Consideration of Fraud in a Financial Statement Audit

Consideration of Fraud in a Financial Statement Audit 163

AU-C Section 240

Consideration of Fraud in a Financial

Statement Audit

Source: SAS No. 122; SAS No. 128; SAS No. 134; SAS No. 135; SAS

No. 136.

Effective for audits of nancial statements for periods ending on or

after December 15, 2012, unless otherwise indicated.

NOTE

In July 2020, the Auditing Standards Board issued Statement on Auditing

Standards No. 143, Auditing Accounting Estimates and Related Disclosures,

which contains amendments to this section.

The amendments are effective for audits of nancial statements for periods

ending on or after December 15, 2023, and can be viewed in appendix C of

section 540 until the effective date, when they will be applied to this section.

Introduction

Scope o f This Section

.01 This section addresses the auditor's responsibilities relating to fraud

in an audit of nancial statements. Specically, it expands on how section 315,

Understanding the Entity and Its Environment and Assessing the Risks of Ma-

terial Misstatement, and section 330, Performing Audit Procedures in Response

to Assessed Risks and Evaluating the Audit Evidence Obtained, are to be ap-

plied regarding risks of material misstatement due to fraud.

Characteristics of Fraud

.02 Misstatements in the nancial statements can arise from either fraud

or error. The distinguishing factor between fraud and error is whether the un-

derlying action that results in the misstatement of the nancial statements is

intentional or unintentional.

.03 Although fraud is a broad legal concept, for the purposes of generally

accepted auditing standards (GAAS), the auditor is primarily concerned with

fraud that causes a material misstatement in the nancial statements. Two

types of intentional misstatements are relevant to the auditor — misstate-

ments resulting from fraudulent nancial reporting and misstatements result-

ing from misappropriation of assets. Although the auditor may suspect or, in

rare cases, identify the occurrence of fraud, the auditor does not make legal

determinations of whether fraud has actually occurred. (Ref: par. .A1–.A8)

Responsibility for the Prevention and Detection of Fraud

.04 The primary responsibility for the prevention and detection of fraud

rests with both those charged with governance of the entity and management.

164 General Principles and Responsibilities

It is important that management, with the oversight of those charged with gov-

ernance, places a strong emphasis on fraud prevention, which may reduce op-

portunities for fraud to take place, and fraud deterrence, which could persuade

individuals not to commit fraud because of the likelihood of detection and pun-

ishment. This involves a commitment to creating a culture of honesty and ethi-

cal behavior, which can be reinforced by active oversight by those charged with

governance. Oversight by those charged with governance includes considering

the potential for override of controls or other inappropriate inuence over the

nancial reporting process, such as efforts by management to manage earnings

in order to inuence the perceptions of nancial statement users regarding the

entity's performance and protability.

Responsibilities of the Auditor

.05 An auditor conducting an audit in accordance with GAAS is responsi-

ble for obtaining reasonable assurance that the nancial statements as a whole

are free from material misstatement, whether caused by fraud or error. Due

to the inherent limitations of an audit, an unavoidable risk exists that some

material misstatements of the nancial statements may not be detected, even

though the audit is properly planned and performed in accordance with GAAS.

.06 As described in section 200, Overall Objectives of the Independent Au-

ditor and the Conduct of an Audit in Accordance With Generally Accepted Au-

diting Standards, the potential effects of inherent limitations are particularly

signicant in the case of misstatement resulting from fraud.

Theriskofnot

detecting a material misstatement resulting from fraud is higher than the risk

of not detecting one resulting from error. This is because fraud may involve

sophisticated and carefully organized schemes designed to conceal it, such as

forgery, deliberate failure to record transactions, or intentional misrepresenta-

tions being made to the auditor. Such attempts at concealment may be even

more difcult to detect when accompanied by collusion. Collusion may cause

the auditor to believe that audit evidence is persuasive when it is, in fact, false.

The auditor's ability to detect a fraud depends on factors such as the skillful-

ness of the perpetrator, the frequency and extent of manipulation, the degree

of collusion involved, the relative size of individual amounts manipulated, and

the seniority of those individuals involved. Although the auditor may be able

to identify potential opportunities for fraud to be perpetrated, it is difcult for

the auditor to determine whether misstatements in judgment areas, such as

accounting estimates, are caused by fraud or error.

.07 Furthermore, the risk of the auditor not detecting a material misstate-

ment resulting from management fraud is greater than for employee fraud be-

cause management is frequently in a position to directly or indirectly manip-

ulate accounting records, present fraudulent nancial information, or override

control procedures designed to prevent similar frauds by other employees.

.08 When obtaining reasonable assurance, the auditor is responsible for

maintaining professional skepticism throughout the audit, considering the po-

tential for management override of controls, and recognizing the fact that au-

dit procedures that are effective for detecting error may not be effective in

detecting fraud. The requirements in this section are designed to assist the

auditor in identifying and assessing the risks of material misstatement due to

fraud and in designing procedures to detect such misstatement.

Paragraphs .A55–.A56 of section 200, Overall Objectives of the Independent Auditor and the

Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.

Paragraph .A55 of section 200.

Consideration of Fraud in a Financial Statement Audit 165

Effective Date

.09 This section is effective for audits of nancial statements for periods

ending on or after December 15, 2012.

Objectives

.10 The objectives of the auditor are to

a. identify and assess the risks of material misstatement of the -

nancial statements due to fraud;

b. obtain sufcient appropriate audit evidence regarding the as-

sessed risks of material misstatement due to fraud, through de-

signing and implementing appropriate responses; and

c. respond appropriately to fraud or suspected fraud identied dur-

ing the audit.

Deﬁnitions

.11 For purposes of GAAS, the following terms have the meanings at-

tributed as follows:

Fraud. An intentional act by one or more individuals among man-

agement, those charged with governance, employees, or third par-

ties, involving the use of deception that results in a misstatement

in nancial statements that are the subject of an audit.

Fraudriskfactors.Events or conditions that indicate an incentive

or pressure to perpetrate fraud, provide an opportunity to commit

fraud, or indicate attitudes or rationalizations to justify a fraud-

ulent action. (Ref: par. .A11, .A30, and .A57)

Signicant unusual transactions. Signicant transactions that

are outside the normal course of business for the entity or that

otherwise appear to be unusual due to their timing, size, or

nature.

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 135.]

Requirements

Professional Skepticism

.12 In accordance with section 200, the auditor should maintain profes-

sional skepticism throughout the audit, recognizing the possibility that a ma-

terial misstatement due to fraud could exist, notwithstanding the auditor's past

experience of the honesty and integrity of the entity's management and those

charged with governance.

(Ref: par. .A9–.A10)

.13 Unless the auditor has reason to believe the contrary, the auditor may

accept records and documents as genuine. If conditions identied during the

audit cause the auditor to believe that a document may not be authentic or

that terms in a document have been modied but not disclosed to the auditor,

the auditor should investigate further. (Ref: par. .A11)

Paragraph .17 of section 200.

166 General Principles and Responsibilities

.14 When responses to inquiries of management, those charged with gov-

ernance, or others are inconsistent or otherwise unsatisfactory (for example,

vague or implausible), the auditor should further investigate the inconsisten-

cies or unsatisfactory responses.

Discussion Among the Engagement Team

.15 Section 315 requires a discussion among the key engagement team

members, including the engagement partner, and a determination by the en-

gagement partner of which matters are to be communicated to those team

members not involved in the discussion.

This discussion should include an

exchange of ideas or brainstorming among the engagement team members

about how and where the entity's nancial statements (including the individual

statements and the disclosures) might be susceptible to material misstatement

due to fraud, how management could perpetrate and conceal fraudulent nan-

cial reporting, and how assets of the entity could be misappropriated. The dis-

cussion should occur setting aside beliefs that the engagement team members

may have that management and those charged with governance are honest and

have integrity, and should, in particular, also address (Ref: par. .A12–.A13)

a. known external and internal factors affecting the entity that may

create an incentive or pressure for management or others to com-

mit fraud, provide the opportunity for fraud to be perpetrated,

and indicate a culture or environment that enables management

or others to rationalize committing fraud;

b. the risk of management override of controls;

c. consideration of circumstances that might be indicative of earn-

ings management or manipulation of other nancial measures

and the practices that might be followed by management to man-

age earnings or other nancial measures that could lead to fraud-

ulent nancial reporting;

d. the importance of maintaining professional skepticism through-

out the audit regarding the potential for material misstatement

duetofraud;and

e. how the auditor might respond to the susceptibility of the entity's

nancial statements to material misstatement due to fraud.

Communication among the engagement team members about the risks of ma-

terial misstatement due to fraud should continue throughout the audit, partic-

ularly upon discovery of new facts during the audit. [As amended, effective for

audits of nancial statements for periods ending on or after December 15, 2021,

by SAS No. 134.]

Risk Assessment Procedures and Related Activities

.16 When performing risk assessment procedures and related activities

to obtain an understanding of the entity and its environment, including the

entity's internal control, required by section 315, the auditor should perform the

procedures in paragraphs .17–.24 to obtain information for use in identifying

the risks of material misstatement due to fraud.

Paragraph .11 of section 315, Understanding the Entity and Its Environment and Assessing the

Risks of Material Misstatement.

Paragraphs .05–.25 of section 315.

Consideration of Fraud in a Financial Statement Audit 167

Discussions With Management and Others Within the Entity

.17 The auditor should make inquiries of management regarding

a. management's assessment of the risk that the nancial state-

ments may be materially misstated due to fraud, including the na-

ture, extent, and frequency of such assessments; (Ref: par. .A14–

.A15)

b. management's process for identifying, responding to, and mon-

itoring the risks of fraud in the entity, including any specic

risks of fraud that management has identied or that have been

brought to its attention, or classes of transactions, account bal-

ances, or disclosures for which a risk of fraud is likely to exist;

(Ref: par. .A16)

c. management's communication, if any, to those charged with gov-

ernance regarding its processes for identifying and responding to

the risks of fraud in the entity;

d. management's communication, if any, to employees regarding its

views on business practices and ethical behavior; and

e. whether the entity has entered into any signicant unusual

transactions and, if so, the nature, terms, and business purpose

(or the lack thereof) of those transactions and whether such trans-

actions involved related parties.

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 135.]

.18 The auditor should make inquiries of management, and others

within the entity as appropriate, to determine whether they have knowl-

edge of any actual, suspected, or alleged fraud affecting the entity. (Ref: par.

.A17–.A20)

.19 For those entities that have an internal audit function,

the auditor

should make inquiries of appropriate individuals within the internal audit

function to obtain their views about the risks of fraud; determine whether they

have knowledge of any actual, suspected, or alleged fraud affecting the entity;

whether they have performed any procedures to identify or detect fraud dur-

ing the year; whether management has satisfactorily responded to any ndings

resulting from these procedures; and whether they are aware that the entity

has entered into any signicant unusual transactions. [As amended, effective

for audits of nancial statements for periods ending on or after December 15,

2014, by SAS No. 128. As amended, effective for audits of nancial statements

for periods ending on or after December 15, 2021, by SAS No. 135.]

Those Charged With Governance

.20 Unless all of those charged with governance are involved in man-

aging the entity,

the auditor should obtain an understanding of how those

charged with governance exercise oversight of management's processes for

identifying and responding to the risks of fraud in the entity and the inter-

nal control that management has established to mitigate these risks. (Ref: par.

.A21–.A23)

Section 610, Using the Work of Internal Auditors, provides guidance in audits of those entities

that have an internal audit function. [Footnote amended, effective for audits of nancial statements

for periods ending on or after December 15, 2014, by SAS No. 128.]

Paragraph .09 of section 260, The Auditor's Communication With Those Charged With Gover-

nance.

168 General Principles and Responsibilities

.21 Unless all of those charged with governance are involved in managing

the entity, the auditor should make inquiries of those charged with governance

(or the audit committee or, at least, its chair) to determine their views about the

risks of fraud, whether they have knowledge of any actual, suspected, or alleged

fraud affecting the entity, and whether the entity has entered into any signi-

cant unusual transactions. These inquiries are made, in part, to corroborate the

responses received from the inquiries of management. [As amended, effective

for audits of nancial statements for periods ending on or after December 15,

2021, by SAS No. 135.]

Unusual or Unexpected Relationships Identiﬁed

.22 Based on analytical procedures performed as part of risk assessment

procedures,

the auditor should evaluate whether unusual or unexpected re-

lationships that have been identied indicate risks of material misstatement

due to fraud. To the extent not already included, the analytical procedures,

and evaluation thereof, should include procedures relating to revenue accounts.

(Ref: par. .A24–.A26 and .A46)

Other Information

.23 The auditor should consider whether other information obtained by

the auditor indicates risks of material misstatement due to fraud. (Ref:

par. .A27)

Evaluation of Fraud Risk Factors

.24 The auditor should evaluate whether the information obtained from

the risk assessment procedures and related activities performed indicates that

one or more fraud risk factors are present. Although fraud risk factors may

not necessarily indicate the existence of fraud, they have often been present in

circumstances in which frauds have occurred and, therefore, may indicate risks

of material misstatement due to fraud. (Ref: par. .A28–.A32)

Identiﬁcation and Assessment of the Risks of Material

Misstatement Due to Fraud

.25 In accordance with section 315, the auditor should identify and as-

sess the risks of material misstatement due to fraud at the nancial statement

level, and at the assertion level for classes of transactions, account balances,

and disclosures.

The auditor's risk assessment should be ongoing throughout

the audit, following the initial assessment.

.26 When identifying and assessing the risks of material misstatement

due to fraud, the auditor should, based on a presumption that risks of fraud

exist in revenue recognition, evaluate which types of revenue, revenue trans-

actions, or assertions give rise to such risks. Paragraph .46 species the doc-

umentation required when the auditor concludes that the presumption is not

applicable in the circumstances of the engagement and, accordingly, has not

identied revenue recognition as a risk of material misstatement due to fraud.

(Ref: par. .A33–.A35)

.27 The auditor should treat those assessed risks of material misstatement

due to fraud as signicant risks and, accordingly, to the extent not already done

so, the auditor should obtain an understanding of the entity's related controls,

Paragraphs .06(b) and .A7–.A10 of section 315.

Paragraph .26 of section 315.

Consideration of Fraud in a Financial Statement Audit 169

including control activities, relevant to such risks, including the evaluation of

whether such controls have been suitably designed and implemented to miti-

gate such fraud risks. (Ref: par. .A36–.A37)

Responses to the Assessed Risks of Material Misstatement

Due to Fraud

Overall Responses

.28 In accordance with section 330, the auditor should determine overall

responses to address the assessed risks of material misstatement due to fraud

at the nancial statement level.

(Ref: par. .A38)

.29 In determining overall responses to address the assessed risks of ma-

terial misstatement due to fraud at the nancial statement level, the auditor

should

a. assign and supervise personnel, taking into account the knowl-

edge, skill, and ability of the individuals to be given signicant

engagement responsibilities and the auditor's assessment of the

risks of material misstatement due to fraud for the engagement;

(Ref: par. .A39–.A40)

b. evaluate whether the selection and application of accounting poli-

cies by the entity, particularly those related to subjective mea-

surements and complex transactions, may be indicative of fraud-

ulent nancial reporting resulting from management's effort to

manage earnings, or a bias that may create a material misstate-

ment; and (Ref: par. .A41)

c. incorporate an element of unpredictability in the selection of the

nature, timing, and extent of audit procedures. (Ref: par. .A42)

Audit Procedures Responsive to Assessed Risks of Material Misstatement

Due to Fraud at the Assertion Level

.30 In accordance with section 330, the auditor should design and perform

further audit procedures whose nature, timing, and extent are responsive to the

assessed risks of material misstatement due to fraud at the assertion level.

(Ref: par. .A43–.A46)

Audit Procedures Responsive to Risks Related to Management Override

of Controls

.31 Management is in a unique position to perpetrate fraud because of

management's ability to manipulate accounting records and prepare fraudu-

lent nancial statements by overriding controls that otherwise appear to be

operating effectively. Although the level of risk of management override of con-

trols will vary from entity to entity, the risk is, nevertheless, present in all en-

tities. Due to the unpredictable way in which such override could occur, it is a

risk of material misstatement due to fraud and, thus, a signicant risk.

.32 Even if specic risks of material misstatement due to fraud are not

identied by the auditor, a possibility exists that management override of con-

trols could occur. Accordingly, the auditor should address the risk of manage-

ment override of controls apart from any conclusions regarding the existence

Paragraph .05 of section 330, Performing Audit Procedures in Response to Assessed Risks and

Evaluating the Audit Evidence Obtained.

Paragraph .06 of section 330.

170 General Principles and Responsibilities

of more specically identiable risks by designing and performing audit proce-

dures to

a. test the appropriateness of journal entries recorded in the general

ledger and other adjustments made in the preparation of the -

nancial statements, including entries posted directly to nancial

statement drafts. In designing and performing audit procedures

for such tests, the auditor should (Ref: par. .A47–.A50 and .A56)

i. obtain an understanding of the entity's nancial report-

ing process and controls over journal entries and other

adjustments,

and the suitability of design and imple-

mentation of such controls;

ii. make inquiries of individuals involved in the nancial re-

porting process about inappropriate or unusual activity re-

lating to the processing of journal entries and other adjust-

ments;

iii. consider fraud risk indicators, the nature and complexity

of accounts, and unusual entries processed;

iv. select journal entries and other adjustments made at the

end of a reporting period; and

v. consider the need to test journal entries and other adjust-

ments throughout the period.

b. review accounting estimates for biases and evaluate whether the

circumstances producing the bias, if any, represent a risk of ma-

terial misstatement due to fraud. In performing this review, the

auditor should

i. evaluate whether the judgments and decisions made by

management in making the accounting estimates included

in the nancial statements, even if they are individually

reasonable, indicate a possible bias on the part of the en-

tity's management that may represent a risk of mate-

rial misstatement due to fraud. If so, the auditor should

reevaluate the accounting estimates taken as a whole,

and

ii. perform a retrospective review of management judgments

and assumptions related to signicant accounting esti-

mates reected in the nancial statements of the prior

year. Estimates selected for review should include those

that are based on highly sensitive assumptions or are oth-

erwise signicantly affected by judgments made by man-

agement. (Ref: par. .A51–.A53)

c. evaluate, given the auditor's understanding of the entity and its

environment and other information obtained during the audit,

whether the business purpose (or the lack thereof) of signicant

unusual transactions suggests that they may have been entered

into to engage in fraudulent nancial reporting or to conceal mis-

appropriation of assets. The procedures should include the follow-

ing: (Ref: par. .A54–.A55)

i. Reading the underlying documentation and evaluating

whether the terms and other information about the trans-

action are consistent with explanations from inquiries and

Paragraph .19 of section 315.

Consideration of Fraud in a Financial Statement Audit 171

other audit evidence about the business purpose (or the

lack thereof) of the transaction

ii. Determining whether the transaction has been authorized

and approved in accordance with the entity's established

policies and procedures

iii. Evaluating whether signicant unusual transactions that

the auditor has identied have been properly accounted

for and disclosed in the nancial statements

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 135.]

Other Audit Procedures

.33 The auditor should determine whether, in order to respond to the iden-

tied risks of management override of controls, the auditor needs to perform

other audit procedures in addition to those specically referred to previously

(that is, when specic additional risks of management override exist that are

not covered as part of the procedures performed to address the requirements

in paragraph .32). (Ref: par. .A56)

Evaluation o f Audit Evidence (Ref: par. .A57)

.34 The auditor should evaluate, at or near the end of the audit, whether

the accumulated results of auditing procedures (including analytical proce-

dures that were performed as substantive tests or when forming an overall

conclusion) affect the assessment of the risks of material misstatement due to

fraud made earlier in the audit or indicate a previously unrecognized risk of

material misstatement due to fraud. If not already performed when forming an

overall conclusion, the analytical procedures relating to revenue, required by

paragraph .22, should be performed through the end of the reporting period.

(Ref: par. .A58–.A59)

.35 If the auditor identies a misstatement, the auditor should evaluate

whether such a misstatement is indicative of fraud. If such an indication exists,

the auditor should evaluate the implications of the misstatement with regard

to other aspects of the audit, particularly the auditor's evaluation of materi-

ality, management and employee integrity, and the reliability of management

representations, recognizing that an instance of fraud is unlikely to be an iso-

lated occurrence. (Ref: par. .A60–.A63)

.36 If the auditor identies a misstatement, whether material or not, and

the auditor has reason to believe that it is, or may be, the result of fraud and

that management (in particular, senior management) is involved, the auditor

should reevaluate the assessment of the risks of material misstatement due to

fraud and its resulting effect on the nature, timing, and extent of audit proce-

dures to respond to the assessed risks.The auditor should also consider whether

circumstances or conditions indicate possible collusion involving employees,

management, or third parties when reconsidering the reliability of evidence

previously obtained. (Ref: par. .A61)

.37 If the auditor concludes that, or is unable to conclude whether, the -

nancial statements are materially misstated as a result of fraud, the auditor

should evaluate the implications for the audit. (Ref: par. .A62)

172 General Principles and Responsibilities

Auditor Unable to Continue the Engagement

.38 If, as a result of identied fraud or suspected fraud, the auditor en-

counters circumstances that bring into question the auditor's ability to continue

performing the audit, the auditor should

a. determine the professional and legal responsibilities applicable

in the circumstances, including whether a requirement exists for

the auditor to report to the person or persons who engaged the

auditor or, in some cases, to regulatory authorities;

b. consider whether it is appropriate to withdraw from the engage-

ment, when withdrawal is possible under applicable law or regu-

lation; and

c. if the auditor withdraws

i. discuss with the appropriate level of management and

those charged with governance the auditor's withdrawal

from the engagement and the reasons for the withdrawal,

and

ii. determine whether a professional or legal requirement ex-

ists to report to the person or persons who engaged the

auditor or, in some cases, to regulatory authorities, the au-

ditor's withdrawal from the engagement and the reasons

for the withdrawal. (Ref: par. .A64–.A67)

Communications to Management and With Those Charged

With Governance

.39 If the auditor has identied a fraud or has obtained information that

indicates that a fraud may exist, the auditor should communicate these matters

on a timely basis to the appropriate level of management in order to inform

those with primary responsibility for the prevention and detection of fraud of

matters relevant to their responsibilities. (Ref: par. .A68)

.40 Unless all of those charged with governance are involved in managing

the entity, if the auditor has identied or suspects fraud involving

a. management,

b. employees who have signicant roles in internal control, or

c. others, when the fraud results in a material misstatement in the

nancial statements,

the auditor should communicate these matters to those charged with gover-

nance on a timely basis. If the auditor suspects fraud involving management,

the auditor should communicate these suspicions to those charged with gover-

nance and discuss with them the nature, timing, and extent of audit procedures

necessary to complete the audit. (Ref: par. .A69–.A71)

.41 The auditor should communicate with those charged with governance

any other matters related to fraud that are, in the auditor's professional judg-

ment, relevant to their responsibilities. (Ref: par. .A72)

Communications to Regulatory and Enforcement Authorities

.42 If the auditor has identied or suspects a fraud, the auditor should

determine whether the auditor has a responsibility to report the occurrence or

suspicion to a party outside the entity. Although the auditor's professional duty

Consideration of Fraud in a Financial Statement Audit 173

to maintain the condentiality of client information may preclude such report-

ing, the auditor's legal responsibilities may override the duty of condentiality

in some circumstances. (Ref: par. .A73–.A75)

Documentation

.43 The auditor should include in the audit documentation

of the audi-

tor's understanding of the entity and its environment and the assessment of

the risks of material misstatement required by section 315 the following:

a. The signicant decisions reached during the discussion among

the engagement team regarding the susceptibility of the entity's

nancial statements to material misstatement due to fraud, and

how and when the discussion occurred and the audit team mem-

bers who participated

b. The identied and assessed risks of material misstatement due to

fraud at the nancial statement level and at the assertion level

(See paragraphs .16–.27.)

.44 The auditor should include in the audit documentation of the auditor's

responses to the assessed risks of material misstatement required by section

330 the following:

a. The overall responses to the assessed risks of material misstate-

ment due to fraud at the nancial statement level and the nature,

timing, and extent of audit procedures, and the linkage of those

procedures with the assessed risks of material misstatement due

to fraud at the assertion level

b. The results of the audit procedures, including those designed to

address the risk of management override of controls

.45 The auditor should include in the audit documentation communica-

tions about fraud made to management, those charged with governance, regu-

lators, and others.

.46 If the auditor has concluded that the presumption that there is a risk of

material misstatement due to fraud related to revenue recognition is overcome

in the circumstances of the engagement, the auditor should include in the audit

documentation the reasons for that conclusion.

Application and Other Explanatory Material

Characteristics of Fraud (Ref: par. .03)

.A1 Fraud, whether fraudulent nancial reporting or misappropriation of

assets, involves incentive or pressure to commit fraud, a perceived opportunity

to do so, and some rationalization of the act, as follows:

•

Incentive or pressure to commit fraudulent nancial reporting

may exist when management is under pressure, from sources out-

side or inside the entity, to achieve an expected (and perhaps,

unrealistic) earnings target or nancial outcome — particularly

because the consequences to management for failing to meet -

nancial goals can be signicant. Similarly, individuals may have

Paragraphs .08–.12 and .A8 of section 230, Audit Documentation.

Paragraph .33 of section 315.

Paragraph .30 of section 330.

174 General Principles and Responsibilities

an incentive to misappropriate assets (for example, because the

individuals are living beyond their means).

•

A perceived opportunity to commit fraud may exist when an in-

dividual believes internal control can be overridden (for example,

because the individual is in a position of trust or has knowledge

of specic deciencies in internal control).

•

Individuals may be able to rationalize committing a fraudulent

act. Some individuals possess an attitude, character, or set of ethi-

cal values that allow them knowingly and intentionally to commit

a dishonest act. However, even otherwise honest individuals can

commit fraud in an environment that imposes sufcient pressure

on them.

.A2 Fraudulent nancial reporting involves intentional misstatements, in-

cluding omissions of amounts or disclosures in nancial statements to deceive

nancial statement users. It can be caused by the efforts of management to

manage earnings in order to deceive nancial statement users by inuenc-

ing their perceptions about the entity's performance and protability. Such

earnings management may start out with small actions or inappropriate ad-

justment of assumptions and changes in judgments by management. Pres-

sures and incentives may lead these actions to increase to the extent that they

result in fraudulent nancial reporting. Such a situation could occur when,

due to pressures to meet expectations or a desire to maximize compensation

based on performance, management intentionally takes positions that lead

to fraudulent nancial reporting by materially misstating the nancial state-

ments. In some entities, management may be motivated to reduce earnings

by a material amount to minimize tax or to inate earnings to secure bank

nancing.

.A3 An auditor conducting an audit in accordance with GAAS is responsi-

ble for obtaining reasonable assurance about whether the nancial statements

as a whole are free from material misstatement, whether caused by fraud or

error. Accordingly, the auditor is primarily concerned with fraud that causes

a material misstatement of the nancial statements. However, in conducting

the audit, the auditor may identify misstatements arising from fraud that are

not material to the nancial statements. Paragraphs .35–.36 and .39–.42 ad-

dress the auditor's responsibilities in such circumstances in evaluating audit

evidence and in communicating audit ndings, respectively.

.A4 Intent is often difcult to determine, particularly in matters involving

accounting estimates and the application of accounting principles. For example,

unreasonable accounting estimates may be unintentional or may be the result

of an intentional attempt to misstate the nancial statements. Although an

audit is not designed to determine intent, the auditor's objective is to obtain

reasonable assurance about whether the nancial statements as a whole are

free from material misstatement, whether due to fraud or error.

.A5 Fraudulent nancial reporting may be accomplished by the following:

•

Manipulation, falsication (including forgery), or alteration of ac-

counting records or supporting documentation from which the -

nancial statements are prepared

•

Misrepresentation in, or intentional omission from, the nancial

statements of events, transactions, or other signicant informa-

tion

Paragraph .12 of section 200.

Consideration of Fraud in a Financial Statement Audit 175

•

Intentional misapplication of accounting principles relating to

amounts, classication, manner of presentation, or disclosure

.A6 Fraudulent nancial reporting often involves management override

of controls that otherwise may appear to be operating effectively. Fraud can be

committed by management overriding controls intentionally using such tech-

niques as the following:

•

Recording ctitious journal entries, particularly close to the end of

an accounting period, to manipulate operating results or achieve

other objectives

•

Inappropriately adjusting assumptions and changing judgments

used to estimate account balances

•

Omitting,advancing, or delaying recognition in the nancial state-

ments of events and transactions that have occurred during the

reporting period

•

Omitting, obscuring, or misstating disclosures required by the ap-

plicable nancial reporting framework or disclosures that are nec-

essary to achieve fair presentation

•

Concealing facts that could affect the amounts recorded in the -

nancial statements

•

Engaging in complex transactions that are structured to misrep-

resent the nancial position or nancial performance of the entity

•

Altering records and terms related to signicant and unusual

transactions

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 134.]

.A7 Misappropriation of assets involves the theft of an entity's assets and

is often perpetrated by employees in relatively small and immaterial amounts.

However, it can also involve management, who is usually better able to disguise

or conceal misappropriations in ways that are difcult to detect. Misappropria-

tion of assets can be accomplished in a variety of ways including the following:

•

Embezzling receipts (for example, misappropriating collections on

accounts receivable or diverting receipts from written-off accounts

to personal bank accounts)

•

Stealing physical assets or intellectual property (for example,

stealing inventory for personal use or for sale, stealing scrap for

resale, or colluding with a competitor by disclosing technological

data in return for payment)

•

Causing an entity to pay for goods and services not received (for

example, payments to ctitious vendors, kickbacks paid by ven-

dors to the entity's purchasing agents in return for approving pay-

ment at inated prices, or payments to ctitious employees)

•

Using an entity's assets for personal use (for example, using the

entity's assets as collateral for a personal loan or a loan to a related

party)

Misappropriation of assets is often accompanied by false or misleading records

or documents in order to conceal the fact that the assets are missing or have

been pledged without proper authorization.

176 General Principles and Responsibilities

Considerations Speciﬁc to Governmental Entities and Not-for-Proﬁt

Organizations

.A8 The auditor of governmental entities and not-for-prot organizations

may have additional responsibilities relating to fraud

•

as a result of being engaged to conduct an audit in accordance with

law or regulation applicable to governmental entities and not-for-

prot organizations,

•

because of a governmental audit organization's mandate, or

•

because of the need to comply with Government Auditing Stan-

dards.

Consequently, the responsibilities of the auditor of governmental entities and

not-for-prot organizations may not be limited to consideration of risks of ma-

terial misstatement of the nancial statements, but may also include a broader

responsibility to consider risks of fraud.

Professional Skepticism (Ref: par. .12–.14)

.A9 Maintaining professional skepticism requires an ongoing questioning

of whether the information and audit evidence obtained suggests that a mate-

rial misstatement due to fraud may exist. It includes considering the reliabil-

ity of the information to be used as audit evidence and the controls over its

preparation and maintenance when relevant. Due to the characteristics of

fraud, the auditor's professional skepticism is particularly important when con-

sidering the risks of material misstatement due to fraud.

.A10 Although the auditor cannot be expected to disregard past experience

of the honesty and integrity of the entity's management and those charged with

governance, the auditor's professional skepticism is particularly important in

considering the risks of material misstatement due to fraud because there may

have been changes in circumstances.

.A11 An audit performed in accordance with GAAS rarely involves the au-

thentication of documents, nor is the auditor trained as, or expected to be, an

expert in such authentication.

However, when the auditor identies condi-

tions that cause the auditor to believe that a document may not be authentic,

that terms in a document have been modied but not disclosed to the auditor, or

that undisclosed side agreements may exist, possible procedures to investigate

further may include

•

conrming directly with the third party.

•

using the work of a specialist to assess the document's authentic-

ity.

Appendix C, "Examples of Circumstances That Indicate the Possibility of

Fraud," contains examples of circumstances that may indicate the possibility

of fraud.

Discussion Among the Engagement Team (Ref: par. .15)

.A12 Discussing the susceptibility of the entity's nancial statements to

material misstatement due to fraud with the engagement team

Paragraph .A51 of section 200.

Consideration of Fraud in a Financial Statement Audit 177

•

provides an opportunity for more experienced engagement team

members to share their insights about how and where the nan-

cial statements may be susceptible to material misstatement due

to fraud.

•

enables the auditor to consider an appropriate response to such

susceptibility and to determine which members of the engagement

team will conduct certain audit procedures.

•

permits the auditor to determine how the results of audit proce-

dures will be shared among the engagement team and how to deal

with any allegations of fraud that may come to the auditor's atten-

tion during the audit.

.A13 The discussion may lead to a thorough probing of the issues, acquir-

ing of additional evidence as necessary, and consulting with other team mem-

bers and, if appropriate, specialists in or outside the rm. The discussion may

include the following matters:

•

A consideration of the risk that management may attempt to

present disclosures in a manner that may obscure a proper under-

standing of the matters disclosed (for example, by using unclear

or ambiguous language)

•

A consideration of management's involvement in overseeing em-

ployees with access to cash or other assets susceptible to misap-

propriation

•

A consideration of any unusual or unexplained changes in behav-

ior or lifestyle of management or employees that have come to the

attention of the engagement team

•

A consideration of the types of circumstances that, if encountered,

might indicate the possibility of fraud

•

A consideration of how an element of unpredictability will be in-

corporated into the nature, timing, and extent of the audit proce-

durestobeperformed

•

A consideration of the audit procedures that might be selected to

respond to the susceptibility of the entity's nancial statements

to material misstatement due to fraud and whether certain types

of audit procedures are more effective than others

•

A consideration of any allegations of fraud that have come to the

auditor's attention

A number of factors may inuence the extent of the discussion and how it may

occur. For example, if the audit involves more than one location, there could be

multiple discussions with team members in differing locations. Another factor

in planning the discussions is whether to include specialists assigned to the

audit team. [As amended, effective for audits of nancial statements for periods

ending on or after December 15, 2021, by SAS No. 134.]

Risk Assessment Procedures and Related Activities

Inquiries of Management

Management's Assessment of the Risk of Material Misstatement Due to Fraud

(Ref: par. .17a)

.A14 Management accepts responsibility for the entity's internal con-

trol and for the preparation and fair presentation of the entity's nancial

178 General Principles and Responsibilities

statements. Accordingly, it is appropriate for the auditor to make inquiries of

management regarding management's own assessment of the risk of fraud and

the controls in place to prevent and detect it. The nature, extent, and frequency

of management's assessment of such risk and controls may vary from entity

to entity. In some entities, management may make detailed assessments on

an annual basis or as part of continuous monitoring. In other entities, man-

agement's assessment may be less structured and less frequent. The nature,

extent, and frequency of management's assessment are relevant to the audi-

tor's understanding of the entity's control environment. For example, the fact

that management has not made an assessment of the risk of fraud may, in some

circumstances, be indicative of the lack of importance that management places

on internal control.

.A15 Considerations specic to smaller, less complex entities. In some enti-

ties, particularly smaller entities, the focus of management's assessment may

be on the risks of employee fraud or misappropriation of assets.

Management's Process for Identifying and Responding to the Risks of Fraud

(Ref: par. .17b)

.A16 In the case of entities with multiple locations, management's pro-

cesses may include different levels of monitoring of operating locations or busi-

ness segments. Management may also have identied particular operating lo-

cations or business segments for which a risk of fraud may be more likely to

exist.

Discussions With Management and Others Within the Entity

(Ref: par. .17–.19)

.A17 Inquiries of management and others within the entity are generally

most effective when they involve an in-person discussion. The auditor may also

determine it useful to provide the interviewee with specic questions and ob-

tain written responses in advance of the discussion.

.A18 The auditor's inquiries of management may provide useful informa-

tion concerning the risks of material misstatements in the nancial statements

resulting from employee fraud. However, such inquiries are unlikely to provide

useful information regarding the risks of material misstatement in the nan-

cial statements resulting from management fraud. Making inquiries of others

within the entity, in addition to management, may provide individuals with

an opportunity to convey information to the auditor that may not otherwise be

communicated. It may be useful in providing the auditor with a perspective that

is different from that of individuals in the nancial reporting process. The re-

sponses to these other inquiries might serve to corroborate responses received

from management or, alternatively, might provide information regarding the

possibility of management override of controls. The auditor may also obtain in-

formation about how effectively management has communicated standards of

ethical behavior throughout the organization.

.A19 Examples of others within the entity to whom the auditor may direct

inquiries about the existence or suspicion of fraud include the following:

•

Operating personnel not directly involved in the nancial report-

ing process

•

Employees with different levels of authority

•

Employees involved in initiating, processing, or recording com-

plex or unusual transactions (for example,a sales transaction with

multiple elements or a signicant related party transaction) and

those who supervise or monitor such employees

Consideration of Fraud in a Financial Statement Audit 179

•

In-house legal counsel

•

Chief ethics ofcer or equivalent person

•

The person or persons charged with dealing with allegations of

fraud

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 135.]

.A20 Management is often in the best position to perpetrate fraud. Accord-

ingly, when evaluating management's responses to inquiries with professional

skepticism, the auditor may judge it necessary to corroborate responses to in-

quiries with other information.

Obtaining an Understanding of Oversight Exercised by Those Charged

With Governance (Ref: par. .20)

.A21 Those charged with governance of an entity oversee the entity's sys-

tems for monitoring risk, nancial control, and compliance with the law. In some

circumstances, governance practices are well developed, and those charged

with governance play an active role in oversight of the entity's assessment of

the risks of fraud and of the relevant internal control. Because the responsibili-

ties of those charged with governance and management may vary by entity, it is

important that the auditor understands the respective responsibilities of those

charged with governance and management to enable the auditor to obtain an

understanding of the oversight exercised by the appropriate individuals.

.A22 An understanding of the oversight exercised by those charged with

governance may provide insights regarding the susceptibility of the entity to

management fraud, the adequacy of internal control over risks of fraud, and

the competency and integrity of management. The auditor may obtain this un-

derstanding in a number of ways, such as by attending meetings during which

such discussions take place, reading the minutes from such meetings, or mak-

ing inquiries of those charged with governance.

Considerations Specic to Smaller, Less Complex Entities

.A23 In some cases, all of those charged with governance are involved in

managing the entity. This may be the case in a small entity in which a single

owner manages the entity, and no one else has a governance role. In these cases,

ordinarily, no action exists on the part of the auditor because no oversight exists

separate from management.

Unusual or Unexpected Relationships Identiﬁed (Ref: par. .22)

.A24 Analytical procedures may include data analysis techniques ranging

from a high-level review of data patterns, relationships, and trends to highly

sophisticated, computer-assisted investigation of detailed transactions using

electronic tools, such as data mining, business intelligence, and le query tools.

The degree of reliance that can be placed on such techniques is a function pri-

marily of the source (for example, nancial, nonnancial), completeness and re-

liability of the data, the level of disaggregation, and the nature of the analysis.

.A25 Analytical procedures relating to revenue that are performed with

the objective of identifying unusual or unexpected relationships that may indi-

cate a material misstatement due to fraudulent nancial reporting may include

Paragraphs .A6–.A12 of section 260 discuss with whom the auditor communicates when the

entity's governance structure is not well dened.

180 General Principles and Responsibilities

a. a comparison of sales volume, as determined from recorded rev-

enue amounts, with production capacity. An excess of sales vol-

ume over production capacity may be indicative of recording c-

titious sales.

b. a trend analysis of revenues by month and sales returns by

month, during and shortly after the reporting period. This may

indicate the existence of undisclosed side agreements with cus-

tomers involving the return of goods, which, if known, would pre-

clude revenue recognition.

c. a trend analysis of sales by month compared with units shipped.

This may identify a material misstatement of recorded revenues.

.A26 Analytical procedures performed during planning may be helpful in

identifying the risks of material misstatement due to fraud. However, if such

analytical procedures use data aggregated at a high level, generally the re-

sults of those analytical procedures provide only a broad initial indication about

whether a material misstatement of the nancial statements may exist. Accord-

ingly, the results of analytical procedures performed during planning may be

considered along with other information gathered by the auditor in identifying

the risks of material misstatement due to fraud.

Other Information (Ref: par. .23)

.A27 In addition to information obtained from applying analytical proce-

dures, other information obtained about the entity and its environment may be

helpful in identifying the risks of material misstatement due to fraud. The dis-

cussion among team members may provide information that is helpful in iden-

tifying such risks. In addition, information obtained from the auditor's client

acceptance and retention processes, and experience gained on other engage-

ments performed for the entity, for example, engagements to review interim

nancial information, may be relevant in the identication of the risks of ma-

terial misstatement due to fraud.

Evaluation of Fraud Risk Factors (Ref: par. .24)

.A28 The fact that fraud is usually concealed can make it very difcult to

detect. Nevertheless, the auditor may identify events or conditions that indicate

an incentive or pressure to commit fraud or provide an opportunity to commit

fraud (fraud risk factors), such as the following:

•

The need to meet expectations of third parties to obtain additional

equity nancing may create pressure to commit fraud.

•

The granting of signicant bonuses if unrealistic prot targets are

met may create an incentive to commit fraud.

•

A control environment that is not effective may create an oppor-

tunity to commit fraud.

.A29 Fraud risk factors cannot easily be ranked in order of importance.

The signicance of fraud risk factors varies widely. Some of these factors will

be present in entities in which the specic conditions do not present risks of

material misstatement. Accordingly, the determination of whether a fraud risk

factor is present and whether it is to be considered in assessing the risks of

material misstatement of the nancial statements due to fraud requires the

exercise of professional judgment.

.A30 Examples of fraud risk factors related to fraudulent nancial report-

ing and misappropriation of assets are presented in appendix A, "Examples of

Fraud Risk Factors." These illustrative risk factors are classied based on the

three conditions that are generally present when fraud exists:

Consideration of Fraud in a Financial Statement Audit 181

•

An incentive or pressure to commit fraud

•

A perceived opportunity to commit fraud

•

An ability to rationalize the fraudulent action

The inability to observe one or more of these conditions does not necessarily

mean that no risk of material misstatement due to fraud exists.

Risk factors reective of an attitude that permits rationalization of the fraudu-

lent action may not be susceptible to observation by the auditor. Nevertheless,

the auditor may become aware of the existence of such information. Although

the fraud risk factors described in appendix A cover a broad range of situations

that may be faced by auditors, they are only examples and other risk factors

may exist.

.A31 The size, complexity, and ownership characteristics of the entity have

a signicant inuence on the consideration of relevant fraud risk factors. For

example, in the case of a large entity, there may be factors that generally con-

strain improper conduct by management, such as

•

effective oversight by those charged with governance.

•

an effective internal audit function.

•

the existence and enforcement of a written code of conduct.

Furthermore, fraud risk factors considered at a business segment operating

level may provide different insights when compared with those obtained when

considered at an entity-wide level.

Considerations Specic to Smaller, Less Complex Entities

.A32 In the case of a small entity, some or all of these considerations may

be inapplicable or less relevant. For example, a smaller entity may not have a

written code of conduct but, instead, may have developed a culture that em-

phasizes the importance of integrity and ethical behavior through oral commu-

nication and by management example. Domination of management by a single

individual in a small entity does not generally, in and of itself, indicate a failure

by management to display and communicate an appropriate attitude regarding

internal control and the nancial reporting process. In some entities, the need

for management authorization can compensate for otherwise decient controls

and reduce the risk of employee fraud. However, domination of management by

a single individual can be a potential deciency in internal control because an

opportunity exists for management override of controls.

Identiﬁcation and Assessment of the Risks of Material

Misstatement Due to Fraud

Risks of Fraud in Revenue Recognition (Ref: par. .26)

.A33 Material misstatement due to fraudulent nancial reporting relat-

ing to revenue recognition often results from an overstatement of revenues

through, for example, premature revenue recognition or recording ctitious rev-

enues. It may result also from an understatement of revenues through, for ex-

ample, improperly shifting revenues to a later period.

.A34 The risks of fraud in revenue recognition may be greater in some enti-

ties than others. For example, there may be pressures or incentives on manage-

ment to commit fraudulent nancial reporting through inappropriate revenue

recognition when, for example, performance is measured in terms of year over

year revenue growth or prot. Similarly, for example, there may be greater risks

182 General Principles and Responsibilities

of fraud in revenue recognition in the case of entities that generate a substan-

tial portion of revenues through cash sales.

.A35 The presumption that risks of fraud exist in revenue recognition may

be rebutted. For example, the auditor may conclude that no risk of material

misstatement due to fraud relating to revenue recognition exists in the case in

which a single type of simple revenue transaction exists, for example, leasehold

revenue from a single unit rental property.

Identifying and Assessing the Risks of Material Misstatement Due to Fraud

and Understanding the Entity’s Related Controls (Ref: par. .27)

.A36 Management may make judgments on the nature and extent of the

controls it chooses to implement, and the nature and extent of the risks it

chooses to assume.

In determining which controls to implement to prevent

and detect fraud, management considers the risks that the nancial statements

may be materially misstated as a result of fraud. As part of this consideration,

management may conclude that it is not cost effective to implement and main-

tain a particular control in relation to the reduction in the risks of material

misstatement due to fraud to be achieved.

.A37 It is, therefore, important for the auditor to obtain an understanding

of the controls that management has designed, implemented, and maintained

to prevent and detect fraud. In doing so, the auditor may learn, for example, that

management has consciously chosen to accept the risks associated with a lack

of segregation of duties. Information from obtaining this understanding may

also be useful in identifying fraud risks factors that may affect the auditor's

assessment of the risks that the nancial statements may contain material

misstatement due to fraud.

Responses to the Assessed Risks of Material Misstatement

Due to Fraud

Overall Responses (Ref: par. .28)

.A38 Determining overall responses to address the assessed risks of ma-

terial misstatement due to fraud generally includes the consideration of how

the overall conduct of the audit can reect increased professional skepticism

through, for example, increased

•

sensitivity in the selection of the nature and extent of documen-

tation to be examined in support of material transactions.

•

recognition of the need to corroborate management explanations

or representations concerning material matters.

Determining overall responses to address the assessed risks of material mis-

statement due to fraud also involves more general considerations apart from

the specic procedures otherwise planned; these considerations include the

matters listed in paragraph .29, which are discussed in the following sections.

Assignment and Supervision of Personnel (Ref: par. .29a)

.A39 The auditor may respond to identied risks of material misstatement

due to fraud by, for example, assigning additional individuals with specialized

Paragraph .A49 of section 315.

Consideration of Fraud in a Financial Statement Audit 183

skill and knowledge, such as forensic and IT specialists, or by assigning more

experienced individuals to the engagement.

.A40 The extent of supervision reects the auditor's assessment of risks of

material misstatement due to fraud and the competencies of the engagement

team members performing the work.

Accounting Principles (Ref: par. .29b)

.A41 Management bias in the selection and application of accounting prin-

ciples may individually or collectively involve matters such as contingencies,

fair value measurements, revenue recognition, accounting estimates, related

party transactions, or other transactions without a clear business purpose.

Unpredictability in the Selection of Audit Procedures

(Ref: par. .29c)

.A42 Incorporating an element of unpredictability in the selection of the

nature, timing, and extent of audit procedures to be performed is important be-

cause individuals within the entity who are familiar with the audit procedures

normally performed on engagements may be better able to conceal fraudulent

nancial reporting. This can be achieved by, for example,

•

performing substantive procedures on selected account balances

and assertions not otherwise tested due to their materiality or

risk.

•

adjusting the timing of audit procedures from that otherwise ex-

pected.

•

using different sampling methods.

•

performing audit procedures at different locations or at locations

on an unannounced basis.

Audit Procedures Responsive to Assessed Risks of Material Misstatement

Due to Fraud at the Assertion Level (Ref: par. .30)

.A43 The auditor's responses to address the assessed risks of material mis-

statement due to fraud at the assertion level may include changing the nature,

timing, and extent of audit procedures in the following ways:

•

The nature of audit procedures to be performed may need to be

changed to obtain audit evidence that is more reliable and rele-

vant or to obtain additional corroborative information. This may

affect both the type of audit procedures to be performed and their

combination. For example:

— Physical observation or inspection of certain assets may

become more important, or the auditor may choose to use

computer-assisted audit techniques to gather more evi-

dence about data contained in signicant accounts or elec-

tronic transaction les.

— The auditor may design procedures to obtain additional

corroborative information. For example, if the auditor

identies that management is under pressure to meet

earnings expectations, there may be a related risk that

management is inating sales by entering into sales agree-

ments that include terms that preclude revenue recog-

nition or by invoicing sales before delivery. In these cir-

cumstances, the auditor may, for example, design external

184 General Principles and Responsibilities

conrmations not only to conrm outstanding amounts,

but also to conrm the details of the sales agreements, in-

cluding date, any rights of return, and delivery terms. In

addition, the auditor might nd it effective to supplement

such external conrmations with inquiries of nonnancial

personnel in the entity regarding any changes in sales

agreements and delivery terms.

•

The timing of substantive procedures may need to be modied.

The auditor may conclude that performing substantive testing at

or near the period end better addresses an assessed risk of ma-

terial misstatement due to fraud. The auditor may conclude that,

given the assessed risks of intentional misstatement or manipula-

tion, audit procedures to extend audit conclusions from an interim

date to the period end would not be effective. In contrast, because

an intentional misstatement — for example, a misstatement in-

volving improper revenue recognition — may have been initiated

in an interim period, the auditor may elect to apply substantive

procedures to transactions occurring earlier in or throughout the

reporting period.

•

The extent of the procedures applied reects the assessment of the

risks of material misstatement due to fraud. For example, increas-

ing sample sizes or performing analytical procedures at a more

detailed level may be appropriate. Also, computer-assisted audit

techniques may enable more extensive testing of electronic trans-

actions and account les. Such techniques can be used to select

sample transactions from key electronic les, to sort transactions

with specic characteristics, or to test an entire population instead

of a sample.

.A44 If the auditor identies a risk of material misstatement due to fraud

that affects inventory quantities, examining the entity's inventory records may

help to identify locations or items that require specic attention during or after

the physical inventory count. Such a review may lead to a decision to observe

inventory counts at certain locations on an unannounced basis or to conduct

inventory counts at all locations on the same date.

.A45 The auditor may identify a risk of material misstatement due to fraud

affecting a number of accounts and assertions. These may include asset valu-

ation, estimates relating to specic transactions (such as acquisitions, restruc-

turings, or disposals of segments of the business), and other signicant accrued

liabilities (such as pension and other postemployment benet obligations, or

environmental remediation liabilities). The risk may also relate to signicant

changes in assumptions relating to recurring estimates. Information gathered

through obtaining an understanding of the entity and its environment may

assist the auditor in evaluating the reasonableness of such management esti-

mates and underlying judgments and assumptions. A retrospective review of

similar management judgments and assumptions applied in prior periods may

also provide insight about the reasonableness of judgments and assumptions

supporting management estimates.

.A46 Examples of possible audit procedures to address the assessed risks

of material misstatement due to fraud, including those that illustrate the in-

corporation of an element of unpredictability, are presented in appendix B,

"Examples of Possible Audit Procedures to Address the Assessed Risks of Mate-

rial Misstatement Due to Fraud." The appendix includes examples of responses

to the auditor's assessment of the risks of material misstatement resulting from

Consideration of Fraud in a Financial Statement Audit 185

both fraudulent nancial reporting, including fraudulent nancial reporting re-

sulting from revenue recognition, and misappropriation of assets.

Audit Procedures Responsive to Risks Related to Management Override

of Controls

Journal Entries and Other Adjustments (Ref: par. .32a)

.A47 Material misstatements of nancial statements due to fraud often

involve the manipulation of the nancial reporting process by (a) recording in-

appropriate or unauthorized journal entries throughout the year or at period

end, or (b) making adjustments to amounts reported in the nancial statements

that are not reected in formal journal entries, such as through consolidating

adjustments, report combinations, and reclassications.

.A48 The auditor's consideration of the risks of material misstatement as-

sociated with inappropriate override of controls over journal entries is impor-

tant because automated processes and controls may reduce the risk of inadver-

tent error but do not overcome the risk that individuals may inappropriately

override such automated processes, for example, by changing the amounts be-

ing automatically passed to the general ledger or to the nancial reporting

system. Furthermore, when IT is used to transfer information automatically,

there may be little or no visible evidence of such intervention in the information

systems.

.A49 When identifying and selecting journal entries and other adjust-

ments for testing and determining the appropriate method of examining

the underlying support for the items selected, the following matters may be

relevant:

•

The assessment of the risks of material misstatement due to fraud.

The presence of fraud risk factors and other information obtained

during the auditor's assessment of the risks of material mis-

statement due to fraud may assist the auditor to identify specic

classes of journal entries and other adjustments for testing.

•

Controls that have been implemented over journal entries and

other adjustments. Effective controls over the preparation and

posting of journal entries and other adjustments may reduce the

extent of substantive testing necessary, provided that the auditor

has tested the operating effectiveness of the controls.

•

The entity's nancial reporting process and the nature of evidence

that can be obtained. For many entities, routine processing of

transactions involves a combination of manual and automated

steps and procedures. Similarly, the processing of journal entries

and other adjustments may involve both manual and automated

procedures and controls. When IT is used in the nancial report-

ing process, journal entries and other adjustments may exist only

in electronic form.

•

The characteristics of fraudulent journal entries or other adjust-

ments. Inappropriate journal entries or other adjustments often

have unique identifying characteristics. Such characteristics may

include entries (a) made to unrelated, unusual, or seldom-used ac-

counts; (b) made by individuals who typically do not make journal

entries; (c) recorded at the end of the period or as postclosing en-

tries that have little or no explanation or description; (d) made ei-

ther before or during the preparation of the nancial statements

186 General Principles and Responsibilities

that do not have account numbers; or (e) containing round num-

bers or consistent ending numbers.

•

The nature and complexity of the accounts. Inappropriate journal

entries or adjustments may be applied to accounts that (a)contain

transactions that are complex or unusual in nature, (b)contain

signicant estimates and period-end adjustments, (c) have been

prone to misstatements in the past, (d) have not been reconciled

on a timely basis or contain unreconciled differences, (e)contain

intercompany transactions, or (f) are otherwise associated with an

identied risk of material misstatement due to fraud. In audits

of entities that have several locations or components, considera-

tion is given to the need to select journal entries from multiple

locations.

•

Journal entries or other adjustments processed outside the normal

course of business. Nonstandard journal entries, and other entries

such as consolidating adjustments, may not be subject to the same

level of internal control as those journal entries used on a recur-

ring basis to record transactions such as monthly sales, purchases,

and cash disbursements.

.A50 The auditor exercises professional judgment in determining the na-

ture, timing, and extent of testing of journal entries and other adjustments.

However, because fraudulent journal entries and other adjustments are often

made at the end of a reporting period, paragraph .32a(iv) requires the au-

ditor to select the journal entries and other adjustments made at that time.

Further, because material misstatements in nancial statements due to fraud

can occur throughout the period and may involve extensive efforts to conceal

how the fraud is accomplished, paragraph .32a(v) requires the auditor to con-

sider whether a need also exists to test journal entries and other adjustments

throughout the period.

Accounting Estimates (Ref: par. .32b)

.A51 The preparation and fair presentation of the nancial statements re-

quires management to make a number of judgments or assumptions that af-

fect signicant accounting estimates and monitor the reasonableness of such

estimates on an ongoing basis. Fraudulent nancial reporting is often accom-

plished through intentional misstatement of accounting estimates. This may be

achieved by, for example, understating or overstating all provisions or reserves

in the same fashion so as to be designed either to smooth earnings over two

or more accounting periods, or to achieve a designated earnings level in order

to deceive nancial statement users by inuencing their perceptions about the

entity's performance and protability.

.A52 The purpose of performing a retrospective review of management

judgments and assumptions related to signicant accounting estimates re-

ected in the nancial statements of the prior year is to determine whether

an indication exists of a possible bias on the part of management. This review

is not intended to call into question the auditor's professional judgments made

in the prior year that were based on information available at the time.

.A53 A retrospective review is also required by section 540, Auditing Ac-

counting Estimates, Including Fair Value Accounting Estimates, and Related

Disclosures.

That review is conducted as a risk assessment procedure to

Paragraph .09 of section 540A, Auditing Accounting Estimates, Including Fair Value Account-

ing Estimates, and Related Disclosures.

Consideration of Fraud in a Financial Statement Audit 187

obtain information regarding the effectiveness of management's prior period

estimation process, audit evidence about the outcome, or when applicable, the

subsequent reestimation of prior period accounting estimates that is pertinent

to making current period accounting estimates, and audit evidence of matters,

such as estimation uncertainty, that may be required to be disclosed in the -

nancial statements. As a practical matter, the auditor's review of management

judgments and assumptions for biases that could represent a risk of material

misstatement due to fraud in accordance with this section may be carried out

in conjunction with the review required by section 540A.

Business Purpose for Signicant Unusual Transactions (Ref: par. .32c)

.A54 Indicators that may suggest that signicant unusual transactions

may have been entered into to engage in fraudulent nancial reporting or to

conceal misappropriation of assets include the following:

•

The form of such transactions appears overly complex (for exam-

ple, the transaction involves multiple entities within a consoli-

dated group or multiple unrelated third parties).

•

Management has not discussed the nature of and accounting for

such transactions with those charged with governance of the en-

tity, and inadequate documentation exists.

•

Management is placing more emphasis on the need for a partic-

ular accounting treatment than on the economic substance of the

transaction.

•

Transactions involve nonconsolidated related parties, including

special purpose entities, have not been properly reviewed or ap-

proved by those charged with governance of the entity.

•

Transactions involve related parties or relationships or transac-

tions with related parties previously undisclosed to the auditor.

•

Transactions involve other parties that do not have the substance

or the nancial strength to support the transaction without as-

sistance from the entity under audit or any related party of the

entity.

•

Transactions lack commercial or economic substance or are part

of a larger series of connected, linked, or otherwise interdepen-

dent arrangements that lack commercial or economic substance

individually or in the aggregate (for example, a transaction is en-

tered into shortly prior to period end and is unwound shortly after

period end).

•

Transactions occur with a party that falls outside the denition

of a related party (as dened by the applicable nancial reporting

framework), with either party able to negotiate terms that may

not be available for other, more clearly independent parties on an

arm's-length basis.

•

Transactions exist to enable the entity to achieve certain nancial

targets.

[As amended, effective for audits of nancial statements for periods ending on

or after December 15, 2021, by SAS No. 135.]

.A55 Procedures for evaluating signicant unusual transactions may in-

clude evaluating the nancial capability of the other parties with respect to sig-

nicant uncollected balances, loan commitments, supply arrangements, guar-

antees and other obligations, if any. Examples of information that might be

relevant to the auditor's evaluation of a related party's nancial capability

188 General Principles and Responsibilities

include, among other things, the audited nancial statements of the related

party, reports issued by regulatory agencies, nancial publications, and income

tax returns of the related party, to the extent available. [Paragraph added, effec-

tive for audits of nancial statements for periods ending on or after December

15, 2021, by SAS No. 135.]

Other Audit Procedures (Ref: par. .32a and .33)

.A56 Risks of material misstatement, including misstatements due to

fraud, cannot be reduced to an appropriately low level by performing only tests

of controls.

[Paragraph renumbered by the issuance of SAS No. 135, May

2019.]

Evaluation of Audit Evidence (Ref: par. .34–.37)

.A57 Section 330 requires the auditor, based on the audit procedures per-

formed and the audit evidence obtained, to evaluate whether the assessments

of the risks of material misstatement at the assertion level remain appropri-

ate.

This evaluation is primarily a qualitative matter based on the auditor's

professional judgment. Such an evaluation may provide further insight into the

risks of material misstatement due to fraud and whether a need exists to per-

form additional or different audit procedures. Appendix C contains examples

of circumstances that may indicate the possibility of fraud. [Paragraph renum-

bered by the issuance of SAS No. 135, May 2019.]

Analytical Procedures Performed Near the End of the Audit in For ming an

Overall Conclusion (Ref: par. .34)

.A58 Determining which particular trends and relationships may indicate

a risk of material misstatement due to fraud requires professional judgment.

Unusual relationships involving year-end revenue and income are particularly

relevant. These might include, for example, uncharacteristically large amounts

of income being reported in the last few weeks of the reporting period or un-

usual transactions or income that is inconsistent with trends in cash ow from

operations. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

.A59 Some unusual or unexpected analytical relationships may have been

identied and may indicate a risk of material misstatement due to fraud be-

cause management or employees generally are unable to manipulate certain

information to create seemingly normal or expected relationships. Some exam-

ples are as follows:

•

The relationship of net income to cash ows from operations may

appear unusual because management recorded ctitious revenues

and receivables but was unable to manipulate cash.

•

Changes in inventory, accounts payable, sales, or cost of sales from

the prior period to the current period may be inconsistent, indicat-

ing a possible employee theft of inventory, because the employee

was unable to manipulate all of the related accounts.

•

A comparison of the entity's protability to industry trends, which

management cannot manipulate, may indicate trends or differ-

ences for further consideration when identifying risks of material

misstatement due to fraud.

Paragraph .A9 of section 330.

Paragraph .27 of section 330.

Consideration of Fraud in a Financial Statement Audit 189

•

A comparison of bad debt write-offs to comparable industry data,

which employees cannot manipulate, may provide unexplained re-

lationships that could indicate a possible theft of cash receipts.

•

An unexpected or unexplained relationship between sales volume,

as determined from the accounting records and production statis-

tics maintained by operations personnel, which may be more dif-

cult for management to manipulate, may indicate a possible mis-

statement of sales.

[Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

Consideration of Identiﬁed Misstatements (Ref: par. .35–.37)

.A60 Because fraud involves incentive or pressure to commit fraud, a per-

ceived opportunity to do so, or some rationalization of the act, an instance of

fraud is unlikely to be an isolated occurrence. Accordingly, misstatements, such

as numerous misstatements at a specic location even though the cumulative

effect is not material, may be indicative of a risk of material misstatement due

to fraud. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

.A61 The implications of identied fraud depend on the circumstances. For

example, an otherwise insignicant fraud may be signicant if it involves se-

nior management. In such circumstances, the reliability of evidence previously

obtained may be called into question because there may be doubts about the

completeness and truthfulness of representations made and the genuineness of

accounting records and documentation. There may also be a possibility of col-

lusion involving employees, management, or third parties. [Paragraph renum-

bered by the issuance of SAS No. 135, May 2019.]

.A62 Section 450, Evaluation of Misstatements Identied During the Audit,

and section 700, Forming an Opinion and Reporting on Financial Statements,

and section 703, Forming an Opinion and Reporting on Financial Statements

of Employee Benet Plans Subject to ERISA, address the evaluation and dispo-

sition of misstatements and the effect on the auditor's opinion in the auditor's

report. [Paragraph renumbered by the issuance of SAS No. 135, May 2019. As

amended, effective for audits of nancial statements for periods ending on or

after December 15, 2021, by SAS No. 136.]

.A63 Section 580, Written Representations, addresses obtaining appropri-

ate representations from management in the audit. In addition to acknowledg-

ing its responsibility for the nancial statements, it is important that, irrespec-

tive of the size of the entity, management acknowledges its responsibility for

internal control designed, implemented, and maintained to prevent and detect

fraud. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

Auditor Unable to Continue the Engagement (Ref: par. .38)

.A64 Examples of circumstances that may arise and bring into question

the auditor's ability to continue performing the audit include the following:

a. The entity does not take the appropriate action regarding fraud

that the auditor considers necessary in the circumstances, even

when the fraud is not material to the nancial statements.

b. The auditor's consideration of the risks of material misstatement

due to fraud and the results of audit tests indicate a signicant

risk of material and pervasive fraud.

c. The auditor has signicant concern about the competence or in-

tegrity of management or those charged with governance.

[Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

190 General Principles and Responsibilities

.A65 Because of the variety of circumstances that may arise, it is not pos-

sible to describe denitively when withdrawal from an engagement is appro-

priate. Factors that affect the auditor's conclusion include the implications of

the involvement of a member of management or of those charged with gov-

ernance (which may affect the reliability of management representations) and

the effects on the auditor of a continuing association with the entity. [Paragraph

renumbered by the issuance of SAS No. 135, May 2019.]

.A66 The auditor has professional and legal responsibilities in such cir-

cumstances, and these responsibilities may vary by engagement. In some cir-

cumstances, for example, the auditor may be entitled to, or required to, make

a statement or report to the person or persons who engaged the auditor or, in

some cases, to regulatory authorities. Given the nature of the circumstances

and the need to consider the legal requirements, the auditor may consider it

appropriate to seek legal advice when deciding whether to withdraw from an

engagement and in determining an appropriate course of action, including the

possibility of reporting to regulators or others.

[Paragraph renumbered by the

issuance of SAS No. 135, May 2019.]

Considerations Speciﬁc to Governmental Entities and Not-for-Proﬁt

Organizations

.A67 For governmental entities and not-for-prot organizations, the option

of withdrawing from the engagement may not be available to the auditor due to

the nature of the mandate, public interest considerations, contractual require-

ments, or law or regulation. [Paragraph renumbered by the issuance of SAS No.

135, May 2019.]

Communications to Management and With Those Charged

With Governance

Communication to Management (Ref: par. .39)

.A68 When the auditor has obtained evidence that fraud exists or may

exist, it is important that the matter be brought to the attention of the ap-

propriate level of management as soon as practicable. This is true even if the

matter might be considered inconsequential (for example, a minor defalcation

by an employee at a low level in the entity's organization). The determination

of which level of management is the appropriate one is a matter of professional

judgment and is affected by such factors as the likelihood of collusion and the

nature and magnitude of the suspected fraud. Ordinarily, the appropriate level

of management is at least one level above the persons who appear to be involved

with the suspected fraud. [Paragraph renumbered by the issuance of SAS No.

135, May 2019.]

Communication With Those Charged With Governance (Ref: par. .40)

.A69 The auditor's communication with those charged with governance

may be made orally or in writing. Section 260, The Auditor's Communication

With Those Charged With Governance, identies factors the auditor considers

in determining whether to communicate orally or in writing.

Duetothena-

ture and sensitivity of fraud involving senior management, or fraud that results

Section 510, Opening Balances—Initial Audit Engagements, Including Reaudit Engagements,

provides guidance on communications with an auditor replacing the existing auditor.

Paragraph .A49 of section 260.

Consideration of Fraud in a Financial Statement Audit 191

in a material misstatement in the nancial statements, the auditor communi-

cates such matters on a timely basis and may consider it necessary to also com-

municate such matters in writing. [Paragraph renumbered by the issuance of

SAS No. 135, May 2019.]

.A70 In some cases, the auditor may consider it appropriate to commu-

nicate with those charged with governance when the auditor becomes aware

of fraud involving employees other than management that does not result in

a material misstatement. Similarly, those charged with governance may wish

to be informed of such circumstances. The communication process is assisted

if the auditor and those charged with governance agree at an early stage in

the audit about the nature and extent of the auditor's communications in this

regard. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

.A71 When the auditor has doubts about the integrity or honesty of man-

agement or those charged with governance, the auditor may consider it appro-

priate to obtain legal advice to assist in determining the appropriate course of

action. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

Other Matters Related to Fraud (Ref: par. .41)

.A72 Other matters related to fraud to be discussed with those charged

with governance of the entity may include, for example, the following:

•

Concerns about the nature, extent, and frequency of manage-

ment's assessments of the controls in place to prevent and detect

fraud and of the risk that the nancial statements may be mis-

stated.

•

A failure by management to appropriately address identied sig-

nicant deciencies or material weaknesses in internal control, or

to appropriately respond to an identied fraud.

•

The auditor's evaluation of the entity's control environment, in-

cluding questions regarding the competence and integrity of man-

agement.

•

Actions by management that may be indicative of fraudulent -

nancial reporting, such as management's selection and application

of accounting policies that may be indicative of management's ef-

fort to manage earnings in order to deceive nancial statement

users by inuencing their perceptions concerning the entity's per-

formance and protability.

•

Concerns about the adequacy and completeness of the authoriza-

tion of signicant unusual transactions.

•

The absence of programs or controls to address risks of material

misstatement due to fraud that are signicant deciencies or ma-

terial weaknesses.

[Paragraph renumbered and amended, effective for audits of nancial state-

ments for periods ending on or after December 15, 2021, by SAS No. 135.]

Communications to Regulatory and Enforcement Authorities

(Ref: par. .42)

.A73 The auditor's professional duty to maintain the condentiality of

client information may preclude reporting fraud to a party outside the client

See section 265, Communicating Internal Control Related Matters Identied in an Audit.

192 General Principles and Responsibilities

entity. However, in certain circumstances, the duty of condentiality may be

overridden by statute, regulation, courts of law, specic requirements of audits

of entities that receive government nancial assistance, or waived by agree-

ment. In some circumstances, the auditor has a statutory duty to report the

occurrence of fraud to supervisory authorities. Also, in some circumstances, the

auditor has a duty to report misstatements to authorities in those cases when

management and those charged with governance fail to take corrective action.

[Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

.A74 The auditor may consider it appropriate to obtain legal advice to de-

termine the appropriate course of action in the circumstances, the purpose of

which is to ascertain the steps necessary in considering the public interest as-

pects of identied fraud. [Paragraph renumbered by the issuance of SAS No.

135, May 2019.]

Considerations Speciﬁc to Governmental Entities and Not-for-Proﬁt

Organizations

.A75 For governmental entities and not-for-prot organizations, require-

ments for reporting fraud, whether or not discovered through the audit process,

may be subject to specic provisions of the audit mandate or related law or reg-

ulation. [Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

Consideration of Fraud in a Financial Statement Audit 193

.A76

Appendix A—Examples of Fraud Risk Factors

(Ref: par. .11, .24, and .A30)

The fraud risk factors identied in this appendix are examples of such factors

that may be faced by auditors in a broad range of situations. Separately pre-

sented are examples relating to the two types of fraud relevant to the auditor's

consideration — that is, fraudulent nancial reporting and misappropriation

of assets. For each of these types of fraud, the risk factors are further classied

based on the three conditions generally present when material misstatements

due to fraud occur: (a) incentives and pressures, (b) opportunities, and (c)at-

titudes and rationalizations. Although the risk factors cover a broad range of

situations, they are only examples and, accordingly, the auditor may identify

additional or different risk factors. Not all of these examples are relevant in

all circumstances, and some may be of greater or lesser signicance in entities

of different size or with different ownership characteristics or circumstances.

Also, the order of the examples of risk factors provided is not intended to reect

their relative importance or frequency of occurrence.

Risk Factors Relating to Misstatements Arising From

Fraudulent Financial Reporting

The following are examples of risk factors relating to misstatements arising

from fraudulent nancial reporting.

Incentives and Pressures

Financial stability or protability is threatened by economic, industry, or entity

operating conditions, such as (or as indicated by) the following:

•

High degree of competition or market saturation, accompanied by

declining margins

•

High vulnerability to rapid changes, such as changes in technol-

ogy, product obsolescence, or interest rates

•

Signicant declines in customer demand and increasing business

failures in either the industry or overall economy

•

Operating losses making the threat of bankruptcy, foreclosure, or

hostile takeover imminent

•

Recurring negative cash ows from operations or an inability to

generate cash ows from operations while reporting earnings and

earnings growth

•

Rapid growth or unusual protability especially compared to that

of other companies in the same industry

•

New accounting, statutory, or regulatory requirements

Excessive pressure exists for management to meet the requirements or expec-

tations of third parties due to the following:

•

Protability or trend level expectations of investment analysts,

institutional investors, signicant creditors, or other external par-

ties (particularly expectations that are unduly aggressive or un-

realistic), including expectations created by management in, for

194 General Principles and Responsibilities

example, overly optimistic press releases or annual report mes-

sages

•

Need to obtain additional debt or equity nancing to stay compet-

itive — including nancing of major research and development or

capital expenditures

•

Marginal ability to meet exchange listing requirements or debt

repayment or other debt covenant requirements

•

Perceived or real adverse effects of reporting poor nancial re-

sults on signicant pending transactions, such as business com-

binations or contract awards

•

A need to achieve nancial targets required in bond covenants

•

Pressure for management to meet the expectations of legislative

or oversight bodies or to achieve political outcomes, or both

Information available indicates that the personal nancial situation of manage-

ment or those charged with governance is threatened by the entity's nancial

performance arising from the following:

•

Signicant nancial interests in the entity

•

Signicant portions of their compensation (for example, bonuses,

stock options, and earn-out arrangements) being contingent upon

achieving aggressive targets for stock price, operating results, -

nancial position, or cash ow

•

Personal guarantees of debts of the entity

Management or operating personnel are under excessive pressure to meet -

nancial targets established by those charged with governance, including sales

or protability incentive goals.

Opportunities

The nature of the industry or the entity's operations provides opportunities to

engage in fraudulent nancial reporting that can arise from the following:

•

Related party transactions that are also signicant unusual trans-

actions

•

Signicant transactions with related parties whose nancial

statements are not audited or are audited by another rm

•

A strong nancial presence or ability to dominate a certain indus-

try sector that allows the entity to dictate terms or conditions to

suppliers or customers that may result in inappropriate or non-

arm's-length transactions

•

Assets, liabilities, revenues, or expenses based on signicant esti-

mates that involve subjective judgments or uncertainties that are

difcult to corroborate

•

Signicant or highly complex transactions or signicant unusual

transactions, especially those close to period end that pose difcult

"substance over form" questions

Management incentive plans may be contingent upon achieving targets relating only to certain

accounts or selected activities of the entity, even though the related accounts or activities may not be

material to the entity as a whole.

Consideration of Fraud in a Financial Statement Audit 195

•

Signicant operations located or conducted across jurisdictional

borders where differing business environments and regulations

exist

•

Use of business intermediaries for which there appears to be no

clear business justication

•

Signicant bank accounts or subsidiary or branch operations in

tax-haven jurisdictions for which there appears to be no clear busi-

ness justication

•

Contractual arrangements lacking a business purpose

The monitoring of management is not effective as a result of the following:

•

Domination of management by a single person or small group (in

a nonowner-managed business) without compensating controls.

•

Oversight by those charged with governance over the nancial re-

porting process and internal control is not effective.

•

The exertion of dominant inuence by or over a related party.

The organizational structure is complex or unstable, as evidenced by the fol-

lowing:

•

Difculty in determining the organization or individuals that

have controlling interest in the entity

•

Overly complex organizational structure involving unusual legal

entities or managerial lines of authority

•

High turnover of senior management, legal counsel, or those

charged with governance

Internal control components are decient as a result of the following:

•

Inadequate monitoring of controls, including automated controls

and controls over interim nancial reporting (when external re-

porting is required)

•

High turnover rates or employment of staff in accounting, IT, or

the internal audit function who are not effective

•

Accounting and information systems that are not effective, includ-

ing situations involving signicant deciencies or material weak-

nesses in internal control

•

Weak controls over budget preparation and development and com-

pliance with law or regulation.

Attitudes and Rationalizations

•

Communication, implementation, support, or enforcement of the

entity's values or ethical standards by management, or the com-

munication of inappropriate values or ethical standards that are

not effective.

•

Nonnancial management's excessive participation in or preoccu-

pation with the selection of accounting policies or the determina-

tion of signicant estimates.

•

Known history of violations of securities law or other law or reg-

ulation, or claims against the entity, its senior management, or

those charged with governance alleging fraud or violations of law

or regulation.

196 General Principles and Responsibilities

•

Excessive interest by management in maintaining or increasing

the entity's stock price or earnings trend.

•

The practice by management of committing to analysts, creditors,

and other third parties to achieve aggressive or unrealistic fore-

casts.

•

Management failing to remedy known signicant deciencies or

material weaknesses in internal control on a timely basis.

•

An interest by management in employing inappropriate means to

minimize reported earnings for tax-motivated reasons.

•

Low morale among senior management.

•

The owner-manager makes no distinction between personal and

business transactions.

•

Dispute between shareholders in a closely held entity.

•

Recurring attempts by management to justify marginal or inap-

propriate accounting on the basis of materiality.

•

A strained relationship between management and the current or

predecessor auditor, as exhibited by the following:

— Frequent disputes with the current or predecessor auditor

on accounting, auditing, or reporting matters

— Unreasonable demands on the auditor, such as unrealistic

time constraints regarding the completion of the audit or

the issuance of the auditor's report

— Restrictions on the auditor that inappropriately limit ac-

cess to people or information or the ability to communicate

effectively with those charged with governance

— Domineering management behavior in dealing with the

auditor, especially involving attempts to inuence the

scope of the auditor's work or the selection or continuance

of personnel assigned to or consulted on the audit engage-

ment

Risk Factors Arising From Misstatements Arising

From Misappropriation of Assets

Risk factors that relate to misstatements arising from misappropriation of as-

sets are also classied according to the three conditions generally present when

fraud exists: incentives and pressures, opportunities, and attitudes and ratio-

nalization. Some of the risk factors related to misstatements arising from fraud-

ulent nancial reporting also may be present when misstatements arising from

misappropriation of assets occur. For example, ineffective monitoring of man-

agement and other deciencies in internal control that are not effective may

be present when misstatements due to either fraudulent nancial reporting

or misappropriation of assets exist. The following are examples of risk factors

related to misstatements arising from misappropriation of assets.

Incentives and Pressures

Personal nancial obligations may create pressure on management or employ-

ees with access to cash or other assets susceptible to theft to misappropriate

those assets.

Consideration of Fraud in a Financial Statement Audit 197

Adverse relationships between the entity and employees with access to cash or

other assets susceptible to theft may motivate those employees to misappro-

priate those assets. For example, adverse relationships may be created by the

following:

•

Known or anticipated future employee layoffs

•

Recent or anticipated changes to employee compensation or ben-

et plans

•

Promotions, compensation, or other rewards inconsistent with ex-

pectations

Opportunities

Certain characteristics or circumstances may increase the susceptibility of as-

sets to misappropriation. For example, opportunities to misappropriate assets

increase when the following exist:

•

Large amounts of cash on hand or processed

•

Inventory items that are small in size, of high value, or in high

demand

•

Easily convertible assets, such as bearer bonds, diamonds, or com-

puter chips

•

Fixed assets that are small in size, marketable, or lack observable

identication of ownership

Inadequate internal control over assets may increase the susceptibility of mis-

appropriation of those assets. For example, misappropriation of assets may oc-

cur because the following exist:

•

Inadequate segregation of duties or independent checks

•

Inadequate oversight of senior management expenditures, such

as travel and other reimbursements

•

Inadequate management oversight of employees responsible for

assets (for example, inadequate supervision or monitoring of re-

mote locations)

•

Inadequate job applicant screening of employees with access to

assets

•

Inadequate record keeping with respect to assets

•

Inadequate system of authorization and approval of transactions

(for example, in purchasing)

•

Inadequate physical safeguards over cash, investments, inventory,

or xed assets

•

Lack of complete and timely reconciliations of assets

•

Lack of timely and appropriate documentation of transactions (for

example, credits for merchandise returns)

•

Lack of mandatory vacations for employees performing key con-

trol functions

•

Inadequate management understanding of IT, which enables IT

employees to perpetrate a misappropriation

•

Inadequate access controls over automated records, including con-

trols over and review of computer systems event logs

198 General Principles and Responsibilities

Attitudes and Rationalizations

•

Disregard for the need for monitoring or reducing risks related to

misappropriations of assets

•

Disregard for internal control over misappropriation of assets by

overriding existing controls or by failing to take appropriate re-

medial action on known deciencies in internal control

•

Behavior indicating displeasure or dissatisfaction with the entity

or its treatment of the employee

•

Changes in behavior or lifestyle that may indicate assets have

been misappropriated

•

The belief by some government or other ofcials that their level

of authority justies a certain level of compensation and personal

privileges

•

Tolerance of petty theft

[As amended, effective for audits of nancial statements for periods ending

on or after December 15, 2014, by SAS No. 128. Paragraph renumbered and

amended, effective for audits of nancial statements for periods ending on or

after December 15, 2021, by SAS No. 135.]

Consideration of Fraud in a Financial Statement Audit 199

.A77

Appendix B—Examples of Possible Audit Procedures to

Address the Assessed Risks of Material Misstatement

Due to Fraud (Ref: par. .22 and .A46)

The following are examples of possible audit procedures to address the assessed

risks of material misstatement due to fraud resulting from both fraudulent -

nancial reporting and misappropriation of assets. Although these procedures

cover a broad range of situations, they are only examples and, accordingly, they

may not be the most appropriate nor necessary in each circumstance. Also

the order of the procedures provided is not intended to reect their relative

importance.

Consideration at the Assertion Level

Specic responses to the auditor's assessment of the risks of material misstate-

ment due to fraud will vary depending upon the types or combinations of fraud

risk factors or conditions identied, and the classes of transactions, account

balances, disclosures, and assertions they may affect.

The following are specic examples of responses:

•

Visiting locations or performing certain tests on a surprise or

unannounced basis (for example, observing inventory at locations

where auditor attendance has not been previously announced or

counting cash at a particular date on a surprise basis)

•

Requesting that inventories be counted at the end of the report-

ing period or on a date closer to period end to minimize the risk of

manipulation of balances in the period between the date of com-

pletion of the count and the end of the reporting period

•

Altering the audit approach in the current year (for example, con-

tacting major customers and suppliers orally in addition to send-

ing written conrmation, sending conrmation requests to a spe-

cic party within an organization, or seeking more or different

information)

•

Performing a detailed review of the entity's quarter-end or year-

end adjusting entries and investigating any that appear to have

an unusual nature or amount

•

For signicant and unusual transactions, particularly those oc-

curring at or near year end, investigating the possibility of re-

lated parties and the sources of nancial resources supporting the

transactions

•

Performing substantive analytical procedures using disaggre-

gated data (for example, comparing sales and cost of sales by lo-

cation, line of business, or month to expectations developed by the

auditor)

•

Conducting interviews of personnel involved in areas in which a

risk of material misstatement due to fraud has been identied, to

obtain their insights about the risk, and whether, or how, controls

address the risk

•

When other independent auditors are auditing the nancial

statements of one or more subsidiaries, divisions, or branches,

200 General Principles and Responsibilities

discussing with them the extent of work necessary to be per-

formed to address the assessed risk of material misstatement due

to fraud resulting from transactions and activities among these

components

•

If the work of an expert becomes particularly signicant with re-

spect to a nancial statement item for which the assessed risk of

misstatement due to fraud is high, performing additional proce-

dures relating to some or all of the expert's assumptions, methods,

or ndings to determine that the ndings are not unreasonable,

or engaging another expert for that purpose

•

Performing audit procedures to analyze selected opening balance

sheet accounts of previously audited nancial statements to as-

sess how certain issues involving accounting estimates and judg-

ments, for example, an allowance for sales returns, were resolved

with the benet of hindsight

•

Performing procedures on account or other reconciliations pre-

pared by the entity, including considering reconciliations per-

formed at interim periods

•

Performing computer-assisted techniques, such as data mining to

test for anomalies in a population

•

Testing the integrity of computer-produced records and transac-

tions

•

Seeking additional audit evidence from sources outside of the en-

tity being audited

Speciﬁc Responses— Misstatement Resulting From

Fraudulent Financial Reporting

Examples of responses to the auditor's assessment of the risks of material mis-

statement due to fraudulent nancial reporting are as follows:

Revenue Recognition

•

Performing substantive analytical procedures relating to revenue

using disaggregated data; for example, comparing revenue re-

ported by month and by product line or business segment dur-

ing the current reporting period with comparable prior periods or

with revenue related to cash collections (computer-assisted audit

techniques may be useful in identifying unusual or unexpected

revenue relationships or transactions)

•

Conrming with customers certain relevant contract terms and

the absence of side agreements because the appropriate account-

ing often is inuenced by such terms or agreements and basis for

rebates or the period to which they relate are often poorly docu-

mented (for example, acceptance criteria, delivery and payment

terms, the absence of future or continuing vendor obligations, the

right to return the product, guaranteed resale amounts, and can-

cellation or refund provisions often are relevant in such circum-

stances)

•

Inquiring of the entity's sales and marketing personnel or in-

house legal counsel regarding sales or shipments near the end of

the period and their knowledge of any unusual terms or conditions

associated with these transactions

Consideration of Fraud in a Financial Statement Audit 201

•

Being physically present at one or more locations at period end

to observe goods being shipped or being readied for shipment (or

returns awaiting processing) and performing other appropriate

sales and inventory cutoff procedures

•

For those situations for which revenue transactions are electron-

ically initiated, processed, and recorded, testing controls to de-

termine whether they provide assurance that recorded revenue

transactions occurred and are properly recorded

Inventory Quantities

•

Examining the entity's inventory records to identify locations or

items that require specic attention during or after the physical

inventory count

•

Observing inventory counts at certain locations on an unan-

nounced basis or conducting inventory counts at all locations on

the same date

•

Conducting inventory counts at or near the end of the reporting

period to minimize the risk of inappropriate manipulation during

the period between the count and the end of the reporting period

•

Performing additional procedures during the observation of the

count; for example, more rigorously examining the contents of

boxed items, the manner in which the goods are stacked (for ex-

ample, hollow squares) or labeled, and the quality (that is, purity,

grade, or concentration) of liquid substances such as perfumes or

specialty chemicals (using the work of an expert may be helpful

in this regard)

•

Comparing the quantities for the current period with prior peri-

ods by class or category of inventory, location or other criteria, or

comparison of quantities counted with perpetual records

•

Using computer-assisted audit techniques to further test the com-

pilation of the physical inventory counts (for example, sorting by

tag number to test tag controls or by item serial number to test

the possibility of item omission or duplication)

Management Estimates

•

Using an expert to develop an independent estimate for compari-

son to management's estimate

•

Extending inquiries to individuals outside of management and

the accounting department to corroborate management's ability

and intent to carry out plans that are relevant to developing the

estimate

Speciﬁc Responses — Misstatements Due to Misappropriation

of Assets

Differing circumstances would necessarily dictate different responses. Ordinar-

ily, the audit response to an assessed risk of material misstatement due to fraud

relating to misappropriation of assets will be directed toward certain account

balances and classes of transactions. Although some of the audit responses

noted in the preceding two categories may apply in such circumstances, the

scope of the work is to be linked to the specic information about the misappro-

priation risk that has been identied.

202 General Principles and Responsibilities

Examples of responses to the auditor's assessment of the risk of material mis-

statements due to misappropriation of assets are as follows:

•

Counting cash or securities at or near year end

•

Conrming directly with customers the account activity (includ-

ing credit memo and sales return activity as well as dates pay-

ments were made) for the period under audit

•

Analyzing recoveries of written-off accounts

•

Analyzing inventory shortages by location or product type

•

Comparing key inventory ratios to industry norm

•

Reviewing supporting documentation for reductions to the perpet-

ual inventory records

•

Performing a computerized match of the vendor list with a list of

employees to identify matches of addresses or phone numbers

•

Performing a computerized search of payroll records to identify

duplicate addresses, employee identication or taxing authority

numbers, or bank accounts

•

Reviewing personnel les for those that contain little or no evi-

dence of activity; for example, lack of performance evaluations

•

Analyzing sales discounts and returns for unusual patterns or

trends

•

Conrming specic terms of contracts with third parties

•

Obtaining evidence that contracts are being carried out in accor-

dance with their terms

•

Reviewing the propriety of large and unusual expenses

•

Reviewing the authorization and carrying value of senior manage-

ment and related party loans

•

Reviewing the level and propriety of expense reports submitted

by senior management

[Paragraph renumbered by the issuance of SAS No. 135, May 2019.]

Consideration of Fraud in a Financial Statement Audit 203

.A78

Appendix C—Examples of Circumstances That Indicate

the Possibility of Fraud (Ref: par. .11, .A11, and .A57)

The following are examples of circumstances that may indicate the possibility

that the nancial statements may contain a material misstatement resulting

from fraud.

Discrepancies in the accounting records, including the following:

•

Transactions that are not recorded in a complete or timely manner

or are improperly recorded by amount, accounting period, classi-

cation, or entity policy

•

Unsupported or unauthorized balances or transactions

•

Last minute adjustments that signicantly affect nancial results

•

Evidence of employees' access to systems and records inconsistent

with that necessary to perform their authorized duties

•

Tips or complaints to the auditor about alleged fraud

Conicting or missing evidence, including the following:

•

Missing documents

•

Documents that appear to have been altered

•

Unavailability of other than photocopied or electronically trans-

mitted documents when documents in original form are expected

to exist

•

Signicant unexplained items on reconciliations

•

Unusual balance sheet changes, or changes in trends or impor-

tant nancial statement ratios or relationships; for example, re-

ceivables growing faster than revenues

•

Inconsistent, vague, or implausible responses from management

or employees arising from inquiries or analytical procedures

•

Unusual discrepancies between the entity's records and conrma-

tion replies

•

Large numbers of credit entries and other adjustments made to

accounts receivable records

•

Unexplained or inadequately explained differences between the

accounts receivable subledger and the control account, or between

the customer statements and the accounts receivable subledger

•

Missing or nonexistent cancelled checks in circumstances in which

cancelled checks are ordinarily returned to the entity with the

bank statement

•

Missing inventory or physical assets of signicant magnitude

•

Unavailable or missing electronic evidence, inconsistent with the

entity's record retention practices or policies

•

Fewer responses to conrmations than anticipated or a greater

number of responses than anticipated

204 General Principles and Responsibilities

•

Inability to produce evidence of key systems development and pro-

gram change testing and implementation activities for current-

year system changes and deployments

Conditions relating to governmental entities or not-for-prot organizations:

•

Signicant transfers or transactions between funds or programs,

or both, lacking supporting documents

•

Abnormal budget conditions, such as

— signicant budget adjustments

— requests for additional funding

— budget adjustments made without approval

— large amounts of over-or-under spending

— programs with an emphasis on spending money quickly

•

Procurement conditions, such as

— lack of procurement legislation

— recent changes to procurement legislation

— complex or unclear legislation

— involvement of signicant monetary amounts (such as in

the defense area)

— investigation by regulatory authorities

— complaints received from potential suppliers about ques-

tionable practices related to awarding of contracts

— former governmental ofcials functioning as executives of

companies to which contracts have been awarded

•

Program conditions, such as

— newly implemented programs without existing manage-

ment and accountability structures

— programs established for political purposes

— programs established to deal with an immediate emer-

gency or crisis

— programs experiencing unusual growth due to conditions

beyond the control of management

•

Grant and donor funding conditions, such as

— noncompliance with grant requirements

— unclear grant requirements

— grants not reaching the intended recipient

— complaints from intended recipients or interest groups,

and lack of monitoring of grantee compliance with appli-

cable law or regulation

Problematic or unusual relationships between the auditor and management,

including the following:

•

Denial of access to records, facilities, certain employees, cus-

tomers, vendors, or others from whom audit evidence might be

sought

Consideration of Fraud in a Financial Statement Audit 205

•

Undue time pressures imposed by management to resolve com-

plex or contentious issues

•

Complaints by management about the conduct of the audit or

management intimidation of engagement team members, partic-

ularly in connection with the auditor's critical assessment of au-

dit evidence or in the resolution of potential disagreements with

management

•

Unusual delays by the entity in providing requested information

•

Unwillingness to facilitate auditor access to key electronic les for

testing through the use of computer-assisted audit techniques

•

Denial of access to key IT operations staff and facilities, including

security, operations, and systems development personnel

•

An unwillingness to add or revise disclosures in the nancial

statements to make them more complete and understandable

•

An unwillingness to address identied deciencies in internal con-

trol on a timely basis

Other circumstances, including the following:

•

Unwillingness by management to permit the auditor to meet pri-

vately with those charged with governance

•

Accounting policies that appear to be at variance with industry

norms

•

Frequent changes in accounting estimates that do not appear to

result from changed circumstances

•

Tolerance of violations of the entity's code of conduct

[Paragraph renumbered by the issuance of SAS No. 135, May 2019.]