As unintentional soundbites go, it could not have had more impact on the future of audit. ‘We are not looking for fraud’ – that’s what David Dunckley, CEO of Grant Thornton, told the UK’s Business, Energy and Industrial Strategy Committee hearing on the Future of Audit in January 2019.
It still resonates. Sir Donald Brydon’s 2019 review of audit quality and effectiveness devoted a chapter to fraud, and now the Financial Reporting Council has proposed revisions to the standard that deals with the auditor’s responsibilities relating to fraud, ISA (UK) 240.
The problem is not that auditors have ever been excused from looking for fraud; it has always stood alongside error as an obvious source of material misstatement of financial performance. It is that the standard has been interpreted as allowing auditors to get their excuses in first: the sophisticated nature of some frauds, collusion of key people and so on can make it difficult to detect.
The proposed revisions not only reduce the scope for hiding behind such sophistry; they set out ways in which an auditor can better identify, assess and gather evidence on the risk of fraudulent misstatements by those running the company.
This includes further reinforcement of the need to look for contradictory as well as corroborative evidence, and to consider whether the numbers are plausible – if it looks too good to be true, it probably is.
One of the questions in the FRC’s consultation is whether there should be a specific requirement to discuss the risks of fraud with board members. The answer is yes
Quality as well as quantity
There is a welcome emphasis on qualitative as well as quantitative factors, notably in the engagement team’s discussions. In what ways are this company’s financial statements ‘susceptible’ to fraud? How might it occur? What are the incentives, or pressures, that might lead management or others to commit or conceal fraud?
One of the questions in the FRC’s consultation is whether there should be a specific requirement to discuss the risks of fraud with board members. The answer is yes.
This chimes with Brydon’s addition of ‘professional suspicion’ to the familiar concept of scepticism. He recommended that auditors should be trained in forensic accounting and fraud awareness.
Another important strand in the debate is the way that ‘earnings management’, starting with small adjustments, can pave the way for fraudulent reporting when management is under pressure. A perennial concern for auditors is the ability of management to override controls.
In short, what’s not to like? One thing that nags me, though, is the term ‘reasonable assurance’. Both regulators and auditors reckon this is a high bar – and it is an important reminder that auditors check the work of others: they are not the potential perpetrators.
But does it pass the expectations test? It would be better if the objective said that the auditor should obtain a high level of assurance that the financial statements are free from material misstatements.
The UK is taking a welcome lead in revising this 16-year-old standard. The International Auditing and Assurance Standards Board should follow.