Auditors are expected to comply with the requirements in AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, in conducting financial statement audits. As academics who perform fraud research, we were recently asked by the AICPA's Auditing Standards Board (ASB) to synthesize contemporary auditing research related to the auditor's identification, assessment, and response to fraud risks, and to communicate any revealed best practices. We identified 40 fraud-related studies published in highly regarded accounting journals between 2016 and 2022, along with several unpublished studies available on the Social Science Research Network. Below are some best practices based on those studies, organized according to select requirements in AU-C Section 240.
Auditors should maintain an attitude of professional skepticism throughout an audit (paragraph .12 of AU-C Section 240). To support the continuing exercise of professional skepticism, research suggests the following:
- Reward staff for practicing skepticism. Audit seniors and managers should reward appropriate skepticism (e.g., investigation of an evidence inconsistency) with positive feedback even when skepticism does not lead to the discovery of a misstatement. That is, avoid penalizing staff (e.g., through a poor performance review) who respond skeptically to evidence inconsistencies when no misstatement is identified.
- Have leaders set the right tone. Engagement partners should demonstrate their own professional skepticism to other team members by, for example, sharing their own past fraud experiences. This encourages preparation for fraud brainstorming meetings and deeper discussions during those meetings. When engagement partners demonstrate their professional skepticism, brainstorming sessions are longer, have better attendance, and include more extensive discussions.
- Build teams whose members have different levels of skepticism. Even a small number of more skeptical auditors can encourage deeper and more thoughtful fraud-related discussions by others on the audit team who may be less skeptical.
Discussion Among the Engagement Team
Audit teams are required to have a discussion among engagement team members about fraud that emphasizes the importance of professional skepticism. This discussion includes "an exchange of ideas or brainstorming … about how and where the entity's financial statements … might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated" (AU-C Section 240.15). Research provides the following insights that may enhance the effectiveness of fraud brainstorming discussions:
- Promote more effective brainstorming. Engagement teams will likely identify and discuss more fraud risks during brainstorming sessions if the partner emphasizes brainstorming as a training or professional development opportunity.
- Create a supportive environment. Less experienced audit team members are more apt to share relevant fraud risk factors during brainstorming sessions when an engagement partner establishes a supportive, nonthreatening environment that encourages idea sharing.
- Start with unstructured sharing of ideas. Although organizing ideas generated during brainstorming sessions can be helpful, an overly structured approach may reduce team members' creativity and inhibit idea generation. Consider providing the engagement team time to freely share their ideas before organizing and categorizing them.
Risk Assessment Procedures and Related Activities
Discussions With Management and Others Within the Entity
In order to understand the entity and its environment (AU-C Section 240.16–.21), auditors should have discussions with management and others within the entity when performing fraud risk assessment procedures. The following suggestions may improve the effectiveness of these discussions with management:
- Have two auditors conduct interviews. Interviews conducted by two auditors rather than one can influence deceptive client personnel to talk more freely, making them more likely to reveal fraud-related information.
- Remind clients of whistleblower protections and hold interviews in the afternoon. Client personnel are more likely to report fraudulent activities when auditors remind them of applicable whistleblower protections and during late-in-the-day interviews, when interviewees are tired and prone to "letting their guard down."
- Be aware of relationships between audit committee members and client management. Audit committee members with personal connections to members of management, such as the CEO or CFO, may be less vigilant when assessing fraud risk and management integrity. On the other hand, audit committee members with professional ties to other independent members of the board are likely to be more vigilant.
Unusual or Unexpected Relationships Identified
When performing preliminary analytical procedures as part of risk assessment, auditors should look for unusual or unexpected relationships that indicate an elevated fraud risk (AU-C Section 240.22). Research offers the following methods to increase the effectiveness of analytical procedures when assessing fraud risk:
- Use industry data, nonfinancial measures, and cash flows as benchmarks. When developing expectations for account balances, auditors should use industry data, nonfinancial measures (e.g., number of products sold), and cash flows as benchmarks rather than prior-year balances and relations within the client's financial data. Industry data, nonfinancial measures, and cash flows are less susceptible to management manipulation.
- Don't come up with too many explanations for anomalies. Generating as many potential explanations as possible for unusual account fluctuations can be counterproductive for auditors. It can increase the difficulty of the audit task and may lead auditors to rely on a client's potentially deceptive explanation for the fluctuations.
Identification and Assessment of the Risks of Material Misstatement Due to Fraud
Auditors are required to identify and assess fraud risk at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures (AU-C Section 240.25). Research offers observations related to the identification and assessment of fraud risks:
- Be aware that auditors tend to assign different motives to different types of misstatements. Auditors tend to view misstatements from omission (e.g., failing to record an expense) as less intentional than misstatements from commission (e.g., recording false revenue). This finding is important because some client personnel are more likely to commit fraud by omitting transactions than falsifying them.
- Note that employment levels have a role in fraud assessment. Lower-than-expected employment levels and labor costs relative to the prior year are red flags and may indicate heightened fraud risk. Also, auditors should identify when these metrics significantly differ from industry norms or when financial statement information does not reflect corresponding operating activities (e.g., increases in revenue when layoffs are occurring).
- Guidance from the right forensic specialists can be helpful. Forensic specialists who understand a client's business (e.g., by reviewing documentation about the client and its industry and attending engagement planning meetings) can assist auditors with developing better fraud risk assessments.
- Take on a forensic specialist's perspective. Having a forensic perspective (e.g., searching for fraud regardless of its magnitude, bearing in mind that things are not always as they appear, and assuming that fraud is possible even in the presence of strong internal controls) may be helpful in developing fraud risk assessments and designing audit procedures that are responsive to assessed fraud risk. Taking a forensic perspective is helpful, but it shouldn't be viewed as a substitute for professional skepticism.
Responses to the Assessed Risks of Material Misstatement Due to Fraud
Auditors are required to design and perform audit procedures that are responsive to the risks of material misstatement due to fraud at both the financial statement and assertion levels (AU-C Section 240.28–.30). Responding to fraud risks includes a variety of factors, such as a consideration of the knowledge, skill, and ability of individuals working on the engagement and incorporating an element of unpredictability into the nature, timing, and extent of the audit procedures to address fraud risks. The following research findings may be helpful to auditors responding to fraud risks:
- Encourage seeking advice. Auditors may benefit from advising and consulting with others on the engagement team. By talking with other engagement team members about how they can respond to fraud risks, auditors become more creative and think more deliberately, which can help identify audit procedures that are more responsive to assessed fraud risk.
- Support team members when they respond to potential evidence of fraud. Engagement supervisors should support, or empower, engagement team members who perform audit procedures in response to unanticipated evidence indicative of fraud. Such empowerment improves auditors' responses to fraud risks without sacrificing the auditor's efficiency when fraud risk is low.
- Use games. Audit firm communications or fraud training materials that include game-like features, such as fraud-related anagrams, can promote deeper thinking that enhances professional skepticism and fraud detection strategies.
Developing high-quality audit practices
Addressing fraud efficiently and effectively can be challenging. Although auditors should continue relying on their experience and professional judgment to address fraud in financial statement audits, findings from academic research such as those described above highlight behaviors and practices that can assist auditors' work.
The findings in this article represent the work of many academics who continue to examine different aspects of fraud and the auditor's consideration of it. These fraud-related research efforts have the potential to contribute to the development of high-quality audit practices. We encourage you to support this research by participating in academic studies, reading accounting research journals, and engaging with academics in your community.
— Joseph F. Brazel, Ph.D., is the Jenkins Distinguished Professor of Accounting at North Carolina State University in Raleigh. Tina D. Carpenter, CPA, Ph.D., is a professor of accounting and the EY Faculty Fellow at the University of Georgia in Athens. Christine Gimbar, CPA, Ph.D., is an associate professor of accounting at DePaul University in Chicago. J. Gregory Jenkins, CPA, Ph.D., is the Ingwersen Professor of Accounting at Auburn University in Auburn, Ala., and a member of the AICPA's Auditing Standards Board. Keith L. Jones, CPA, Ph.D., is the Deloitte Professor of Accounting at the University of Kansas in Lawrence.