In this blog, we set out our views on how the new requirement for Directors to disclose a statement on fraud measures may affect the audit approach and the auditor’s inquiries of Directors and Those Charged with Governance.
The Government’s response in its Restoring trust in audit and corporate governance consultation confirms it is not currently planning to substantially change auditors’ responsibilities in respect of fraud. The consultation response indicates the Government intends to adopt a “wait and see” approach as auditors in the UK implement recent substantial updates to auditing standards, such as ISA 240: The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements, and ISA 250 which considers laws and regulations. There will however be a need for auditors to identify and report material inconsistencies in the new Directors’ statement on fraud measures, the report which requires Directors to describe their actions to detect and prevent material fraud.
The Government’s view is that significant factual errors in the fraud statement should be readily identified by auditors as there are already existing requirements for auditors to understand an entity’s control environment. What the consultation response doesn’t refer to is that 2022 is the first full year of the significantly updated auditing standard on ISA 315 Identifying and Assessing the Risks of Material Misstatement, the standard which requires auditors to develop an understanding of the entity and its environment and entity’s system of internal control. This standard is currently significantly driving up audit fees.
There is no clear indication of what the Director’s fraud statement should include, the consultation indicates it could be fairly wide-ranging and include a narrative on internal controls. Questions also remain about the role of auditors in evaluating the robustness and suitability of the Director’s “steps” taken to prevent and detect fraud – watch this space.
Where to start – what is fraud?
The response does not elaborate on how fraud is defined. The recent change in the concept of “material” fraud for auditors in ISA 240 to include a “fraud or suspected fraud by a key member of management”, may also affect how companies position their own definition and how auditor's challenge whether the definition is appropriate.
Assess fraud risk vulnerabilities, / consider and document the existing fraud risk assessment
This step is the most fundamental and is likely to be the tipping point between what companies do well, and what they don’t – consider and document the existing fraud risk assessment.
The auditor cannot assist management prepare the assessment but under the revised ISA 240 there is a new requirement for the auditor to have a discussion with “those charged with governance about the risks of fraud in the entity, including those specific to the entity's business sector”. Management will therefore need to ensure it provides these senior stakeholders with sufficient information and an understanding of fraud risks and the company’s responses to risks in advance of the discussion with the auditor.
Support the fraud risk assessment with a strong fraud risk management framework
With a strong understanding of relevant fraud risks, Directors can then identify and evaluate the operating effectiveness of the processes or “steps” to prevent and detect fraud. This “gap” analysis to map the existing framework to actions and responsive controls is necessary to identify any weaknesses. In our view, Directors should also look to update their “gap” analysis at least annually to consider whether the company’s fraud responses would identify new fraud mechanisms in the same or a comparable industry.
Auditors will need to challenge Directors as to the robustness of the gap analysis, particularly in light of their own experience of how frauds have been perpetrated by organisations in similar industries. Larger audit firms may also be able to draw on Forensic assistance and international experience with fraud schemes known to member firms to provide a more vigorous level of challenge.
Is your whistleblowing process fit-for-purpose?
Whistleblowing or internal mechanisms for reporting fraud continue to be a substantial mechanism for detecting fraud. As envisaged in the updated ISA 240, Directors should anticipate a greater focus on evaluation by the auditor, supported by Forensic specialists as required, of management’s response to investigating actual and suspect frauds raised through whistleblowing channels.