Fraud can occur within any organization regardless of size or sophistication, even when internal controls seem effective. Despite this harsh reality, many audit clients and auditors are caught off guard when they become aware of alleged fraud. This article addresses how auditors should respond if suspicions or allegations of fraud surface during a financial statement audit.
To begin with, it is important for an auditor to remember the definition of fraud in the context of an audit. AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, defines fraud as "An intentional act by one or more individuals ... involving the use of deception that results in a misstatement in financial statements that are the subject of an audit" (¶ .11). With allegations of fraud, the key consideration for an auditor is whether the fraud might result in material misstatement of the financial statements. While allegations of fraud should always be appropriately considered by the auditor, not all fraudulent acts will necessarily have a material impact on the financial statements. Auditors are mainly concerned with misstatements that result from either fraudulent financial reporting or misappropriation of assets.
Before discussing what to do as an auditor if you become aware of potential fraud, let's highlight first what you should not do: Never draw conclusions of guilt or innocence. As AU-C Section 240 states: "Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred" (¶ .3).
The legal determination of whether fraud has occurred is made by a judge or jury, not by management and not by the auditor. So, when suspicions or allegations surface during an audit, it is important not to make conclusive statements of guilt or innocence either orally or in writing.
Instead, advise your audit client to seek legal counsel regarding what steps to take in response to the allegations. Even though the client's action or inaction in addressing suspected fraud may affect the trajectory of the audit engagement and raise issues such as whether an audit firm can issue an opinion or should withdraw from the engagement, it is not the auditor's role to be legal adviser to the audit client. The auditor instead needs to focus on an appropriate audit response to the situation within the context of generally accepted auditing standards.
WHAT TO DO IF THERE IS SUSPECTED FRAUD
Our discussion to this point has focused mainly on what not to do, so what should you do if you become aware of suspicions or allegations of fraud during an audit? First, be familiar with the requirements of AU-C Section 240. This is essential and informs the practical steps listed below. Be especially aware of Paragraphs .35, .36, and .37, which address what auditors ought to do if they identify a misstatement in a financial statement and have reason to believe that the cause may be fraud.
Below are select requirements contained in AU-C Section 240 as well as additional best practice suggestions.
Notify the right people
Depending upon who is suspected of the fraud, identify the appropriate members of management or those charged with governance to contact. Notify only those client parties who need to know. Follow the communication guidance found in AU-C Section 240, Paragraphs .39 through .41.
In addition, consider whether you are legally required as the auditor to report the suspicion of fraud to a regulatory or enforcement authority outside the organization (see ¶ .42 of AU-C Section 240). Absent a legal or regulatory requirement, remember that it is the auditor's professional duty to maintain client confidentiality on such matters.
Gather essential facts about the suspicions or allegations relevant to the audit. (See the sidebar, "Key Questions," to help with this information-gathering process.)
If the suspected individual has confessed to fraud or if irrefutable evidence has already been obtained regarding the allegations, consider inquiring what disciplinary measures have been taken and if the client has removed the suspect's access to the organization's accounting system and assets. Depending on the specific circumstances (and with guidance from the company's HR department), a client may have already terminated the employment of the suspect and changed passwords and locks, collected keys, and removed check-signing authority and access to bank accounts, accounting systems, etc.
Understand the client's plan to investigate the allegations of fraud. If the fraud is material, the client will likely need to engage legal counsel, who may then engage a forensic investigator or notify applicable law enforcement authorities to lead the investigation.
Document your actions and determine the situation's effect on the audit
Consider the possible outcomes of a client's fraud investigation and its impact on the audit, which could include termination of the employee accused of wrongdoing, a fidelity bond claim, legal action, or a combination of these. How a client responds to such allegations or suspicions of fraud will directly affect how an auditor should respond. If a client does not take such allegations seriously, withdrawal from the engagement may be necessary.
If a forensic investigation is performed, consider requesting a copy of the forensic investigation report from the attorney or fraud examiner to determine the impact of the findings on the current audit and whether reliance can be placed upon the conclusions of the investigation report to support an audit opinion. Note that when using such a specialist auditors must avoid independence issues relating to the audit engagement. If management requests your firm to perform a forensic investigation to follow up on their suspicions, ensure that the firm can comply with professional standards to avoid any breaches of independence.
Ensure audit documentation is sufficient to demonstrate adequate support for significant decisions the auditors made in response to allegations or suspicions of fraud under the relevant provisions of AU-C Section 230, Audit Documentation. If a forensic investigation has been performed and you have relied upon the testing and findings of the forensic investigator to support your conclusions on the audit, you should also document your use of a specialist within the binder and include the report of findings from the forensic specialist. Be sure to note the qualifications of the forensic accountant and the reasons for your reliance upon his or her work as you would with other specialists involved in the audit.
Be sure such documentation is sufficiently detailed, but, again, do not draw conclusions about guilt or innocence unless such legal determinations have already been made by a judge or jury.
Based on the information you have learned, consider your ability to continue and finalize the audit engagement and, relatedly, whether withdrawal from the audit is appropriate given the circumstances and considering applicable laws or regulations.
If the audit can indeed be finalized, consider what improvements can be made to the client's internal controls going forward based on the findings of the investigation and audit. A management letter comment may be necessary.
In summary, when suspicions or allegations of fraud surface during an audit, it is extremely important to demonstrate a sufficient response to the situation to support the auditor's conclusions on the engagement. Following the authoritative guidance of AU-C Section 240 and considering the practical steps and questions in this article will help auditors respond more confidently if such allegations arise.
As you gather information relating to allegations or suspicions of fraud during an audit, consider the following key questions:
- Who will investigate the suspicious activity and follow up on the allegations?
- What are the client's policies, and what outcomes may come from its investigation, such as termination of the employee, a fidelity bond claim, legal action, or a combination of these?
- What financial statement misstatements are suspicious? What transactions are suspicious? What assets are suspected of being missing?
- Who is the suspect? Is there more than one?
- How long has the suspect been employed at the organization? Note: The worst-case scenario is when allegations are toward a very long-tenured employee with limitless access and authorization to the organization's assets and systems throughout his or her tenure.
- What is the period under suspicion?
- What roles/positions did the suspect have throughout his or her employment tenure?
- What access does, or did, the suspect have to assets and systems throughout his or her tenure?
- What are the possible ways the suspect could have committed fraud, considering his or her access and authorization to assets and systems? Has the suspect confessed to committing fraud? If so, what did the suspect confess?
- Are there any controls in place that would mitigate fraud risk and limit the amount of possible fraud committed?
- Can you estimate a "worst-case scenario" amount of how much cash or how many assets were stolen?
- What misstatements to the financials could result from the suspected fraud? Consider the possible impact on beginning net assets if prior years are involved.
- What disciplinary measures have already been taken toward the suspect? Did the client place the suspected employee on leave and limit his or her access to assets and systems?
About the author
Nathan D. Salsbery, CPA, CGMA, CFE, is a partner in the Colorado Springs and Denver offices of CapinCrouse LLP and serves as the firm's executive vice president for the West region.To comment on this article or to suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.
Through narration by an industry subject-matter expert and practical scenario exercises, this two-module CPE course identifies the steps of a financial statement fraud investigation and the internal controls needed in place to deter and prevent fraud.
This guide provides implementation guidance that defines principles and points of focus for fraud risk management and describes how organizations of various sizes and types can establish their own fraud risk management program.
This CPE course discusses detecting and responding to fraud and provides an overview of the various types of fraud schemes auditors may encounter.
This course provides insight into the Business Fraud Risk Framework and focuses on the most relevant fraud schemes affecting organizations.
For more information or to make a purchase, go to aicpa.org/cpe-learning or call the Institute at 888-777-7077.
"Mitigating the New Fraud Realities," CPA Insider, Dec. 6, 2021
"Diving Deeper Into Smaller Frauds Due to COVID-19," JofA, Nov. 19, 2021