with both those charged with governance and the management of an entity. It also explains that the objective of an audit of financial statements, prepared within a framework of recognised accounting policies and practices and relevant statutory requirements, if any, is to enable an auditor to express an opinion on such financial statements. An audit conducted in accordance with the auditing standards generally accepted in India is designed to provide reasonable assurance that the financial statements taken as a whole are free from material misstatements, whether caused by fraud or error. The fact that an audit is carried out may act as a deterrent, but the auditor is not and cannot be held responsible for the prevention of fraud and error. An auditor cannot obtain absolute assurance that material misstatements in the financial statements will be detected. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements will not be detected, even though the audit is properly planned and performed in accordance with the auditing standards generally accepted in India.

The critical principle arising out of this auditing standard is that an audit does not guarantee that all material misstatements will be detected because of factors such as the use of judgment, the use of testing, the inherent limitations of internal control and the fact that much of the evidence available to the auditor is persuasive rather than conclusive in nature. For these reasons, the auditor is able to obtain only a reasonable assurance that material misstatements in the financial statements will be detected.

Challenges and audit techniques

Dr. Steven Albrecht, the famous Professor in Accountancy who has done extensive studies and research on business frauds and ethics, wrote that fraud is seldom witnessed firsthand. Instead, only fraud symptoms (or ‘red flags’) exist to alert management or the auditors about the possible existence of fraud. He has identified six categories of fraud symptoms:

•     Accounting or document symptoms: Anything that is wrong with the accounting records or documents of the entity — either electronic or paper (e.g., a copy where there should be an original, a journal entry or G/L that does not balance, a missing invoice, etc.).

•     Analytical symptoms: Things that are too big, too small, unusual, wrong person, wrong time, out of the ordinary, unexpected, etc. (e.g., balances or ratios changing too quickly, new vendors with unusually high transactions/balance amounts, etc.).

•     Lifestyle symptoms: This symptom is better for misappropriation of assets than for financial statement fraud, but when people embezzle money, they rarely save what they steal. Rather, they spend the ill-gotten gains to meet whatever financial pressures they had and then they start to increase their lifestyles. Sudden increases in lifestyles are fraud symptoms.

•     Behavioural symptoms: When people commit fraud, they feel stress. Because they have to cope with this stress, they usually change their behaviour. Sudden changes in behaviours are fraud symptoms.

•     Internal control overrides: It takes the combination of pressure, opportunity and rationalisation for someone to commit fraud, especially first-time offenders. Overriding internal controls provides fraud opportunities and often completes the fraud triangle. Such overrides are excellent fraud symptoms.

•     Tips and complaints: While tips and complaints are often great fraud risk factors, it is often difficult to know what motivates them. Like the other five types of symptoms, they should be seriously considered, but their presence does not mean that fraud is definitely occurring.

Auditors have to identify these symptoms and then carry out the required procedures to form an opinion about the financial statements.

Commandment No. 1: Identification of fraud risk factors

While carrying out the audits, the auditors have to keep in mind that “If you were management, how could you manipulate an account balance AND conceal it from the auditors”. If they approach the audit with this mindset, there is every possibility of identifying the fraud risks affecting the financial statements.

In considering the risk of material misstatement resulting from fraud, the auditor should consider whether fraud risk factors are present that indicate the possibility of either fraudulent financial reporting or misappropriation of assets while identifying and responding to the fraud risks. The fact that fraud is usually concealed can make it very difficult to detect. However, using the auditor’s knowledge of the business, the auditor may identify events or conditions that provide an opportunity, a motive or a means to commit fraud, or indicate that fraud may already have occurred.

The presence of fraud risk factors may indicate that the auditor will be unable to assess control risk at less than high for certain financial statement assertions. On the other hand, the auditor may be able to identify internal controls designed to mitigate those fraud risk factors that the auditor can test to support a control risk assessment below high.

•     obtaining an understanding of:

    i) Management’s assessment of the risk that the financial statements may be materially misstated as a result of fraud; and

    ii) The accounting and internal control systems management has put in place to address such risk;

•     to obtain knowledge of management’s understanding regarding the accounting and internal control systems in place to prevent and detect error;

•     to determine whether management is aware of any known fraud that has affected the entity or suspected fraud that the entity is investigating; and

•     to determine whether management has discovered any material errors.

The auditor should also have formal discussions with those in charge of governance to have an understanding of their concerns, if any, affecting the financial environment, the adequacy of accounting and internal control systems in place to prevent and detect fraud and error, the risk of fraud and error, and the competence and integrity of management.

In addition to the formal inquiries, the auditor should also have informal discussions with the entity personnel. He should always keep his eyes and ears open. Many times, such informal discussions with the entity personnel may provide valuable information to the auditor, which can be evaluated for determining the extent/nature of further inquiries. At times, discussion discloses more information than documents. As the term auditor emanates from the word ‘audire’, which means ‘to hear’, he should keep listening to people and should have more and more discussions with people. He will get to know more about the entity he is auditing when he talks to people rather than by only going through the documents.

Commandment No. 3: Brainstorming amongst the audit team members

According to SAS 99, Consideration of Fraud (US Auditing Standard), brainstorming is a required procedure and should be applied with the same degree of due care as any other audit procedure, such as inventory observation or confirmation of accounts receivable. Brainstorming amongst the audit team members facilitates the following objectives:

•     Reinforce importance of professional skepticism;

•     Discuss external and internal fraud risk factors;

•     Consideration of frauds on or by the entity which occurred in the past;

•     Exchange ideas about how fraud could occur, including through management override;

•     Consider how management could conceal financial reporting fraud and how assets could be misappropriated; and

•     Consider audit procedures to address fraud risks — the nature, timing and extent of audit procedures.

The importance attached to such brainstorming sessions facilitates greater awareness about the responsibility on the part of the audit team and helps in gaining a better understanding of the potential for material misstatements in the financial statements resulting from fraud or error in the specific areas of the audit assigned to them, and how the results of the audit procedures that they perform may affect other aspects of the audit.

Commandment No. 4: Journal entry testing/ review of year-end entries

As part of the audit process, the auditors could perform Journal Entry Testing to address key fraud considerations. There is also a need to examine journal entries and other adjustments for evidence of possible material misstatement due to fraud, to mitigate the risk of management override of controls. The auditors are required to include procedures in their audits to test for management override of controls and to test manual journal entries.

Material misstatements of financial statements due to fraud often involve the manipulation of the financial reporting process by (a) recording inappropriate or unauthorised journal entries throughout the year or at period end, or (b) making adjustments to amounts reported in the financial statements that are not reflected in formal journal entries, such as through consolidating adjustments, report combinations, and reclassifications. Accordingly, the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments (for example, entries posted directly to financial statement drafts) made in the preparation of the financial statements. More specifically, the auditor should

•     obtain an understanding of the entity’s financial reporting process and the controls over journal entries and other adjustments;

•     identify and select journal entries and other adjustments for testing;

•     determine the timing of the testing; and

•     inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments.

To identify and select journal entries and other adjustments for testing, the auditor should use professional judgment in determining the nature, timing, and extent of the testing of journal entries and other adjustments. For purposes of identifying and selecting specific entries and other adjustments for testing, and determining the appropriate method of examining     the underlying support for the items selected, the auditor should consider

•     the auditor’s assessment of the risk of material misstatement due to fraud;

•     the effectiveness of controls that have been implemented over journal entries and other adjustments;

•     the entity’s financial reporting process and the nature of the evidence that can be examined;

•     the characteristics of fraudulent entries or adjustments;

•     the nature and complexity of the accounts; and

•     journal entries or other adjustments processed outside the normal course of business.

Inappropriate journal entries and other adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual, or seldom-used accounts, (b) made by individuals who typically do not make journal entries, (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description, (d) made either before or during the preparation of the financial statements and do not have account numbers, or (e) containing round numbers or a consistent ending number.

Further, a detailed/specific review of the entries recorded at the end of the reporting period could also give critical inputs required for the auditors in drawing overall conclusions.

Commandment No. 5: Surprise elements in the audit

The auditor should incorporate an element of unpredictability with respect to the nature, timing, and extent of audit procedures. He should never allow the auditee to predict the exact procedures he is going to perform. Surprise verification of cash and inventory is a classic example of such surprise audit procedures. He could insist on obtaining certain new types of confirmations every year in addition to the past types of confirmations. Further, by way of introducing new audit procedures, every year, the auditor not only brings in robustness in the audit process, but also addresses the important fraud risk criteria through this process.

Many times, by following the approach of ‘Same As Last Year’ (SALY), there is a possibility of overlooking the fraud risks inherent in the control environment. The auditor should not only challenge the past practice, but also evaluate its applicability/relevance every time so as to make sure that the audit procedures do not become redundant/a formality, but always challenge the status quo and gives the required comfort to the auditor in discharging his duties.

Commandment No. 6: Audit is for the entity and not for the finance team

Invariably, the audit process is considered as an event that occurs once in a year and this has something to do with the finance department. This mindset and the approach needs to change totally and there should be awareness both on the part of the auditor and the auditee that the audit process is for the entity as a whole. This would imply that the auditor has to necessarily interact with business heads/other non-finance teams as well to have an understanding of the entity as a whole. Many times, such interactions with non-finance personnel will provide valuable insights and also throw light on the various red flags which need to be investigated further.

Further, the auditor while interacting with various personnel from the entity needs to observe closely, their behavioural pattern, their thought process, culture, etc.

Needless to insist that in all such interactions, the auditor needs to evaluate the responses by applying common sense. If he is not satisfied/clear about the explanations, he should challenge the same rather than accepting them without understanding the explanations totally. Many times, well -managed frauds are covered by way of providing confusing explanations/diverting from the core issues with some incidental/trivial matters, etc.

At times, dominating characters would like to push through some vague explanations/rosy presentations and the auditor should be watchful in dealing with such situations.

The client management and interaction skills are extremely important in the audit process and the auditor should sharpen his skills in those areas to effectively manage the audit engagements.

Commandment No. 7: Make your presence felt!

In the real sense, the process of audit is more to put a moral fear in the minds of the people to make sure that there is an oversight and if there are any issues, the same will be checked by someone else. By way of having an independent examination, the auditor brings in credibility to the financial statements and also is playing the role of providing important checks and balances to the financial reporting system.

Considering this in mind, the auditor has to make sure that his presence is felt by the system. This could be done by way of meeting up with various people, discussing with them, identifying and raising issues at the right forum, performing surprise audit procedures, etc. Interactions with the junior-most persons in the organisation could help him in getting a better understanding of ground level issues since the basic recording of transactions is done by them. Further, the auditor should talk about the importance of the audit process, consequences of false/ incorrect reporting, its repercussions, and statutory requirements, etc. so as to create awareness in the minds of the people. The moral fear created across the system will help in creating an atmosphere for preventing people from engaging in fraudulent activities.

Further, such an environment could also set the tone for having smooth/purposeful interactions and transparent discussions with the auditee.

Commandment No. 8: Sanctity to the audit processes

The auditor should never dilute the importance attached to any audit process. The audit procedures carried out in any form, such as physical verification of inventory, sending confirmation requests, investigating the differences arising on any reconciliation exercise, performing walkthroughs for the various business cycles, disposal of the issues raised by the audit team members, etc. should be given utmost sanctity and importance. The extent of importance provided by the auditor drives and dictates the importance attached to those processes/importance gained from the auditee. Further, the auditor should escalate the key issues arising out of the audit on a timely basis to the management and those in charge of governance.

Commandment No. 9: Corroboration of the information from more than one source

The information obtained as part of the audit process should always be corroborated with other information/other sources. This would help in ensuring appropriate checks and balances and provide a platform for validating/cross checking the information. Such an exercise would also help in mitigating the fraud risks.

Commandment No. 10: Trust but verify!

The auditor should be alert and should be looking out for circumstances/situations requiring detailed scrutiny. He should never take any information at face value and should follow the golden principle of ‘Trust but Verify’ which requires eloquent application of ‘professional skepticism’. There is a need for fine balancing of challenging everything vis-à-vis accepting the same at face value.

Conclusion

Professional skepticism is the backbone of the audit process and the auditor has to apply this diligently and carefully. While designing his audit procedures, he should always keep in mind that he should not miss the woods for trees. Considering the expectations of society and the professional responsibility, the auditor should pay more attention to identifying and responding to the fraud risks affecting the financial statements. The Ten Commandments explained above is a combination of procedures he should perform and the precautions he needs to take while discharging his duties. Further, based on the major accounting failures and the fraud stories all across the globe, the auditor should continuously learn and fine tune the audit process. As quoted by Russel Means, If you learn from an experience, that’s good — so nothing bad happened to you!