
What are the auditor's responsibilities for fraud?

The occurrence of many accounting scandals has led investors and users of financial information to ask how far auditors are responsible for those scandals. Under most generally accepted auditing standards, the auditor’s responsibilities are limited to the financial statements only.


ISA 240 – The auditor’s responsibilities relating to fraud in an audit of financial statements, issued by the IAASB (International Auditing and Assurance Standards Board), gives detailed guidance on this matter. Although the guidance is detailed, most of it focuses on technical matters that guide the auditor in planning, designing and responding to risks in order to obtain reasonable assurance on the financial statements as a whole; it does not clearly state the extent of the auditor’s responsibilities for fraud detection and its potential impact. This is because, when a scandal occurs and causes severe financial impact to investors, the responsibility of each party involved (including the auditor) is treated as a legal matter under the local jurisdiction.


What are the auditor's responsibilities regarding fraud?

ISA 240 states that:




This means the primary responsibility for preventing and detecting fraud rests with management and those charged with governance of the company. Management is responsible for designing, implementing and maintaining internal control to prevent and detect fraud. That responsibility is not the auditor’s.


So what is the auditor’s role in respect of fraudulent activities?


ISA 240, paragraph 5 states that:




In an audit of financial statements, the auditor’s responsibilities are limited to the financial statements only. More precisely, the auditor’s responsibility is to plan and conduct the audit to obtain reasonable assurance (not absolute assurance) that the financial statements are free from material misstatements, whether due to error or fraud. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by error or fraud, that are not material to the financial statements are detected.


However, due to the limitations of an audit and potential audit risks (inherent risk, control risk and detection risk), material misstatements might still exist even when the audit is planned and conducted in accordance with ISAs.



Which procedures is the auditor required to perform to respond to material misstatements due to fraud under ISA 240?


ISA 240 requires the auditor to perform the following procedures to respond properly to the risk of material misstatement due to fraud:


- Always maintain professional skepticism throughout the audit and investigate all inconsistencies and irregularities. However, unless the auditor has reason to believe the contrary, the auditor may accept records and documents as genuine.


- Hold a discussion among the engagement team to focus the team’s attention on the possibility and extent of potential misstatement due to fraud.


- Perform risk assessment by obtaining an understanding of the company and its environment. For example, obtain information on management’s understanding and implementation of fraud prevention and detection and on the understanding and oversight of those charged with governance, and identify unusual or suspicious relationships.


- After assessing the risk of potential fraudulent activities, the auditor shall identify and assess the risks of material misstatement due to fraud at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.


- Respond to the assessed risks by designing and performing audit procedures that address them. Among these, risks related to management override of controls often give rise to material misstatements in the financial statements.


- Evaluate whether the audit evidence is sufficient and strong enough to address the assessed risks.


- Obtain written representations from management acknowledging their responsibility to design, implement and maintain internal control to prevent and detect fraud, and confirming their awareness of, and disclosure to the auditor of, any suspected or identified fraud.


- Communicate identified fraud to the relevant level of management and to those charged with governance.


- Communicate to regulatory authorities (if eligible to do so).


- Documentation (which is compulsory in any audit): the auditor must obtain and file documentation of the understanding of the entity and its environment in respect of fraud assessment, the team discussion of potential fraud, the risk assessment and the audit procedures performed in response to the risks, and the communication with management on fraud. These are called audit evidence.



References

ISA 240 - The auditor’s responsibilities relating to fraud in an audit of financial statements
