Appendices
Examples of Fraud Risk Factors
Appendix 1
(Ref: Para. A26)
The fraud risk factors identified in this Appendix are examples of such factors that may be faced by auditors in a broad range of situations. Separately presented are examples relating to the two types of fraud relevant to the auditor’s consideration—that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalisations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting
The following are examples of risk factors relating to misstatements arising from fraudulent financial reporting.
Incentives/Pressures
Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by):
- High degree of competition or market saturation, accompanied by declining margins.
- High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates.
- Significant declines in customer demand and increasing business failures in either the industry or overall economy.
- Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.
- Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.
- Rapid growth or unusual profitability especially compared to that of other companies in the same industry.
- New accounting, statutory, or regulatory requirements.
Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following:
- Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages.
- Need to obtain additional debt or equity financing to stay competitive—including financing of major research and development or capital expenditures.
- Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements.
- Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.
Information available indicates that the personal financial situation of management or those charged with governance is threatened by the entity’s financial performance arising from the following:
- Significant financial interests in the entity.
- Significant portions of their compensation (for example, bonuses, share options, and earn‑out arrangements) being contingent upon achieving aggressive targets for share price, operating results, financial position, or cash flow.[28]
- Personal guarantees of debts of the entity.
There is excessive pressure on management or operating personnel to meet financial targets established by those charged with governance, including sales or profitability incentive goals.
Opportunities
The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:
- Significant related‑party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.
- A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non‑arm’s‑length transactions.
- Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgements or uncertainties that are difficult to corroborate.
- Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult “substance over form” questions.
- Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.
- Use of business intermediaries for which there appears to be no clear business justification.
- Significant bank accounts or subsidiary or branch operations in tax‑haven jurisdictions for which there appears to be no clear business justification.
The monitoring of management is not effective as a result of the following:
- Domination of management by a single person or small group (in a non owner‑managed business) without compensating controls.
- Oversight by those charged with governance over the financial reporting process and internal control is not effective.
There is a complex or unstable organisational structure, as evidenced by the following:
- Difficulty in determining the organisation or individuals that have a controlling interest in the entity.
- Overly complex organisational structure involving unusual legal entities or managerial lines of authority.
- High turnover of senior management, legal counsel, or those charged with governance.
Internal control components are deficient as a result of the following:
- Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required).
- High turnover rates or employment of staff in accounting, information technology or the internal audit function that are not effective.
- Accounting and information systems that are not effective, including situations involving significant deficiencies in internal control.
Attitudes/Rationalisations
- Communication, implementation, support, or enforcement of the entity’s values or ethical standards by management, or the communication of inappropriate values or ethical standards, that are not effective.
- Non‑financial management’s excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates.
- Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations.
- Excessive interest by management in maintaining or increasing the entity’s share price or earnings trend.
- The practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.
- Management failing to remedy known significant deficiencies in internal control on a timely basis.
- An interest by management in employing inappropriate means to minimise reported earnings for tax‑motivated reasons.
- Low morale among senior management.
- The owner‑manager makes no distinction between personal and business transactions.
- Dispute between shareholders in a closely held entity.
- Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.
- The relationship between management and the current or predecessor auditor is strained, as exhibited by the following:
  - Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.
  - Unreasonable demands on the auditor, such as unrealistic time constraints regarding the completion of the audit or the issuance of the auditor’s report.
  - Restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with those charged with governance.
  - Domineering management behaviour in dealing with the auditor, especially involving attempts to influence the scope of the auditor’s work or the selection or continuance of personnel assigned to or consulted on the audit engagement.
Risk Factors Relating to Misstatements Arising From Misappropriation of Assets
Risk factors that relate to misstatements arising from misappropriation of assets are also classified according to the three conditions generally present when fraud exists: incentives/pressures, opportunities, and attitudes/rationalisation. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and other deficiencies in internal control may be present when misstatements due to either fraudulent financial reporting or misappropriation of assets exist. The following are examples of risk factors related to misstatements arising from misappropriation of assets.
Incentives/Pressures
Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.
Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:
- Known or anticipated future employee layoffs.
- Recent or anticipated changes to employee compensation or benefit plans.
- Promotions, compensation, or other rewards inconsistent with expectations.
Opportunities
Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:
- Large amounts of cash on hand or processed.
- Inventory items that are small in size, of high value, or in high demand.
- Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
- Fixed assets which are small in size, marketable, or lacking observable identification of ownership.
Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:
- Inadequate segregation of duties or independent checks.
- Inadequate oversight of senior management expenditures, such as travel and other reimbursements.
- Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations.
- Inadequate job applicant screening of employees with access to assets.
- Inadequate record keeping with respect to assets.
- Inadequate system of authorisation and approval of transactions (for example, in purchasing).
- Inadequate physical safeguards over cash, investments, inventory, or fixed assets.
- Lack of complete and timely reconciliations of assets.
- Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns.
- Lack of mandatory holidays for employees performing key control functions.
- Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation.
- Inadequate access controls over automated records, including controls over and review of computer systems event logs.
Attitudes/Rationalisations
- Disregard for the need for monitoring or reducing risks related to misappropriations of assets.
- Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to take appropriate remedial action on known deficiencies in internal control.
- Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of the employee.
- Changes in behaviour or lifestyle that may indicate assets have been misappropriated.
- Tolerance of petty theft.
Examples of Possible Audit Procedures to Address the Assessed Risks of Material Misstatement Due to Fraud
Appendix 2
(Ref: Para. A41)
The following are examples of possible audit procedures to address the assessed risks of material misstatement due to fraud resulting from both fraudulent financial reporting and misappropriation of assets. Although these procedures cover a broad range of situations, they are only examples and, accordingly, they may not be the most appropriate nor necessary in each circumstance. Also, the order of the procedures provided is not intended to reflect their relative importance.
Consideration at the Assertion Level
Specific responses to the auditor’s assessment of the risks of material misstatement due to fraud will vary depending upon the types or combinations of fraud risk factors or conditions identified, and the classes of transactions, account balances, disclosures and assertions they may affect.
The following are specific examples of responses:
- Visiting locations or performing certain tests on a surprise or unannounced basis. For example, observing inventory at locations where auditor attendance has not been previously announced or counting cash at a particular date on a surprise basis.
- Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimise the risk of manipulation of balances in the period between the date of completion of the count and the end of the reporting period.
- Altering the audit approach in the current year. For example, contacting major customers and suppliers orally in addition to sending written confirmation, sending confirmation requests to a specific party within an organisation, or seeking more or different information.
- Performing a detailed review of the entity’s month‑end or year‑end adjusting entries and investigating any that appear unusual as to nature or amount.
- For significant and unusual transactions, particularly those occurring at or near year‑end, investigating the possibility of related parties and the sources of financial resources supporting the transactions.
- Performing substantive analytical procedures using disaggregated data. For example, comparing sales and cost of sales by location, line of business or month to expectations developed by the auditor.
- Conducting interviews of personnel involved in areas where a risk of material misstatement due to fraud has been identified, to obtain their insights about the risk and whether, or how, controls address the risk.
- When other independent auditors are auditing the financial report of one or more subsidiaries, divisions or branches, discussing with them the extent of work necessary to be performed to address the assessed risk of material misstatement due to fraud resulting from transactions and activities among these components.
- If the work of an expert becomes particularly significant with respect to a financial statement item for which the assessed risk of misstatement due to fraud is high, performing additional procedures relating to some or all of the expert’s assumptions, methods or findings to determine that the findings are not unreasonable, or engaging another expert for that purpose.
- Performing audit procedures to analyse selected opening balance sheet accounts of the previously audited financial report to assess how certain issues involving accounting estimates and judgements, for example, an allowance for sales returns, were resolved with the benefit of hindsight.
- Performing procedures on account or other reconciliations prepared by the entity, including considering reconciliations performed at interim periods.
- Performing computer‑assisted techniques, such as data mining to test for anomalies in a population.
- Testing the integrity of computer‑produced records and transactions.
- Seeking additional audit evidence from sources outside of the entity being audited.
Specific Responses—Misstatement Resulting from Fraudulent Financial Reporting
Examples of responses to the auditor’s assessment of the risks of material misstatement due to fraudulent financial reporting are as follows:
Revenue Recognition
- Performing substantive analytical procedures relating to revenue using disaggregated data, for example, comparing revenue reported by month and by product line or business segment during the current reporting period with comparable prior periods. Computer‑assisted audit techniques may be useful in identifying unusual or unexpected revenue relationships or transactions.
- Confirming with customers certain relevant contract terms and the absence of side agreements, because the appropriate accounting often is influenced by such terms or agreements and basis for rebates or the period to which they relate are often poorly documented. For example, acceptance criteria, delivery and payment terms, the absence of future or continuing vendor obligations, the right to return the product, guaranteed resale amounts, and cancellation or refund provisions often are relevant in such circumstances.
- Enquiring of the entity’s sales and marketing personnel or in‑house legal counsel regarding sales or shipments near the end of the period and their knowledge of any unusual terms or conditions associated with these transactions.
- Being physically present at one or more locations at period end to observe goods being shipped or being readied for shipment (or returns awaiting processing) and performing other appropriate sales and inventory cut‑off procedures.
- For those situations for which revenue transactions are electronically initiated, processed, and recorded, testing controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.
Inventory Quantities
- Examining the entity's inventory records to identify locations or items that require specific attention during or after the physical inventory count.
- Observing inventory counts at certain locations on an unannounced basis or conducting inventory counts at all locations on the same date.
- Conducting inventory counts at or near the end of the reporting period to minimise the risk of inappropriate manipulation during the period between the count and the end of the reporting period.
- Performing additional procedures during the observation of the count, for example, more rigorously examining the contents of boxed items, the manner in which the goods are stacked (for example, hollow squares) or labelled, and the quality (that is, purity, grade, or concentration) of liquid substances such as perfumes or specialty chemicals. Using the work of an expert may be helpful in this regard.
- Comparing the quantities for the current period with prior periods by class or category of inventory, location or other criteria, or comparison of quantities counted with perpetual records.
- Using computer‑assisted audit techniques to further test the compilation of the physical inventory counts—for example, sorting by tag number to test tag controls or by item serial number to test the possibility of item omission or duplication.
Management Estimates
- Using an expert to develop an independent estimate for comparison to management’s estimate.
- Extending enquiries to individuals outside of management and the accounting department to corroborate management’s ability and intent to carry out plans that are relevant to developing the estimate.
Specific Responses—Misstatements Due to Misappropriation of Assets
Differing circumstances would necessarily dictate different responses. Ordinarily, the audit response to an assessed risk of material misstatement due to fraud relating to misappropriation of assets will be directed toward certain account balances and classes of transactions. Although some of the audit responses noted in the two categories above may apply in such circumstances, the scope of the work is to be linked to the specific information about the misappropriation risk that has been identified.
Examples of responses to the auditor’s assessment of the risk of material misstatements due to misappropriation of assets are as follows:
- Counting cash or securities at or near year‑end.
- Confirming directly with customers the account activity (including credit memo and sales return activity as well as dates payments were made) for the period under audit.
- Analysing recoveries of written‑off accounts.
- Analysing inventory shortages by location or product type.
- Comparing key inventory ratios to industry norm.
- Reviewing supporting documentation for reductions to the perpetual inventory records.
- Performing a computerised match of the vendor list with a list of employees to identify matches of addresses or phone numbers.
- Performing a computerised search of payroll records to identify duplicate addresses, employee identification or taxing authority numbers or bank accounts.
- Reviewing personnel files for those that contain little or no evidence of activity, for example, lack of performance evaluations.
- Analysing sales discounts and returns for unusual patterns or trends.
- Confirming specific terms of contracts with third parties.
- Obtaining evidence that contracts are being carried out in accordance with their terms.
- Reviewing the propriety of large and unusual expenses.
- Reviewing the authorisation and carrying value of senior management and related party loans.
- Reviewing the level and propriety of expense reports submitted by senior management.
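The computerised vendor-to-employee match and the payroll duplicate search listed above can be sketched as follows. This is an added example, not part of the standard; the record layout, field names, abbreviation table and the nine-digit phone comparison are assumptions, and all sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records; the field names are assumptions for this example.
EMPLOYEES = [
    {"id": "E001", "address": "12 Harbour St., Unit 4, Sydney NSW 2000",
     "phone": "(02) 5550 0101", "bank": "062-000 1234 5678"},
    {"id": "E002", "address": "7 Ridge Road, Perth WA 6000",
     "phone": "08 5550 0102", "bank": "066-100 8888 0001"},
    {"id": "E003", "address": "99 Mill Lane, Hobart TAS 7000",
     "phone": "03 5550 0103", "bank": "062000 12345678"},  # same account as E001
]
VENDORS = [
    {"id": "V100", "address": "Unit 4 / 12 HARBOUR STREET, SYDNEY NSW 2000",
     "phone": "+61 2 5550 0199"},
    {"id": "V101", "address": "PO Box 44, Perth WA 6000",
     "phone": "+61 8 5550 0102"},
    {"id": "V102", "address": "3 Quay Ave, Darwin NT 0800",
     "phone": "08 5550 0777"},
]

ABBREV = {"ST": "STREET", "RD": "ROAD", "AVE": "AVENUE", "LN": "LANE"}

def norm_address(value):
    """Upper-case, drop punctuation, expand abbreviations, ignore token order.
    Order-insensitive keys trade a few false positives for fewer misses;
    every hit is a lead for manual review, not a finding."""
    tokens = re.findall(r"[A-Z0-9]+", value.upper())
    return " ".join(sorted(ABBREV.get(t, t) for t in tokens))

def norm_phone(value):
    """Keep the last nine digits so '+61 2 ...' and '(02) ...' compare equal
    (assumes one national numbering plan)."""
    digits = re.sub(r"\D", "", value)
    return digits[-9:] if len(digits) >= 9 else digits

def norm_digits(value):
    """Account numbers: compare digits only, ignoring spaces and dashes."""
    return re.sub(r"\D", "", value)

NORMALISERS = {"address": norm_address, "phone": norm_phone, "bank": norm_digits}

def index_by(records, field):
    """Map normalised field value -> record ids; blank values are skipped
    so that missing data never counts as a match."""
    index = defaultdict(list)
    for record in records:
        key = NORMALISERS[field](record.get(field, ""))
        if key:
            index[key].append(record["id"])
    return index

def match_vendors_to_employees(vendors, employees, fields=("address", "phone")):
    """Return (vendor_id, employee_id, field) for every shared contact detail."""
    hits = []
    for field in fields:
        employee_index = index_by(employees, field)
        for vendor in vendors:
            key = NORMALISERS[field](vendor.get(field, ""))
            for employee_id in employee_index.get(key, []):
                hits.append((vendor["id"], employee_id, field))
    return sorted(hits)

def find_payroll_duplicates(employees, fields=("address", "phone", "bank")):
    """Return (field, [employee ids]) for each value shared by 2+ employees."""
    duplicates = []
    for field in fields:
        for ids in index_by(employees, field).values():
            if len(ids) > 1:
                duplicates.append((field, sorted(ids)))
    return sorted(duplicates)

if __name__ == "__main__":
    for hit in match_vendors_to_employees(VENDORS, EMPLOYEES):
        print("vendor/employee match:", hit)
    for dup in find_payroll_duplicates(EMPLOYEES):
        print("payroll duplicate:", dup)
```
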
Examples of Circumstances that Indicate the Possibility of Fraud
Appendix 3
(Ref: Para. A50)
The following are examples of circumstances that may indicate the possibility that the financial report may contain a material misstatement resulting from fraud.
Discrepancies in the accounting records, including:
- Transactions that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy.
- Unsupported or unauthorised balances or transactions.
- Last‑minute adjustments that significantly affect financial results.
- Evidence of employees’ access to systems and records inconsistent with that necessary to perform their authorised duties.
- Tips or complaints to the auditor about alleged fraud.
Conflicting or missing evidence, including:
- Missing documents.
- Documents that appear to have been altered.
- Unavailability of other than photocopied or electronically transmitted documents when documents in original form are expected to exist.
- Significant unexplained items on reconciliations.
- Unusual balance sheet changes, or changes in trends or important financial statement ratios or relationships – for example receivables growing faster than revenues.
- Inconsistent, vague, or implausible responses from management or employees arising from enquiries or analytical procedures.
- Unusual discrepancies between the entity's records and confirmation replies.
- Large numbers of credit entries and other adjustments made to accounts receivable records.
- Unexplained or inadequately explained differences between the accounts receivable sub‑ledger and the control account, or between the customer statements and the accounts receivable sub‑ledger.
- Missing or non‑existent cancelled cheques in circumstances where cancelled cheques are ordinarily returned to the entity with the bank statement.
- Missing inventory or physical assets of significant magnitude.
- Unavailable or missing electronic evidence, inconsistent with the entity’s record retention practices or policies.
- Fewer responses to confirmations than anticipated or a greater number of responses than anticipated.
- Inability to produce evidence of key systems development and program change testing and implementation activities for current‑year system changes and deployments.
Problematic or unusual relationships between the auditor and management, including:
- Denial of access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought.
- Undue time pressures imposed by management to resolve complex or contentious issues.
- Complaints by management about the conduct of the audit or management intimidation of engagement team members, particularly in connection with the auditor’s critical assessment of audit evidence or in the resolution of potential disagreements with management.
- Unusual delays by the entity in providing requested information.
- Unwillingness to facilitate auditor access to key electronic files for testing through the use of computer‑assisted audit techniques.
- Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel.
- An unwillingness to add or revise disclosures in the financial report to make them more complete and understandable.
- An unwillingness to address identified deficiencies in internal control on a timely basis.
Other
- Unwillingness by management to permit the auditor to meet privately with those charged with governance.
- Accounting policies that appear to be at variance with industry norms.
- Frequent changes in accounting estimates that do not appear to result from changed circumstances.
- Tolerance of violations of the entity’s Code of Conduct.
[28] Management incentive plans may be contingent upon achieving targets relating only to certain accounts or selected activities of the entity, even though the related accounts or activities may not be material to the entity as a whole.