Fraud: Essential Audit Tools and Techniques HO1/media/event materials/march_2017... · Mini Case 3.2: On the Hook Towing. ... audit. • •. . controls • –, – Test the appropriateness

Copyri

ght 2

016-1

7

Fraud: Essential Audit Tools and Techniques HO1

Thomas E. Noce, CPA, CFE

Learning today. Leading tomorrow.

Copyri

ght 2

016-1

7

Fraud: Essential Audit Tools & Techniques

Thomas Noce, CPA, CFECalCPA Education Foundation

1

A Few Reminders…..

• Turn off or silence your cell phones• Today’s class will be 200 minutes

long & count for 4 hours of CPE• If you need to leave early, you must

sign the sheet located at the registration table

• Electronic evaluation will be sent within 24 hours

2

2

©2016. These materials are copyrighted and may not be reproduced or distributed in whole or in part without permission of the author/CalCPA Education Foundation.

Copyri

ght 2

016-1

7

Learning Objectives• Gain knowledge needed to comply

with professional standards relating to fraud

• Provide an overview of professional standards requirements relating to audit planning

• Provide practical implementation guidance for AU-C Sec 240

• Examine common methods of asset misappropriation & fraudulent financial reporting schemes

3

ScheduleAM SessionFrom To8:30 8:45 Section 1: Introduction & References

8:45 10:15 Section 2: Overview of Risk Assessment Standards

10:15 10:25 Break

10:25 12:00 Section 3: Considering Fraud – Thinking Like a Crook

PM SessionFrom To1:00 1:15 Section 1: Introduction & References

1:15 2:45 Section 2: Overview of Risk Assessment Standards

2:45 2:55 Break

2:55 4:30 Section 3: Considering Fraud – Thinking Like a Crook

4

3


Copyri

ght 2

016-1

7

Introduction & References

• Audit Risk Alert Summary (p.5)

• Pronouncement Summary (p. 9)

• Other Stuff (p.11)

5

Mini Case 3.2:On the Hook TowingSee case facts in handout & consider:1. What elements of the fraud triangle

are present here?2. Put yourself in Lottie’s position. How

would you steal from On the Hook Towing?

3. Are there internal control weaknesses present that management should be made aware of?

6

4


Copyri

ght 2

016-1

7

Section 2: Overview of the Risk Assessment Standards

7

Section 2Objectives1. To provide a background as to the

evolution of the “risk assessment” suite of standards

2. Gain an understanding of fundamental concepts necessary to implement risk assessment procedures

3. To compare & contrast requirements of current standards with those recently issued as clarity standards

4. To gain an understanding of the audit risk model

8

5


Copyri

ght 2

016-1

7

Changing Audit Model

9

Control SystemTransactions

Financial Statements

“Maximum Risk”

What Prompted Change?

• Perception of current methodologies– Checklist/”connect the dots”

approach to auditing– Using “default to maximum risk”

effectively took the thought process out of auditing

• Not gaining a thorough understanding of client’s internal controls

10

6


Copyri

ght 2

016-1

7

Risk Continuum

11

Risk of Material Misstatement for Any Audit Area

0% Error 100% Error

Medium HighLow

MAXIMUM RISK DEFAULT

Fundamental Concepts

• Materiality & tolerable misstatement

• Audit risk & the risk of material misstatement

• Financial statement assertions

12

7


Copyri

ght 2

016-1

7

Materiality

• Section is updated for the Clarity Standards

• Overall concept is unchanged• Some new terms & requirements

13

More than Numbers

• Materiality is determined based on the auditor’s understanding of the user needs & expectations

• User expectations may differ based on the degree of inherent uncertainty associated with the measurement of particular items in the financial statements

14

8


Copyri

ght 2

016-1

7

Preliminary Judgment of Materiality

Commercially published benchmarks

vs.

Professional judgment

Commercially published benchmarks

vs.

Professional judgment

15

Materiality: Definitions

Performance materiality –– The amount or amounts set by the auditor at less

than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected & undeleted misstatements exceeds materiality for the financial statements as a whole.

– If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures.

– Performance materiality is to be distinguished from tolerable misstatement (now appears to be reserved for audit sampling.)

16

9


Copyri

ght 2

016-1

7

Materiality: Requirements

• Establish materiality for financial statements as a whole– If appropriate, establish lower

materiality for particular areas

• Determine performance materiality• Revise all materiality levels as

appropriate based on new facts & circumstances

17

Materiality: Documentation

• Materiality for the financial statements as a whole

• If applicable, the materiality level or levels for particular classes of transactions, account balances, or disclosures

• Performance materiality • Any revision of (a) - (c) as the audit

progressed

18

10


Copyri

ght 2

016-1

7





19

Misstatements

• Errors• Fraud

– Fraudulent financial reporting– Misappropriation of assets

20

11


Copyri

ght 2

016-1

7

Audit RiskDefinition

“The risk that the auditor expresses an inappropriate audit

opinion when the financial statements are materially

misstated. Audit risk is a function of the risks of material

misstatement & detection risk”

21

Components of Audit Risk

• Financial statement level• Account balance or class of

transaction level

22

12


Copyri

ght 2

016-1

7

Components of Audit Risk:Account Balance Level• The risk (inherent & control risk)

that the relevant assertions contain misstatements that could be material to the financial statements when aggregated with misstatements

• The risk (detection risk) that the auditor will not detect such misstatements.

23

Audit Risk Model

AR RMM DR

24

This model is not intended to be a mathematical formula.

13


Copyri

ght 2

016-1

7

Auidit Risk Model

• Inherent risk & control risk are the entity’s risks to manage

• The risk of material misstatement (RMM) is the auditor’s combined assessment of inherent risk & control risk

25

RMM IR CR

Inherent Risk (IR)

“The susceptibility of an assertion to a misstatement that could be material, either individually or

when aggregated with other misstatements, assuming there are

no related controls.”

26

14


Copyri

ght 2

016-1

7

Inherent Risk Factors

• Client bias• Volume• Complexity• Susceptibility of asset to theft• Estimates• Industry circumstances• Other external factors

27

Understanding Client Bias

So, what is client bias?

28

15


Copyri

ght 2

016-1

7

Client Bias Considerations

• What is the intended use of the financial statements likely to be?

• Management’s business or financing plans

• Your prior experience with the client

• Could be indicator of primary direction of the risk– Understated– Overstated

29

Control Risk (CR)

“The risk that a misstatement could occur in a relevant assertion

that could either be material, individually or when aggregated

with other misstatements, & would not be prevented or detected on a timely basis by the entity's internal

control.”

30

16


Copyri

ght 2

016-1

7

Detection Risk (DR)

• Risk that the auditor will not detect a material misstatement that , either individually or when aggregated – Is a function of the effectiveness of

an audit procedures & of its application by the auditor

– Cannot be reduced to zero

31

To Summarize…

• AR = RMM x DR• RMM = IR + CR

Relevant Assertion E C VRMM L M H

DR(Audit tests)

AR L L L

32

17


Copyri

ght 2

016-1

7

To Test or Not to Test?

• AR = RMM x DRRMM = IR + CR

L = H + LRelevant Assertion E C VRMM L M H

DR(Audit tests)

AR L L L

33





34

18


Copyri

ght 2

016-1

7

Using Assertions

An assertion is a declaration or positive statement (implicit or explicit) made by management about the financial statement

information presented

35

Assertions Relevant to Account Balances• Existence - Assets, liabilities, & equity

interests exist.

• Completeness - All assets, liabilities, & equity interests that should have been recorded have been recorded.

• Rights & obligations - The entity holds or controls the rights to assets, & liabilities are the obligations of the entity.

• Valuation & allocation - Included in the financial statements at appropriate amounts & any resulting valuation or allocation adjustments are appropriately recorded.

36

19


Copyri

ght 2

016-1

7

Assertions Relevant toClass of Transactions• Occurrence - Transactions & events that

have been recorded have occurred & pertain to the entity.

• Completeness - All transactions & events that should have been recorded have been recorded.

• Accuracy - Amounts & other data relating to recorded transactions & events have been recorded appropriately.

• Cutoff - Transactions & events have been recorded in the correct accounting period.

• Classification - Transactions & events have been recorded in the proper accounts.

37

Assertions Relevant toPresentation & Disclosure• Occurrence & rights & obligations -

Disclosed events & transactions have occurred & pertain to the entity.

• Completeness - All disclosures that should have been included in the financial statements have been included.

• Classification & understandability -Financial information is appropriately presented & described & disclosures are clearly expressed.

• Accuracy & valuation - Financial & other information are disclosed fairly & at appropriate amounts.

38

20


Copyri

ght 2

016-1

7

Relevant Assertions

“For each significant class of transactions, account balance, & presentation & disclosure, the auditor should determine the

relevance of each of the financial statement assertions.”

39

Applying the Audit Risk Model

40

21


Copyri

ght 2

016-1

7

Applying the Audit Risk Model• Gather information about the entity &

its environment, including internal control

• Gain an understanding about the entity & its environment, including internal control

• Assess the risk of material misstatement (including fraud risk!)

• Design & perform overall responses & further audit procedures

• Evaluate audit findings

41

Step 1:Risk Assessment ProceduresPerformed to obtain an understanding of the entity & its environment, including its internal control, ultimately to assess the risks of material misstatement at the financial statement & relevant assertion levels include:

– Inquiries of management & others within the entity

– Analytical procedures– Observation & inspection– Discussion among the audit team

42

22


Copyri

ght 2

016-1

7

Step 2: Understanding the Entity & Its Environment

Obtain & Support an

Understanding of the Entity & Its Environment

Nature of the Entity

Business Processes

Measurement & Performance

Objectives & Strategies

Governance

Management

Industry, Regulatory, & Other External

Factors

43

Step 3: Assess Risk of Material Misstatement

Identify significant business risks that may result in material misstatements

Identify other risks that may result in material misstatements

Evaluate the entity’s responses to address the risks identified

.

44

23


Copyri

ght 2

016-1

7

Step 4: Design & Perform Responses

45

Assess the risk of material misstatement at the assertion level & determine the audit procedures

Lower Risk Assertions

Design & Perform ProceduresDesign & Perform Focused Procedures

Higher Risk Assertions

Evaluate if the assessments of risk were appropriate & whether sufficient audit evidence was obtained.

Report

Step 4: Design & Perform Responses to Risk Assessment

• Overall responses– Address risks of material

misstatements at the financial statement level

• Further audit procedures– Address risks of material

misstatement at the assertion level

46

24


Copyri

ght 2

016-1

7

Step 5:Evaluate Audit Findings

Has sufficient appropriate audit evidence been accumulated?

Both determined

using professional judgment

Has audit risk related to all relevant assertions been reduced to “low” as a result of further audit procedures?

47

Documentation Templates

See Appendix E (p. 125)

for theRisk Assessment Toolkit

available at www.nocecpa.com

48

25


Copyri

ght 2

016-1

7

Mini Case 3.3Gotbucks Springs Club HOASee case facts in handout & consider:1. What elements of the fraud triangle

are present here?2. Put yourself in Steely’s position. How

would you steal from GotbucksSprings Club HOA?

3. Are there internal control weaknesses present that management should be made aware of?

Text page 101

49

Section 3: Considering Fraud –Thinking Like a Crook

Objectives:1. Provide a brief background as to how

current standard evolved2. Discuss standards provisions & their

implication on current practice3. Provide implementation guidance for

application in audits applying GAAS4. To become familiar with changes

resulting from the Clarity Project

50

26


Copyri

ght 2

016-1

7

Responsibilities of the Auditor

“An auditor conducting an audit in accordance with GAAS is responsible for obtaining

reasonable assurance that the financial statements as a whole are

free of material misstatement, whether caused by fraud or error.”

51

Responsibilities …Cont’d

“When considering the auditor’s responsibility to obtain reasonable

assurance that the financial statements are free from material

misstatement, there is no important distinction between

error & fraud.”

52

27


Copyri

ght 2

016-1

7

AICPA on Fraud…

“The auditor’s responsibility to detect fraud is very clear. The

auditor is responsible for providing reasonable assurance that the

financial statements are free of material fraud.”

53

Components ofClarified Standard

• Discussion of characteristics of fraud– Fraud triangle

• Responsibility for the prevention & detection of fraud

• Responsibility of the auditor

54

28


Copyri

ght 2

016-1

7

Objectives of Auditor• Identify & assess the risks of material

misstatement of the financial statements due to fraud;

• Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing & implementing appropriate responses; &

• Respond appropriately to fraud or suspected fraud identified during the audit.

55

Definitions

• Fraud - An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in financial statements that are the subject of an audit.

• Fraud risk factors - Events or conditions that indicate an incentive or pressure to perpetrate fraud, provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent action.

56

29


Copyri

ght 2

016-1

7

RequirementsProfessional Skepticism

In accordance with clarified SAS:auditor should maintain professional

skepticism throughout the audit, recognizing the possibility that a

material misstatement due to fraud could exist,

notwithstanding the auditor’s past experience of the honesty & integrity of the entity’s management & those charged with governance

57

RequirementsProfessional Skepticism• Unless the auditor has reason to

believe the contrary, the auditor may accept records & documents as genuine.

• If conditions identified during the audit cause the auditor to believe that a document may not be authentic or that terms in a document have been modified but not disclosed to the auditor, the auditor should investigate further.

58

30


Copyri

ght 2

016-1

7

RequirementsProfessional Skepticism• When responses to inquiries of

management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), the auditor should further investigate the inconsistencies or unsatisfactory responses.

59

RequirementsDiscussion Among Engagement Personnel

Consider fraud triangle Motive, opportunity, & rationalization

Risk of management override of controls

Consider circumstances that may be indicative of earnings management

Reinforce professional skepticism concepts

How might auditor respond to susceptibility of RMM due to fraud

60

31


Copyri

ght 2

016-1

7

RequirementsDiscussion Among Engagement Personnel

• Brainstorming session• Consider internal controls• “What if?” scenarios

61

RequirementsRisk Assessment

• Fraud risk assessment is part of overall risk assessment

• AR = RMM x DR• RMM

– Error– Misappropriation of assets– Fraudulent financial reporting

• This includes an evaluation of related controls

62

32


Copyri

ght 2

016-1

7

RequirementsRisk Assessment

• No significant changes from extant standards

• Subtle change in documentation “fraud risks” are now considered “significant risks”

• However, this subtle change has far reaching implications!

63

RequirementsDiscussions with Management & Others Within Entity

Management’s assessment of the risk that the financial statements may be misstated due to fraud

Management’s process for identifying, responding to, & monitoring risks of fraud

Management’s communications to those charged with governance

Management’s communications, if any, to employees regarding views on business practices & ethical behavior

Actual or suspected fraud

64

33


Copyri

ght 2

016-1

7

RequirementsDiscussions with Management & Others Within Entity

Internal audit staffThose charged with governance

(unless they are same as management)

65

Inquiries of Management & Others About Fraud Risks

Others Employees with varying levels of

authority Lower level accounting staff Individuals not part of financial

reporting process

66

34


Copyri

ght 2

016-1

7

Implementation GuidanceDiscussions with Management & Others Within Entity

In some entities, particularly smaller entities, the focus of management’s assessment may be on the risks of employee fraud or misappropriation of assets.

Inquiries of management & others within the entity are generally most effective when they involve an in-person discussion.

If questionnaires are used, they should be followed up with discussion

67

RequirementsUnusual or Unexpected Relationships

• Based on analytical procedures performed as part of risk assessment procedures, the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud.

• To the extent not already included, the analytical procedures, & evaluation thereof, should include procedures relating to revenue accounts.

68

35


Copyri

ght 2

016-1

7

RequirementsOther Information

• The auditor should consider whether other information obtained by the auditor indicates risks of material misstatement due to fraud.

69

RequirementsEvaluation of Fraud Risk Factors

• The auditor should evaluate whether the information obtained from the risk assessment procedures & related activities performed indicates that one or more fraud risk factors are present.

• Although fraud risk factors may not necessarily indicate the existence of fraud, they have often been present in circumstances in which frauds have occurred &, therefore, may indicate risks of material misstatement due to fraud.

70

36


Copyri

ght 2

016-1

7

RequirementsIdentification & Assessment of Fraud Risk Factors

• The auditor should identify & assess the risks of material misstatement due to fraud at the:– financial statement level, – assertion level

• Presumption that revenue recognition is a fraud is continued

• The auditor should treat those assessed risks of material misstatement due to fraud as significant risks– the auditor should obtain an understanding

of the entity’s related controls– evaluate whether controls have been

suitably designed & implemented to mitigate such fraud risks.

71

Evaluating Fraud Risks

Objective: Identifying risks that may result in a material misstatement due to fraud

• TYPE of risk• SIGNIFICANCE of risk• LIKELIHOOD of risk resulting in material

misstatement• PERVASIVENESS of risk

72

37


Copyri

ght 2

016-1

7

Evaluating Fraud Risks

Assessing identified risks after taking evaluation of programs &

controls into account

73

RequirementsResponse to Assessed RMM Due to Fraud

Referenced to general risk assessment responses

Overall responses• Assignment & supervision of staff• Evaluation of selection & application of

accounting policies• Incorporate a level of unpredictability

Specific responses• Assertion level

74

38


Copyri

ght 2

016-1

7

RequirementsAudit Procedures Responsive to Risk of Management Override of Controls

Test the appropriateness of journal entries obtain an understanding of the entity’s financial

reporting process & controls over journal entries & other adjustments, & the suitability of design & implementation of such controls;

make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries & other adjustments;

consider fraud risk indicators, the nature & complexity of accounts, & entries processed outside the normal course of business;

select journal entries & other adjustments made at the end of a reporting period; &

consider the need to test journal entries & other adjustments throughout the period.

75

RequirementsAudit Procedures Responsive to Risk of Management Override of Controls

Review accounting estimates for biases & evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review,

the auditor should evaluate whether the judgments & decisions made by management in making the accounting estimates included in the financial statements to indicate a possible bias

perform a retrospective review of management judgments & assumptions related to significant accounting estimates reflected in the financial statements of the prior year.

76

39


Copyri

ght 2

016-1

7

RequirementsCommunication

Matter should be brought to attention of appropriate management level

Fraud involving senior management & fraud causing material misstatements should be reported directly to those charged with governance

Consider need to report to regulatory & enforcement authorities

Consider whether they represent conditions that represent internal control deficiencies that should be communicated

77

Communicating About Possible Fraud

In some cases, auditor may have a duty to expose possible fraud to outside parties: To comply with certain legal & regulatory

requirements To a successor auditor In response to a subpoena To a funding agency or other specified

agency in accordance with requirement for the audits of entities that receive governmental financial assistance

78

40


Copyri

ght 2

016-1

7

RequirementsDocumentation

Generally same as overall requirements for risk assessment Engagement team meeting Risks identified at financial statement &

assertion levelOverall & specific responses

Communications If revenue recognition not identified as a

fraud risk, how that presumption was overcome

79

Case Study 3.1 Clearview ManufacturingPlease familiarize yourself with the case

study facts in handoutDiscuss with othersReview fraud risk factors list Appendix AConsider fraud risks present at ClearviewRisks should identify the following

• TYPE of risk• SIGNIFICANCE of risk (material?)• LIKELIHOOD of risk resulting in material

misstatement• PERVASIVENESS of risk

80

41


Copyri

ght 2

016-1

7

Mini Case 3.4ADL IncorporatedSee case facts in handout & consider:1. What elements of the fraud triangle

are present here?2. Put yourself in Buddy’s position. How

would you steal from ADL?3. Are there internal control weaknesses

present that management should be made aware of?

81

42


Documents

Fraud: Essential Audit Tools and Techniques HO1/media/event materials/march_2017... · Mini Case 3.2: On the Hook Towing. ... audit. • •. . controls • –, – Test the appropriateness