Auditing standards require external auditors to consider potential fraud risks by watching out for conditions that provide the opportunity to commit fraud. Unfortunately, conditions during the COVID-19 pandemic may have increased your company’s fraud risks. For example, more employees may be working remotely than ever before. And some workers may be experiencing personal financial distress — due to reduced hours, decreased buying power or the loss of a spouse’s income — that could cause them to engage in dishonest behaviors.
Financial statement auditors must maintain professional skepticism regarding the possibility that a material misstatement due to fraud may be present throughout the audit process. Specifically, Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, requires auditors to consider potential fraud risks before and during the information-gathering process. Business owners and managers may find it helpful to understand how this process works — even if their financial statements aren’t audited.
Doubling down on fraud risks
During planning procedures, auditors must conduct brainstorming sessions about fraud risks. In a financial reporting context, auditors are primarily concerned with two types of fraud:
1. Asset misappropriation. Employees may steal tangible assets, such as cash or inventory, for personal use. The risk of theft may be heightened if internal controls have been relaxed during the pandemic. For example, some companies have waived the requirement for two signatures on checks, and others have reduced oversight during physical inventory counts.
2. Financial misstatement. Intentional misstatements, including omissions of amounts or disclosures in financial statements, may be used to deceive people who rely on your company’s financial statements. For example, managers who are unable to meet their financial goals may be tempted to book fictitious revenue to preserve their year-end bonuses. Or a CFO may alter fair value estimates to avoid reporting impairment of goodwill and other intangibles and triggering a loan covenant violation.
Identifying risk factors
Auditors must obtain an understanding of the entity and its environment, including internal controls, in order to identify the risks of material misstatement due to fraud. They must presume that, if given the opportunity, companies will improperly recognize revenue and management will attempt to override internal controls.
Examples of fraud risk factors that auditors consider include:
- Large amounts of cash or other valuable inventory items on hand, without adequate security measures in place,
- Employees with conflicts of interest, such as relationships with other employees and financial interests in vendors or customers,
- Unrealistic goals and performance-based compensation that tempt workers to artificially boost revenue and profits, and
- Weak internal controls.
Auditors also watch for questionable journal entries that dishonest employees could use to hide their impropriety. These entries might, for example, be made to intracompany accounts, on the last day of the accounting period or with limited descriptions. Once fraud risks have been assessed, audit procedures must be planned and performed to obtain reasonable assurance that the financial statements are free from misstatement.
Following up
Auditors generally aren’t required to investigate fraud. But they are required to communicate fraud risk findings to the appropriate level of management, who can then take actions to prevent fraud in their organizations. If conditions exist that make it impractical to plan an audit in a way that will adequately address fraud risks, an auditor may even decide to withdraw from the engagement.
© 2021
---
The information contained in the Knowledge Center is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. In no event will CST or its partners, employees or agents, be liable to you or anyone else for any decision made or action taken in reliance on the information in this Knowledge Center or for any consequential, special or similar damages, even if advised of the possibility of such damages.