The auditor's responsibilities relating to fraud in an audit of financial statements have been further clarified by the updating of the UK auditing standard ISA 240. It is expected that the Irish Auditing and Accounting Supervisory Authority (IAASA) will issue a similar revision in Ireland.
The revised standard makes auditors’ obligations clearer, enhances the risk assessment they carry out, and sets clearer requirements for what the auditor then does. ISA 240 has been described as 'a balancing act between managing, or possibly lowering, expectations whilst seeking to avoid going so far as to affect significantly users’ perceptions as to the value of audit'.
Unfortunately, fraud is frequently perpetrated by directors – the people with the primary responsibility for detecting that fraud
The person with primary responsibility for detecting fraud is the director, and the auditor's role is to provide 'reasonable assurance' about whether the financial statements as a whole are free from material misstatement due to fraud. The new standard requires additional professional scepticism, better risk assessment and a requirement to remain alert to fraud during their work.
Unfortunately, fraud is frequently perpetrated by the directors, the persons with the primary responsibility for detecting that fraud. Auditors will continue to struggle to detect well-thought-out frauds perpetrated by directors such as the one reported recently in the media.
It is difficult for accounting practices to maintain full anti-money laundering (AML) compliance during a period when multiple new laws and regulations have been issued. New guidance is being drafted and will be issued shortly, but to get ahead, the new legislation requires the following additional procedures:
- Implement a whistleblowing procedure where staff may internally report to the AML reporting officer any instances of noncompliance.
- Change engagement letters' reference to The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2010 to 2021.
- Check the Register of Beneficial Ownership (RBO) before starting work on a new corporate client.
- Extend the checks of the RBO to new trust clients once that register becomes live.
- File a report of discrepancies if the RBO is incorrect.
- If you have a politically exposed person as a client, extend your period of supervision beyond the previously required 12 months.
- Amend your standard procedures to require enhanced supervision of clients from high-risk countries.
- Amend your standard procedures to require enhanced supervision of clients with complex businesses or business structures.
- Amend your practice procedures manual to include the new whistleblowing procedure, RBO verification work and other matters above.
ACCA has created a suite of documents to support businesses in implementing a firm-wide risk assessment, a procedures manual, a customer due diligence checklist and an internal AML reporting form, as well as in providing staff training.
Mairead McGuinness, European Commissioner for Financial Stability, Financial Services and the Capital Markets Union, recently shared the plans for the next set of EU initiatives to combat money laundering. The plans are subject to confirmation, and encompass more harmonised rules and a new AML authority at EU level. The full details will be unveiled in July.
Businesses that are hit with a cyber ransomware attack can be tempted to simply pay the ransom demanded or allow their cyber insurance company to do so on their behalf. However, it should be noted that Section 7 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 states that a person commits an offence if they engage in transferring or handling property when they know or believe that it is the proceeds of criminal conduct.
Paying a ransom is transferring criminal proceeds and is a crime under anti-money laundering legislation. The penalty is a fine and up to 14 years in prison.
Any designated person – such as a bank, insurance company, accountant, cyber wallet provider or solicitor – who becomes aware that a ransom was paid by their client is obliged to make a suspicious transaction report. The client may not be told that the report was made.
A staff member in a designated business is obliged to report directly to that business's AML supervisor (the central bank or professional accounting body) if they become aware that a report was not made, or they become aware that the business itself paid a ransom and did not report themselves.
The Garda National Cybercrime bureau has reported a significant increase in the number of ransomware attacks in 2021, and states its advice will always be not to engage with cybercriminals or pay any ransom.
Learn more about the latest AML developments by attending ACCA Ireland’s Anti-Money Laundering Conference for 2021. The event will take place online on Tuesday 7 July and will be delivered by AML legislation expert Garret Wynne, principal at Garret Wynne & Co. For more details and to register, click here.