General Themes
The review identified as a common failing an inadequate consideration of fraud risk factors, defined as events or conditions that indicate an incentive to commit fraud or the opportunity to do so. The FRC also found little evidence that the design and implementation of controls intended to mitigate fraud risks are being evaluated by auditors.
Auditors, it is said, continue to demonstrate a lack of appropriate professional scepticism, assuming instead that fraud is unlikely to occur at the entity they are auditing.
Firms tend, according to the FRC, to apply fraud risk assessment procedures uniformly across audits, rather than tailoring them to the individual entity being audited, as they should.
The review complains of insufficient discussion of fraud risk factors with Audit Committees and with management, including those outside the finance function. The FRC reminds auditors, however, that discussion with management is not sufficient to address the risk of fraud unless corroborating evidence is also obtained.
With regard to legal compliance, the FRC found that not all laws and regulations relevant to the audited entity are being identified by auditors.
Specific Areas
The FRC considers that analysis of fraud risk factors is particularly deficient in failing to assess properly the level of risk associated with management override of controls. Special attention should be paid to potential motivating factors that may persuade management to manipulate figures.
The FRC states that it is not enough to compare like items in the income statement and balance sheet with previous year figures. It calls for auditors to pay more attention to other measures, including cash flow and other ratio analysis, as well as key performance indicators on which management remuneration may be based. Additional measures, such as comparison with other firms in the same industry, may be particularly appropriate in audits of listed companies.
Extensive weaknesses were identified in journal controls undertaken as part of many of the reviewed audits. The FRC encourages increased use of computer-assisted audit techniques (CAATs) as part of journal control.
The FRC found that auditors tended to consider ‘aggressive earnings management’ to be a positive factor, but states that such aggressive earnings management should itself be considered a fraud risk indicator.
Attention is drawn to the need for auditors to improve their identification and assessment of laws and regulations affecting the audited entity, including, in particular, consideration of the UK Bribery Act 2010. Few of the reviewed audits covered this adequately, and the FRC believes that better training of audit staff in respect of the potential consequences of the Bribery Act 2010 is required.
Conclusion
Auditing firms need to ensure that practice in the field reflects written policies and that these are applied consistently. The engagement partner must take an active, leading role in assessing risk factors relating to fraud and regulatory non-compliance. Co-ordinated discussion of fraud risk factors amongst the whole audit team is required, supported by forensic specialists where appropriate. These discussions should be documented.
Routine compliance by auditors with ISA 240 procedures alone is not necessarily sufficient. Auditors must ensure that planned audit procedures are responsive to risks identified for the particular entity being audited, especially in the case of potential management override. Journal review is an area requiring particular attention.
Auditors need to discuss fraud risk factors and regulatory compliance with management and Audit Committees more fully than has been the norm to date. Auditors must also pay greater attention to the design of controls in place to inhibit fraud and their adequacy.
Audit firms must be mindful of the need to ensure that staff receive regular training to reflect the latest developments in fraudulent behaviour and regulatory requirements. Auditors should make use of their in-house legal teams to keep abreast of the latest regulatory and legal developments.