- feature
- AUDITING
How auditors can apply a forensic-like approach to fraud
Professionals with forensic and fraud expertise share techniques auditors can use when completing AU-C Section 240 requirements.

Related
New: Digital assets practice aid addresses auditing of lending, borrowing
PCAOB postpones effective date for new quality control system
A&A Focus recap: M&A trends, non-GAAP frameworks, and how quality management and peer review intersect
From identifying and assessing the risk of material misstatement due to fraud to designing and performing audit procedures responsive to those risks, addressing the risk of fraud is challenging. Recent outreach by the AICPA Auditing Standards Board (ASB) aims to help auditors enhance their approach to addressing fraud risks.
The ASB interviewed more than two dozen professionals with forensic and fraud expertise about techniques auditors might want to consider when performing a financial statement audit in accordance with GAAS. Although most interviewees report some auditing experience, they are not primarily audit professionals. Almost all of them are currently working as professionals who provide forensic services or support audit teams in fraud-related matters.
Each interview typically lasted one hour and covered significant content. This article discusses some of the key takeaways from these interviews. Note that the suggestions in this article are not intended to expand the fraud-related requirements included in the professional standards.
The ASB conducted the interviews as part of its current project related to potential revisions to AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, and the outreach reflects the ASB’s continuing focus on data-driven insights.
CURRENT GUIDANCE ON FRAUD
AU-C Section 240 describes requirements concerning fraud for auditors performing financial statement audits. Among these requirements are: (1) to maintain professional skepticism throughout the audit; (2) to discuss with key members of the engagement team matters such as how and where an entity’s financial statements might be susceptible to material misstatement due to fraud and how the auditor might respond to the susceptibility to fraud; and (3) to inquire of management regarding matters such as management’s assessment of the risk that the financial statements may be materially misstated due to fraud and their process for identifying, responding to, and monitoring the risks of fraud in the entity.
The forensic professionals interviewed during the ASB’s outreach offered suggestions related to these and other requirements in AU-C Section 240.
PROFESSIONAL SKEPTICISM
Professional skepticism, as defined in AU-C Section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards, is “an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.” Although auditors are required to maintain their professional skepticism throughout an audit, a forensic-like perspective may be beneficial in helping auditors think differently.
Some auditors may find taking on a forensic-like perspective somewhat natural, though others may want to take continuing education courses to learn more about forensic skills. Forensic professionals suggest that auditors interested in developing this perspective seek out courses from providers such as the AICPA and the auditorsf state societies. Auditors should look for courses on fraud prevention, detection, and response, including behavioral red flags, effective interviewing, reading body language, and common fraud schemes.
Based on the ASBfs outreach, key tenets of a forensic-like perspective when considering the potential for fraud include:
- Accept that anyone can commit fraud. Anyone, including auditors, may be deceived by another person. Forensic professionals emphasize that fraud may be perpetrated by anyone regardless of their position, background, or personality traits.
- Avoid overreliance on past practices (often referred to as the same-as-last-year approach) and checklists. Undertaking audits with the same mindset used in every previous audit or seeking answers only to check off predetermined criteria increases the likelihood that an auditor relies on what is readily available (i.e., availability bias) or information from familiar sources (i.e., familiarity bias). Forensic professionals eschew the easily available explanations, keep an open mind focused on digging deeper until a clear outcome is determined, and avoid a checklist-driven approach to their work.
- Be curious. Although auditors provide information to clients who correct misstatements in the financial statements, auditors must be inquisitive and understand why a misstatement occurred. A misstatement may reveal deficiencies within a client’s internal controls or be indicative of more pervasive problems in the financial statements.
- Follow a “show me” strategy. Though auditors routinely gather information through inquiry of management and others, forensic professionals highlight the importance of remaining professionally skeptical and obtaining supporting documentation that can corroborate or contradict a client’s explanations. The key to the “show me” strategy is following the audit trail and building documentation-based support behind a client’s explanation rather than auditing by inquiry alone.
DISCUSSION AMONG ENGAGEMENT TEAM
An important element of an auditor’s risk assessment procedures included in AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is the required discussion among the engagement partner and other key engagement team members about the susceptibility of an entity’s financial statements to material misstatement. AU-C Section 240 contains additional fraud-specific matters that should be addressed during an engagement team’s discussion, or fraud brainstorming as it is sometimes called. These additional matters include how management could perpetrate and conceal fraudulent financial reporting, how assets could be misappropriated, external and internal factors that may create an incentive or pressure for management or others to commit fraud, and the risk of management override of controls.
Forensic professionals offered several suggestions related to the required fraud brainstorming, including:
- Encourage all team members to attend. AU-C Section 240 requires key engagement team members to attend the team’s fraud brainstorming session. Encouraging other team members to attend offers a professional development opportunity and allows less experienced auditors to learn from the discussion about fraud among more experienced auditors and any specialists who attend the session. In addition, including professionals with special information technology skills and firm specialists (e.g., forensic and valuation specialists and engagement quality reviewers) may bring new perspectives to the brainstorming session.
- Emphasize unpredictability. AU-C Section 240 also requires the auditor to incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures as part of the overall response to the assessed risks of material misstatement due to fraud. It is important that the auditor’s approach is unpredictable because client personnel can more easily conceal fraudulent behaviors when they are accustomed to the auditor’s procedures.
- Leverage findings from data analytics. Contemporary data analytics tools can reveal deep insights about audit clients. Leveraging client-specific insights such as those based on nonfinancial data in a brainstorming session provides auditors with another perspective on a client’s financial statements.
- Brainstorm on an ongoing basis. Engagement teams may benefit from continuing to brainstorm about fraud throughout the audit and holding a “bookend brainstorming session” near the end of the audit. Remember that brainstorming can be effective without being highly structured. The key is for auditors to continue thinking about fraud and communicate any fraud-related issues or observations to others on the engagement team. In essence, engagement teams may benefit from an iterative approach such that the team brainstorms at the beginning of the audit, uses the resulting insights and information in developing the audit plan, executes the planned approach, learns more about the entity, holds another brainstorming session, uses the new insights to perform any additional audit procedures deemed necessary, and so on.
INQUIRIES OF MANAGEMENT AND OTHERS
Auditors often make inquiries of client personnel related to various issues including fraud. Decisions about which engagement team member(s) should make these inquiries, when they should be made, whom the auditor should inquire of, and how frequently inquiries should occur involve professional judgment.
Forensic professionals offered several suggestions that auditors may want to consider and that may enhance the effectiveness of auditors’ fraud-related inquiries:
- Recharacterize fraud inquiries as fraud discussions. Auditors should take care to perform the required inquiries included in AU-C Section 240. Still, it may be helpful to think about the required fraud-related inquiries as part of a bigger discussion about fraud with management, those charged with governance, and other client personnel. Inquiries may lend themselves to “yes” or “no” responses; however, engaging client personnel in a conversation about fraud can provide auditors with greater insights about fraud risks. For example, this could be achieved by asking open-ended questions that require more than a “yes” or “no” response. The key is to be inquisitive and to ask probing questions that enable a conversation around fraud such as how the client identifies, responds to, and monitors the risks of fraud.
- Consider the frequency of fraud inquiries. Auditors use professional judgment in determining how frequently to make the required fraud inquiries contained in AU-C Section 240. As part of recharacterizing fraud inquiries as fraud discussions, forensic professionals suggest inquiring about fraud-related matters more frequently throughout the audit period.
- Engage face to face. Forensic professionals suggest that auditors increase face-to-face interactions with client personnel and perform fraud-related inquiries face to face if possible because doing so allows the auditor to react in real time to a client’s response and potentially limits a client’s ability to take extra time formulating an explanation they believe an auditor will accept.
- Consider the experience level of the auditors who conduct fraud inquiries. Carefully consider the experience level of the engagement team members who conduct the fraud inquiries. Invite less experienced auditors to shadow their more experienced colleagues during fraud inquiries so they can observe how to effectively perform fraud inquiries and help document the discussion.
- Challenge client explanations with supporting evidence. Obtaining audit evidence that either corroborates or contradicts client explanations is a common occurrence for auditors. Nonetheless, forensic professionals remind auditors to not accept client explanations at first glance. Instead, auditors need to respectfully challenge the sufficiency and reasonableness of client explanations by asking follow-up questions and obtaining supporting documentation.
- Conduct a pressure test. AU-C Section 240 requires the auditor to make inquiries of management, and others within the entity as appropriate, regarding their knowledge of actual, alleged, or suspected fraud. Some of the forensic professionals interviewed by the ASB suggested auditors also consider asking client personnel if they have been told by a supervisor or member of management to do something (record a journal entry, generate invoices or other documents, etc.) that made them uncomfortable. The forensic professionals also suggest following up with questions such as “If so, what did you do?”, “Did you know who at the organization to talk to about the request?”, and “If not, what would you do?”
- Inquire of personnel throughout the entity. Although auditors commonly speak with their client’s accounting personnel, speaking with nonaccounting personnel can contribute to the auditor’s knowledge of the entity’s operating realities and reveal insights about the entity’s financial position or performance. Relatedly, forensic professionals also suggest auditors consider the usefulness of extending fraud inquiries beyond the client to external parties (e.g., customers and vendors) to potentially obtain information that can be used to corroborate or contradict client-provided information.
OTHER SUGGESTIONS
Although most of the forensic professionals’ suggestions related to the previously discussed issues, the professionals provided other suggestions that may be helpful. For example, several forensic professionals noted the usefulness of searching payroll registers for employees with salaries or deductions that may appear unreasonable and examining statements for company credit cards for personal expenses. The latter suggestion was mentioned as being particularly relevant for audits of not-for-profit entities.
Two suggestions were specific to internal controls and the risks of material misstatement. Although auditors are required to obtain an understanding of their client’s internal controls, the forensic professionals suggested that auditors also consider what controls should be in place but are not. Doing so can reveal areas with increased risks of misstatement that may affect the auditor’s risk assessment and/or response. For example, although a client may prepare a monthly report to identify unexpected variances for expenses, it may not be reviewed by someone with a sufficient level of authority or expertise. Their second suggestion, one that is likely to be relevant to many audits of smaller, less complex entities, is for auditors to perform robust testing in areas with inadequate segregation of duties. Although an active owner-manager is often considered an effective counter to inadequate segregation of duties, longer-term relationships between the owner-manager and other employees may diminish the effectiveness of the owner-manager’s oversight.
The forensic professionals’ final suggestion was to understand the client’s whistleblower hotline. Specifically, they suggested understanding the nature and pattern of complaints received, the process used to investigate and resolve complaints, and the resolutions of the different types of complaints.
As found in the ASB interviews, professionals with forensic and fraud expertise can inform auditors’ practices under AU-C Section 240. Whether auditors develop a forensic-like mindset, incorporate more brainstorming sessions into their audit engagements, or change the frequency of fraud-related inquiries, applying any or all of the key takeaways presented may improve auditors’ approach to fraud. Auditors who deploy the suggested techniques may find that their approach to fraud is enhanced.
About the author
J. Gregory Jenkins, CPA, Ph.D., is the Ingwersen Professor in the School of Accountancy in the Harbert College of Business at Auburn University and is a member of the AICPA Auditing Standards Board. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpacima.com.
LEARNING RESOURCES
AICPA & CIMA Forensic & Valuation Services Conference
Whether you’re an experienced valuation pro or a newcomer to the field, join us Oct. 28–Oct. 30, 2024, to gain the latest insights and updates, hear from top thought leaders in the profession, explore cutting-edge technology, and forge powerful connections with your professional community. Conference attendance is available live both online and at Hyatt Regency Dallas and offers 11–20 CPE credits.
CONFERENCE
Fraud Prevention, Detection, and Response
This course describes the techniques typically employed to prevent, detect, and investigate fraud within an organization. Topics include the impact of fraud on business and society, common profiles of fraud perpetrators, types of fraud schemes, fraud triangle, risk issues, corporate governance, and fraud risk assessment and process controls.
CPE SELF-STUDY
Fundamentals of Forensic Accounting Certificate Program
The Fundamentals of Forensic Accounting Certificate Program covers those areas representative of the AICPA’s Body of Knowledge in the financial forensics area. This certificate program is tailored to provide an introduction to financial forensics and help you become familiar with the forensic accountant’s professional responsibility.
CPE SELF-STUDY
Oversight of Corporate Culture: A Core Asset in Driving Performance
Sound corporate culture is a cornerstone of fraud deterrence and detection. This Anti-Fraud Collaboration program will highlight leading practices on assessing and strengthening a company’s corporate culture.
CPE SELF-STUDY
For more information or to make a purchase, go to aicpa-cima.com/cpe-learning or call 888-777-7077.
AICPA & CIMA RESOURCES
Articles
“A Refresher on Fraud and the Responsibility for Its Detection,” JofA, Feb. 1, 2024
“Auditing Best Practices: What Academic Fraud Research Reveals,” AICPA & CIMA, Jan. 19, 2023
Website