Auditing fraud risk during a pandemic

By Deana Thorps, CPA, and Tracy Harding, CPA

The coronavirus pandemic has taught us all to be on high alert during a time of uncertainty. The key to managing this uncertainty is adaptability. All entities have been affected by the pandemic in some way, whether it’s changes in internal control caused by remote-working conditions or a decline in operations at the peak of the outbreak. As many businesses shifted to remote operations, the risk of fraud may have increased.

For purposes of a financial statement audit, fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in the financial statements.

Considering the fraud risk triangle, the current environment provides individuals the incentive or pressure to perpetrate a fraud, opportunity to commit fraud, and rationalization to justify a fraudulent action. With all of these factors present, the risk of fraud is substantially heightened.

While adaptability is necessary for all in the current environment, auditors remain responsible for obtaining reasonable assurance that their client’s financial statements are free of material misstatement due to error or fraud under paragraph .05 of AU-C Section 240, Consideration of Fraud in a Financial Statement Audit.

Paragraph .08 also states that auditors are responsible for maintaining professional skepticism throughout the engagement and recognizing that audit procedures effective for detecting errors may not be effective in detecting fraud. Auditors should conduct engagements with a mindset that acknowledges the possibility that a material misstatement due to fraud could be present. The two types of fraud that auditors are primarily concerned with are fraudulent financial reporting and misappropriation of assets.

Fraudulent financial reporting is fraud that involves intentional misstatements, including omissions of amounts or disclosures in financial statements to deceive users of those statements. Examples of risks of fraudulent financial reporting misstatements that may be heightened in the current environment include:

  • Fictitious revenue. The economic impact of COVID-19 may have created incentives and opportunities to record fictitious revenue. For example, sales personnel at a given client may have struggled to meet their targets. If their compensation was tied to meeting those targets, they may have had an incentive to inflate their sales figures. Changes to internal control may have presented opportunities, as some companies may have overridden controls to fast-track customer approval.
  • Fraudulent management estimates. Management estimates, such as goodwill valuation, are at risk of misstatement. For example, many entities enter into loan covenants based on debt/EBITDA. Clients at risk of violating those covenants may seek to manipulate accounting estimates to strengthen their bottom line.
  • Improper timing of revenue. Improper timing of revenue recognition happens when an entity inappropriately records revenue in one period that should be recorded in another. This might be done to accelerate revenue recognition to meet earnings projections. Entities could also delay recognition if they’ve already met their projections for the period.
  • Fraudulent federal relief program applications. Management at clients that received a Paycheck Protection Program (PPP) loan may have felt increased pressure, due to the economic downturn, to fraudulently apply for these funds, including their forgiveness.

Misappropriation of assets is fraud that involves the theft of an entity’s assets and is often perpetrated by employees in a relatively immaterial amount. With more employees working from home, oversight of employee behavior can be more challenging. Some employees could face financial struggles, providing an incentive to misappropriate business assets for personal benefit. These employees could also rationalize that they deserve to use these assets for personal gain for various reasons.

Auditors should recall the objectives of AU-C Section 240, paragraph .10, which are to:

  • Identify and assess the risks of material misstatement of the financial statements due to fraud;
  • Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud through designing and implementing appropriate responses; and
  • Respond appropriately to fraud or suspected fraud identified during the audit.

The AICPA Peer Review Program data indicates common fraud-related missteps relative to risk assessment procedures and documentation that auditors should keep in mind when performing audit engagements, especially in today’s climate.

Fraud brainstorming

Peer Review data suggests that some auditors are not documenting their brainstorming sessions about the client’s fraud risks. AU-C Section 240, paragraph .15, requires discussion with engagement teams regarding the susceptibility of the entity’s financial statements to material misstatements due to fraud.

This is true regardless of the engagement team’s size. If you are a sole practitioner, you are still required by paragraph .43 to document this brainstorming session and the significant decisions reached. Peer Review data indicates that some auditors are not always documenting their client’s specific fraud risks that lead to a reasonable possibility of material misstatements in the financial statements. Auditors should recall paragraph .43, which requires documentation on the identified and assessed risks of material misstatements due to fraud at the financial statement and assertion level.

Fraud inquiries

AU-C Section 240, paragraph .16, requires auditors to obtain an understanding of the entity and its environment, including internal control, in order to identify the risks of material misstatement due to fraud. Obtaining this understanding is achieved in part through discussions with management, others within the entity, and those charged with governance. Peer Review data indicates some auditors are not performing adequate inquiries of those within the entity. Auditors should inquire about management’s procedures to assess their risk of fraud, whether there have been any unusual transactions that raise any flags relative to fraud, and whether there are any known instances of fraud. Additionally, they should obtain an understanding of what controls are designed and implemented to mitigate fraud risks that are relevant to the audit. These discussions help auditors identify and assess the risk of material misstatement due to fraud at the financial statement and assertion level.

Revenue recognition as a fraud risk

Peer Review data also suggests that some auditors fail to identify revenue recognition as a fraud risk. Paragraph .26 states that auditors should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. Auditors should treat those assessed risks of material misstatement due to fraud as significant risks. The potential of fraudulent financial reporting relative to fictitious revenue and improper revenue recognition schemes should remain on the auditor’s radar while performing risk assessment procedures in the current environment.

Another misconception concerns documenting the conclusion that improper revenue recognition is not a risk of material misstatement due to fraud. This is important, as the susceptibility to management override of controls is heightened in light of the current environment. AU-C Section 240, paragraph .46, requires auditors who have concluded that the presumption of a risk of material misstatement due to fraud related to revenue recognition is overcome in the circumstances of the engagement to include their reason for this conclusion in their audit documentation.

Linkage of risk assessment and response

Some auditors are not linking their identified fraud risks to their audit responses, according to Peer Review data. AU-C Section 240 requires auditors to perform further audit procedures that are responsive to the identified risks of material misstatement due to fraud at the financial statement and assertion level.

When performing audit procedures in response to identified risks related to fraud, auditors should incorporate an element of unpredictability. Performing some level of forensic procedures might also be appropriate in some circumstances. For instance, auditors could perform substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk. Auditors could also adjust the timing of audit procedures from that otherwise expected. Another option could be to use different sampling methods or test an entire population, which could help provide sufficient appropriate audit evidence to support the opinion.

Potential audit procedures to address the risk of misappropriation of assets include expanded observation of inventories or counting cash on a surprise or unannounced basis. If this observation is not possible due to office closures or travel restrictions, auditors may be able to use remote observation tools (for example, through a video transmission) to perform these observations.

Addressing fraud when detected

If fraud is identified during the audit engagement, professional standards require auditors to consider whether they are able to continue the engagement. They should determine their applicable professional and legal responsibilities given the circumstances, including whether a requirement exists to report those involved to regulatory authorities. When the auditor determines they are unable to continue performing the audit, they are required by paragraph .38 to discuss with the appropriate level of management and those charged with governance their withdrawal from the engagement and their reasons for withdrawing.

AU-C Section 240, paragraph .39, further requires auditors to communicate matters of fraud, either identified or indicated from information obtained, on a timely basis to the appropriate level of management in order to inform those with the primary responsibility for the prevention and detection of fraud.

Paragraph .42 also states that the auditor should determine whether they have a responsibility to report the occurrence or suspicion of fraud to a party outside the entity — for example, a regulator. Auditors are required by paragraph .45 to include in the audit documentation communication about fraud to management, those charged with governance, regulators, and others.

As auditors conduct their engagements for clients impacted by the pandemic, remaining vigilant and skeptical will help ensure the objectives of AU-C Section 240 are met. For more help, visit the following webpages for free tools and resources:

