The auditor and fraud
The audit profession has been under heightened scrutiny in recent years after a string of corporate failings and accounting scandals, notably Patisserie Valerie, Carillion, BHS, and Wirecard.
These have led to three independent reviews of the audit regime commissioned by the UK government, including the role of the regulator (the Kingman review), the level of competition and choice in the FTSE-350 audit market (the CMA study) and a report into audit quality (the Brydon review).
Sir Donald Brydon’s review on the quality and effectiveness of audit noted a perceived expectation gap related to the auditor’s responsibility for fraud, stating that where material fraud occurs, there can be concerns about whether auditors have done enough to detect it. The FRC responded with an immediate UK revision to ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements rather than wait for the IAASB revision (as was the case with ISA (UK) 315) and this was effective for accounting periods commencing on or after 15 December 2021. The revision to ISA (UK) 240 was generally seen as evolutionary rather than revolutionary. While the amendments introduced several new requirements, particularly around risk assessment, the revisions mostly served to clarify and formalise existing requirements. For many engagement teams, these revisions have effectively reinforced good practice.
The key changes
There are, however, some key changes implemented by revised ISA (UK) 240, in four main areas:
The auditor’s responsibilities and professional scepticism
The revisions clarify the auditor’s objectives, which include obtaining reasonable assurance about whether the financial statements are free from material misstatement due to fraud. They also highlight that the risk of not detecting a misstatement due to fraud may be higher than the risk related to error. Exercising professional scepticism remains pervasive in achieving these objectives.
Risk assessment procedures
Supplemental guidance clarifies that when performing risk assessment procedures, an understanding of fraud risk factors is required. The revisions introduce new requirements that include obtaining an understanding of the process that management undertakes to assess, identify, respond to, and communicate the risks of fraud, and discussing the risks of fraud with those charged with governance. Audit engagement teams are also required to determine whether they need specialised skills or knowledge to perform audit procedures, for example those of a fraud specialist.
Responses to the assessed risks and evaluation of audit evidence
The revisions include a “stand-back” requirement which is reflected in other standards and focuses on reinforcing existing principles, including a requirement to perform an overall assessment of the sufficiency and appropriateness of audit evidence, including both contradictory and corroborative evidence.
The auditors’ report and communication with those charged with governance
The revisions include the requirement for the audit report to explain to what extent the audit was considered capable of detecting irregularities, including fraud, in line with ISA (UK) 700 (Revised November 2019) and a new requirement that written representations obtained from management should explicitly acknowledge that management believes they have fulfilled these responsibilities.
What more can auditors do to tackle fraud?
There is a public perception that auditors should be doing much more to detect fraud and prevent the unexpected corporate failures of recent years. When a company fails because of fraud, or a fraud is uncovered not long after an unqualified audit report has been issued, it damages stakeholder trust in financial reporting, auditors and audit quality.
Audit firms are working to change ingrained cultures, behaviours, and mindsets, assessing the need for greater, risk-assessed specialist and forensic involvement at all stages of the audit, embedding fraud-related learnings across the firm and reinforcing professional scepticism.
However, there are other parties, not just auditors, who directly or indirectly influence the likelihood that fraud will be prevented or detected, including company directors, investors, government, and audit regulators.
Using technology to address fraud
Audit firms have also been investing significantly in technology which assists in the detection of fraud, notably including the use of Artificial Intelligence (AI). Such technology allows the auditor to examine the entire ledger for transactions which exhibit specific traits characteristic of fraud, or which are otherwise unusual in relation to the rest of the population. This use of technology allows the auditor to better focus their efforts on the specific transactions most likely to be associated with fraud.
As in the case of Wirecard, fraud is often carried out with the use of falsified documents (for example bank statements), and therefore the source of documents used as audit evidence is of heightened interest. This has come into further prominence in the last year with the advent of generative AI tools with the ability to produce plausible, yet fictitious, documents. Tools which allow the auditor to source information directly from third party originators, for example open banking or confirmation tools allowing direct interaction with banks, are therefore a key component of the modern auditor’s toolkit.
The future of fraud
The approach to audit reform reflected in the Feedback Statement following the proposals in the UK government’s March 2021 White Paper ‘Restoring trust in audit and corporate governance’ did not go as far as some firms had hoped but, implemented properly, would have been a step in the right direction. In relation to tackling fraud, the government proposed that directors should report on the steps they had taken to prevent and detect material fraud, with additional requirements also to be placed on auditors in relation to fraud detection and assessment of the effectiveness of relevant controls.
However, a decision was taken in October 2023 to abandon the proposed new rules for large UK listed and private companies after consultation with businesses raised concerns about imposing additional reporting requirements on these companies. The business department now says it will “pursue options to reduce the burden of red tape” to ensure the UK is one of the best places in the world to do business. Some commentators have reported this to be a major blow to those seeking to drive improved transparency and trust in UK corporate reporting.
The government says it remains committed to wider audit and corporate governance reform, including establishing a new regulator, the Audit, Reporting and Governance Authority (ARGA) to replace the existing Financial Reporting Council.
Conclusion
Fraud is a complex issue and there is often confusion around what constitutes fraud and at what point auditors can be expected to spot it. Asset fraud tends to be more common and easier to spot than financial reporting fraud, but often involves smaller values.
Kreston Reeves, along with many other audit firms, is actively embracing changing expectations about what financial statement audits involve in relation to fraud, and what we can and should be expected to achieve. We are also making significant investments in the technologies that have the potential to transform fraud detection, as part of the wider risk assessment process.
Kreston Reeves has extensive experience and expertise in conducting ISA (UK) 240 compliant audits. If you would like further information or guidance on the changes to ISA (UK) 240 and other auditing standards, contact us today.
Related people
Graham Gardner CA(SA)
- Audit Technical Director