SA 240 (Revised): A Practical Insight

“Whatever I did was in the interest of the organisation without any intention of personal gratification whatsoever”.

“You need to pay bribes to get your work done, there is no other way”.

“If the senior executives can have their fat bonuses, then why can’t I have my piece of cake?”

“Cooking the books or creative accounting is not fraud; it is just bending the rules”.

These are the usual defences which one puts forth when faced with the prospect of being held answerable or responsible for fraud (or even potential fraud). But let us examine the auditor’s duty and responsibility relating to fraud in an audit of financial statements.

SA 240 (Revised) (which is effective for audits of financial statements for periods beginning on or after 1st April 2009) deals with “the auditor’s responsibility to consider fraud and error in an audit of financial statements” and defines fraud as “an intentional act by one or more individuals among management, those charged with governance, employees or third party, involving the use of deception to obtain an unjust or illegal advantage”. The distinction between ‘fraud’ and ‘error’ is whether the underlying action resulting in misstatements is intentional (i.e. fraud) or unintentional.

Let us understand the application of SA 240 (Revised) with the following two case studies. These cases represent ‘frauds’ as they were intentionally committed by the management/employees to gain an illegal advantage resulting in misstatement in financial statements resulting either from misappropriation of assets (cash in the first case) or fraudulent financial reporting (misstatement of inventories in the second case).

Case 1

Background
ABC Ltd. was engaged in the manufacturing of hot rolled steel plates. The manufacturing process involves melting iron ore and converting the molten ore into iron sheets of required size(s). During the course of production, a given proportion of ore had to be scrapped. The scrap generated was measurable in terms of standard yield and was also dependent on the quality of ore used. The scrap generated was sold to two scrap dealers at an agreed upon price. Scrap sales as a percentage of total income were insignificant. The entire process of scrap sales was handled by the CFO under the direct supervision of the Managing Director. The documentation maintained by the CFO for scrap sales included the quantity sold, the price charged and the quotations supporting the price charged as well payment of statutory levies such as excise and VAT. The realisation of scrap sales was never an issue as scrap was always sold on the basis of ‘advance payment by cheque’. From an audit standpoint, given that scrap sales (as recorded in the books) did not constitute a material amount, the auditors’ verification was restricted to ensuring compliance with excise and VAT rules and performing an overall analytical review.

The real situation was quite different. The actual quantity of scrap generated was much higher than that recorded in the books. The actual price realisation was also significantly higher with the difference between the amount disclosed in the books and actual price being received in cash. The cash was used to make facilitation payments (‘bribes’) to secure favours/approvals from various authorities in relation to day-to-day business operations. The actual scenario came to light when the business with the scrap dealer was discontinued on account of dispute and the scrap dealer informed the board of directors of the arrangement.

Analysis with respect to SA 240 (Revised)

Responsibility of management and those charged with governance

Per SA 240 (Revised), the primary responsibility to ensure prevention and detection of fraud and error rests with the management and those charged with governance. Since senior management was involved in the fraud, it was imperative that those charged with governance exercised much greater control and supervision over management function. They should have, using their authority of management oversight, ensured that this aspect of the company’s operation was reviewed independently and reported.

? Understanding the entity’s internal controls— The entire process of scrap sales was being managed by the CFO who had the authority to negotiate the rates with the scrap dealer, was responsible for dispatch of scrap and was also responsible for ultimate collection. There was no segregation of duties resulting in one individual being able to initiate and complete the entire transaction singlehandedly. There was an absence of an independent check of the overall reconciliation of materials consumed and goods produced. There was no independent verification of the quotes obtained to support the prices charged. This could have been mitigated by establishing a process of selection of scrap dealers such as tendering or by formulating a scrap negotiation committee comprising operational/functional heads responsible for negotiating terms with scrap dealers.

? Deterrents to improper conduct by management— The arrangement was being managed by the CFO with the knowledge of the Managing Director leading to management override of controls. Establishing a ‘code of conduct’ mandating compliance by one and all and stipulating disciplinary action (including termination and legal recourse) for non-compliance could have acted as a deterrent in fraud prevention/detection.

? Independent review by internal audit function reporting directly to those charged with governance could also have assisted in fraud detection/prevention. In situations where the entity has an internal audit function, the auditor can make enquiries of the internal auditor about any specific procedures performed to detect fraud and whether satisfactory responses were received from management to any findings resulting from those procedures.

? Whistle-blower mechanism—In terms of SA 315, responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures, establishment of these procedures could act as a ‘deterrent’.

Auditors’ Responsibilities
Per SA 240 (Revised), owing to the inherent limitations in an audit, the auditor cannot obtain absolute assurance that the material misstatements in the financial statements (either because of fraud or error) will be detected. The auditor has to, however, obtain reasonable assurance that the financial statements as a whole are free from material misstatement and should therefore ensure that they have followed the auditing procedures in accordance with the auditing standards generally accepted in India. However, the auditor could be held responsible where the misstatements due to fraud or error remained undetected due to nonapplication of the required audit procedures and professional scepticism.

In this regard it is important to note that the risk of not detecting a material misstatement due to fraud is greater than that arising from an error, since fraud may involve a sophisticated modus operandi, and could include collusion, forgery and intentional misrepresentation. This risk increases with management fraud since they are in a position to manipulate records and override controls.

In the given case, applying the guidance given in SA 240 (Revised) and SA 200 (Revised) Overall Objectives of the Independent Auditor and the Conduct of an Audit in accordance with Standards on Auditing, the auditors should have considered the following factors while auditing scrap sales:

Identify and assess fraud risk—the auditor should have designated scrap sales as an area susceptible to fraud in view of the fact that scrap sales were controlled entirely by the CFO and the Managing Director.

Understanding of the entity’s business and maintaining professional scepticism—the auditors should have considered obtaining deeper understanding of the manufacturing process, understood the relationship of scrap generated with quantity produced and enquired into reasons why the quantity of scrap generated as recorded in the books was low in relation to finished goods produced. The auditors could also have considered the usual quantum of scrap generated in similar/like industries and related this to the scrap quantity recorded in the company’s books. The auditors should have compared the rates charged to scrap dealers with independent sources such as market prices of steel scrap.

Understanding of internal control environment—There was no segregation of duties as the entire function was being performed by the CFO and MD. Further, as senior management was involved, there existed the risk of management override of controls. The auditor should have communicated these deficiencies in internal controls to those charged with governance and should also have formally enquired whether the governance body has any knowledge of actual, suspected or alleged fraud relating to scrap sales.

Respond appropriately to identified (or suspected) fraud—The auditors should have given due consideration to controls over scrap sales while reporting on internal controls in the Companies (Auditor’s Report)
Order, 2003 (‘CARO’) report. Post identification of the fraud, the auditor would have to appropriately modify the reporting relating to paragraph 4(xxi) of the CARO report.

As such, applying analytical procedures alone on the consideration that scrap income was insignificant to the overall financial statements was not appropriate and would not constitute sufficient appropriate audit evidence.

CASE 2

Background

XYZ Ltd. was engaged in the business of manufacturing gypsum boards, the primary raw material for which is natural gypsum. Gypsum was purchased in huge quantities in rock form in uneven size and shape. Given the quantity, size and shape, gypsum had to be stored in open spaces resulting in gypsum being exposed to the external environment. No physical verification was conducted during the year and at year-end, physical verification was not feasible given the huge quantum and uneven size/shape of the material in stock, the technical specifications (in terms of extent of exposure to light/air/water) as well as inability to draw inference based on test check. The quantity in stock was therefore certified by an independent surveyor and the auditors’ relied on the surveyor’s report. The quantity reported by the surveyor was used by the company to account for stocks in the books at the year-end.

The actual scenario was far different than that disclosed in the books. The quantity of gypsum in stock reported by the independent surveyor was as instructed by the factory manager. The factory manager reported the desired results given the arrangement with the valuer and the auditor’s reliance on the valuer’s work. The fraud came to light when during the course of interim audit for the subsequent financial year, the auditor insisted on physical verification of the stock by weighment at a point in time when the quantity of gypsum in the warehouse was at the lowest level. The quantity weighed physically was far less than that shown in the books at the time of physical verification.

Analysis with respect to SA 240 (Revised)

Responsibility of management and those charged with governance

In the present case, the perpetrator of the fraud was a functional manager (factory employee) as against a member of senior management in Case
1.    The responsibility for preventing and detecting fraud primarily rests with the management; however, the administration and monitoring of controls in Case 2 would be different. This could have been achieved by:
Management evaluation of the expertise of the independent valuer engaged by the factory manager including considering obtaining a separate valuation from another valuer (given the quantum of stocks involved). Management could also independently test the methodology applied and assumptions made by the valuer in arriving at the likely quantity of stocks lying in the open ware-house.

Mandating physical verification by physical weighment of stocks at least once in a year and reconciliation of physical balances with book records, and also considering increasing the frequency of verification (based on the significant value of such stocks).

Formulating a policy of rotation of valuers at appropriate intervals.

Employees performing functions having high susceptibility to fraud being made to compulsorily avail annual leave.

Monitoring control in the form of an over-all exercise reconciling quantity of gypsum purchased, expected gypsum consumption (relative to finished goods produced) and derived closing inventory of gypsum would have also revealed the overstatement of closing inventory as per books.

Establishing a ‘code of conduct’ mandating compliance by one and all and stipulating disciplinary action (including termination and legal recourse) for non-compliance could have acted as a deterrent in fraud prevention/detection.

Auditors’ Responsibilities

Per SA 240 (Revised), while performing risk assessment procedures to obtain an understanding of the entity and its environment, the auditor should perform procedures to identify material misstatements due to fraud which includes A 620—Using the Work of an Expert requires that an auditor ought to have satisfied himself as to the expert’s skills, competencies and objectivity. The auditor should have considered whether the source data used by the expert, the assumptions made and methodology used is reasonable having regard to the auditor’s knowledge of the client business.

incorporating an element of unpredictability in selecting the nature, timing and extent of audit procedures. Accordingly, the auditor could have mandated that management conduct actual physical verification of stocks at a time other than the year-end and the auditor being present at such count.

The auditor should have performed analytical procedures to deduce the expected quantity of gypsum that would be in closing inventory at the year-end considering the production and expected input-output yield.

The auditor would need to appropriately modify his opinion in relation to paragraph 4(ii) of the CARO report relating to physical verification of inventories. Consequent to the fraud being detected, the auditor would need to consider modifying the audit opinion as well as consider fraud reporting under paragraph 4(xxi) of CARO report.

As such, mere reliance on the expert’s work by the auditors could not be considered as sufficient audit evidence for the purpose of expressing an opinion.

Whom should the auditor communicate with when the fraud is detected?

On fraud being identified or where the auditor has obtained information that fraud exists, the auditor must inform the same to the appropriate level of management who are primarily responsible for the prevention and detection of fraud. If the auditor suspects the fraud involving management, the communication should be done to those charged with governance. In other cases it should be to the management, at least one level above the level at which the fraud is suspected.

Although the auditor’s professional duty to maintain the confidentiality of client information may preclude him from reporting to any outside entity, the auditor’s legal responsibilities may override his duty of confidentiality on certain occasions, for e.g., when an auditor is required to disclose information under any law or under a directive of a judicial body/court.

Management Representations

The auditor should obtain written representations from the management or those charged with governance which include acknowledging their responsibility for the design, implementation and maintaining internal controls to prevent and detect fraud, that they have disclosed to the auditor the results of management’s assessment of the risk that the financial statements may be misstated on account of fraud and their knowledge of actual, suspected or alleged fraud. However, the obtaining of mere representation does not absolve an auditor from the responsibilities cast upon him under SA 240.

Compatibility with the corresponding International Standards of Auditing-ISA 240

The application section of paragraph A6, A56 and A66 of ISA 240 specifically deals with the application of the requirement of ISA 240 to the audits of public sector entities. However, since SA 240 (Revised) applies to all entities irrespective of their form, nature and size, a specific reference to the applicability of the Standard to public sector entities has not been included.

However the spirit of the corresponding para-graphs in ISA 240 has been retained in SA 240 (Revised) as follows:

Para A6 has been retained such that in certain cases the auditor may be required by the legislature or the regulator to specifically report on the instances of the actual/ suspected fraud in the client entity.

Para A56 has been retained such that the auditors may not have an option to withdraw from the engagements in certain cases.

Para A66 has been retained such that the requirement for reporting fraud, whether or not discovered through the audit process, may be subject to the specific provisions of the audit mandate or related legislation or regulation.

Conclusion:

Considering the nature and characteristics of a fraudulent act and the responsibility cast upon the auditor, it is imperative that due professional scepticism is exercised throughout the audit and the requirements of SA 240 (Revised) are followed to assist the auditor in identifying and assessing the risk of material misstatement due to fraud and in designing procedures to detect such mis-statement.