Chartered Accountants of Canada

The Canadian Institute of Chartered Accountants
277 Wellington Street West
Toronto, Ontario
Canada M5V 3H2
Tel: (416) 977-3222
Fax: (416) 977-8585
http://www.cica.ca

Mr. J.M. Sylph, FCA
Technical Director
International Auditing and Assurance Standards Board
545 Fifth Avenue, 14th Floor
New York, New York 10017
USA

Dear Mr. Sylph:

Re: Exposure Draft "The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements"

The Auditing and Assurance Standards Board (AASB) is pleased to respond to the above Exposure Draft and strongly supports the proposed standard, subject to the undernoted comments and recommended changes. We believe that these comments and changes are consistent with the substance of the proposed standard and would result in important improvements that merit your consideration. The comments and recommendations result from the deliberations of the AASB during the course of the parallel Canadian project, and from comments by respondents to the equivalent Canadian Exposure Draft. We also include as an appendix a number of editorial comments for your consideration.

Significant overall comments

1. Need for additional implementation guidance

There is a need for significant additional guidance on implementation of the proposed ISA. The AICPA has published very extensive additional guidance for SAS99, for example by issuing Fraud Detection in a GAAS Audit: SAS No. 99 Implementation Guide and by including extensive guidance on fraud risk assessment and related techniques, and case studies, on its fraud web site.
Although the ED does not change the auditor's responsibility to detect fraud, because of the importance of this new standard, and the degree of change required in auditor mindset and performance, we strongly urge the IAASB to issue background guidance concurrently with the ISA, or shortly thereafter. IAASB could use the AICPA guidance as a starting point. Such guidance, we believe, is particularly important for auditors of small owner-managed enterprises. Other matters on which guidance would be useful include evaluation of corporate culture and tone at the top.

2. Applicability to audits of small entities

Notwithstanding the reference in several paragraphs to audits of small entities, we believe the particular issues relating to such audits are insufficiently addressed. For example, more guidance would be desirable in or after paragraph 28 and in paragraphs 59 through 70 concerning the limited opportunity in such entities for segregation of duties, the compensating controls exercised by an owner-manager, and the related fraud risk factors.

3. Application of professional scepticism to those charged with governance

We agree that the auditor should maintain an attitude of professional scepticism throughout the audit notwithstanding the auditor's past experience with the entity and the auditor's belief about the honesty and integrity of management and those charged with governance. However, while the ED provides sufficient guidance on the types of procedures the auditor performs when exercising professional scepticism with respect to management, we believe there needs to be more detailed guidance on the types of procedures the auditor performs when exercising professional scepticism with respect to those charged with governance.

4. Concerns associated with taking a procedural approach in this proposed ISA

We agree with the specific procedural requirements in the Exposure Draft (e.g., required procedures concerning revenue recognition, journal entries, inventories, accounting estimates and understanding of the business rationale for significant transactions). However, it must be recognized that, once these standards are finalized, management, aware of the specific procedures the auditor will perform and bent on perpetrating fraud, will presumably take extra care not to do so, for example, by means of a journal entry in a round amount close to the year-end. A risk of having a set of prescribed procedures is that auditors, having performed them, will believe they have done enough. This may not always be the case.
To alleviate this risk, we recommend that the phrase "at a minimum" or "at least" be incorporated into the lead-in to paragraph 70 and suitable wording be inserted immediately after paragraph 70 to state that, notwithstanding the particular methods of perpetrating fraud described in paragraphs 71 to 76, and in paragraph 67 concerning revenue recognition, management may use different methods of perpetrating fraud that would not be detected by any of the procedures contemplated in paragraphs 70 or 68 [1]. There should be a strong statement that auditors should also be alert for evidence of fraud from whatever source and by any method. This will reinforce the basic principle in the standard that the auditor is alert to risks of material misstatement, whether due to revenue recognition, management override of internal controls or some other cause.

[1] More auditing techniques are usefully described in Appendix 2 but they are not all linked to specific methods of perpetrating fraud.

5. Auditor communications to those charged with governance

We are concerned that the requirements for reporting to those charged with governance are, given the current environment, too limited - even less stringent in some respects than existing ISA 240. For example, the matters that are ordinarily communicated as described in existing ISA 240, paragraph 58, are not all included in the Exposure Draft. Whereas the existing requirement is for the auditor to communicate fraud involving all management, the ED paragraph 88 only requires the auditor to communicate fraud involving senior management. [2] Furthermore, existing ISA 240, paragraph 58, requires the communication of misstatements that may cause future financial statements to be misstated. We believe that this requirement should be retained, either in ISA 240 or ISA 260.

[2] ISA 260.11 requires the reporting of fraud involving management. We interpret this requirement to mean that the auditor should report all fraud involving management.

We are also concerned that both the ED and SAS99 set too high a threshold before the auditor reports fraud (whether caused by senior management or other employees) to those charged with governance. The requirement in the ED is only for material or possibly material frauds to be reported. We believe that the requirement should be for all non-trivial frauds to be reported.

Accordingly, we believe that paragraph 88 should be amended to read:

"If the auditor has identified any of the following matters, the auditor should communicate them to those charged with governance as soon as practicable:
a) Questions concerning the competence and integrity of management; [3]
b) Fraud involving management;
c) Fraud (whether caused by management or other employees) that results, or may result, in a non-trivial misstatement of the financial statements; and
d) Matters that may cause future financial statements to be materially misstated."

[3] i.e., put the last bullet in paragraph 94 into bold.

Specific comments

Paragraph 10

The focus of this paragraph is on earnings management and on frauds that have an impact on net income. It is true that fraudulent financial reporting is often caused in this way; however, mention should also be made of pressures on management to meet financial ratios involving assets and liabilities and therefore the possibility that there are misstatements due to fraud in these areas.

Paragraph 23

Consideration should be given to adding text or a footnote along the lines of footnote 26 of SAS99 which indicates that if the auditor believes that documents may not be authentic he or she should investigate further and consider using the work of a specialist to determine the authenticity.

Paragraph 24

The concept that communication and sharing of information should take place throughout the audit, as described in paragraph 27, is important and should be added to the end of paragraph 24 along the following lines: "The discussions should take place throughout the audit."
Paragraph 25

It is not sufficient for only key members of the engagement team to be involved in the discussion. All members of the audit team make judgments and determinations during the audit, and not just the senior members of the team. Junior members therefore need to hear the discussions of the more senior members to gain an understanding of the risks and related audit approach. Since the word "ordinarily" is already used to qualify the need for team members to be involved, the wording could be: "Ordinarily the discussion involves all members of the engagement team."

Consideration should also be given to incorporating into this paragraph some of the important messages that are set out in SAS99 paragraph 16 regarding how the discussion among the engagement team members reinforces professional scepticism.

Paragraph 26

A sentence should be added at the end of this paragraph along the lines of: "Difficult issues would be discussed if necessary with a professional colleague."

Paragraph 34

If there is an internal audit function, enquiries should be required. At a minimum, the word "ordinarily" should be deleted. Consideration should also be given to amending paragraph 32 to include reference to internal auditors. For example, "The auditor should make enquiries of management, internal auditors, if any, and others"

Paragraph 35

We recommend changing the last bullet to read: "Chief ethics officer or equivalent person or persons charged with the responsibility for dealing with allegations of fraud."

Paragraph 36

The phrase "the auditor uses professional judgment in deciding when it is necessary to corroborate responses to enquiries" appears to leave open the possibility that an auditor can accept such responses without corroboration in some cases. We believe this is the wrong message. It is possible that such a response will correspond with other evidence already obtained by the auditor so that no further corroborating evidence will be required.
However, this does not mean that responses from management can be accepted without corroboration. This (perhaps unintended) problem can be remedied by amending the second sentence as follows: "Therefore, the auditor needs to have or to obtain corroborating evidence for responses to such enquiries."

Paragraphs 42 to 46

Indications that fraud risk factors are present should be considered not only when obtaining an understanding of the entity, as implied in paragraph 42 and related following paragraphs. Although identification of fraud risk factors is covered in certain aspects of the audit (see paragraphs 47, 49 and 77), it may be preferable to add the phrase "and throughout the audit" into paragraph 42 and relevant places in 43 to 46.

Although fraud risk factors are said to be examples, paragraph 45 should be strengthened to make it clear that the auditor is responsible for identifying risk factors whether or not they are on the list. Wording such as the following could be added after the penultimate sentence: "Also, the auditor needs to be alert for risk factors specific to the entity that are not included in the examples in Appendix 1."

Paragraph 47

Although probably not intended, this paragraph can be interpreted to mean that analytical procedures are used to understand internal control, which is not usually the case. The phrase "including its internal control" should be deleted.

Paragraph 47 requires the performance of analytical procedures with the objective of identifying unusual or unexpected relationships that may identify a risk of material misstatement due to fraud. The way it is worded, paragraph 47 requires auditors to actively seek unusual or unexpected relationships in all areas of the audit. On the other hand, SAS99 (with the exception of paragraph 29 re analytical procedures relating to revenue recognition) only requires the auditor to consider whether analytical procedures performed as substantive procedures, or in the overall review stage of the audit, indicate a previously unrecognized risk of material misstatement due to fraud (see SAS99 paragraph 69). We believe that the ED therefore goes beyond SAS99 in this respect. We also believe that the final ISA should limit the auditor's responsibilities to be consistent with SAS99 and paragraph 47 should reflect the guidance in SAS99 paragraph 69.

Paragraph 52

The term "fraud risks" used in (a), (b) and (c) is problematical because the term is unclear (see general editorial comment below). The simple solution is to remove the word "fraud" from each of these sub-points.
Paragraph 54

This paragraph belongs more appropriately in the section dealing with the auditor's enquiries of management when obtaining an understanding of the entity and its environment (paragraphs 29-31). The two requirements in paragraph 54 are important and should be in bold text. Therefore, they could be incorporated as extra items (c) and (d) in paragraph 29.

The first sentence of paragraph 54 states that the auditor enquires about whether management has reported to those charged with governance how the entity's internal control serves to prevent or detect material misstatements due to fraud. We believe there should be a corresponding requirement for the auditor to enquire of those charged with governance concerning what management has reported to them in this respect (i.e., corroborating evidence). This could appear in, or in a paragraph after, paragraph 39.

Paragraph 62

Elements of unpredictability should always (not "ordinarily") be incorporated into audit procedures. We suggest that the word "ordinarily" be dropped from this paragraph.

Consideration should be given to amending paragraph 55 to specifically refer to the need for unpredictable procedures. This could be done by adding the following new sentence at the end of the paragraph: "The auditor should incorporate an element of unpredictability into such procedures."

Paragraphs 71 to 74

Consideration should be given to including a requirement to perform audit procedures on executive compensation and travel and other reimbursed expenses with a view to assessing the risk that they are fraudulent. This requirement is of particular importance with respect to audits of public entities.

Consideration might be given to incorporating into 74(b) the last sentence in SAS.99 paragraph 64.

Paragraph 75

The second sentence should begin "For example...". There are reasons other than earnings management that might cause management to insert bias into financial reporting.

Paragraph 76

At the end of the first sentence, we suggest adding "and other information obtained during the audit."

Paragraph 83

The requirement in 83(c)(iii) that management represent that, for fraud involving others, they have disclosed only fraud that could have a material effect on the financial statements is too high a threshold. Many frauds that concern the auditor would not have a material impact on the financial statements. At the very least, the threshold should be non-trivial. However, there are advantages to having management report even trivial frauds that they are aware of so that the auditor can make the decision whether or not they are of concern.
Paragraph 100

SAS99 paragraph 83 requires the auditor to document the reasons for the auditor's conclusion if the auditor has not identified, in a particular circumstance, improper revenue recognition as a risk of material misstatement due to fraud. We believe this should be a requirement in paragraph 100. There may also be a need to refer to paragraph 67.
Appendix 1

Under Incentives/Pressures, item two, we recommend adding an additional factor that has been significant in several problem cases: "Control has changed, especially when the price paid by new management appears, in hindsight, to have been too high."

We hope our comments will be helpful to the IAASB in completing this standard. If you have questions about any of the points raised or require additional information, please contact Eric Turner at (416) 204-3240.

Yours very truly,

Peter Gregory, CA
Chair, Auditing and Assurance Standards Board

cc: Auditing and Assurance Standards Board Members
L.D. Esdon, FCA
L.D. Desautels, FCA
Appendix - Editorial comments

General

There are inconsistencies in phraseology that could be corrected. Examples noted are: the use of "risk of material misstatements" (e.g., paragraph 3), "risks of material misstatement" (e.g., paragraphs 51, 52 and 55), and "risks of material misstatements" (paragraph 33) and "fraud risks" (see paragraphs 52 and 100) and "fraud risk factors". Appendix 1 refers to "Risk factors related to misstatements", and SAS99 refers to "specific risks of material misstatement due to fraud", either of which might be preferable phraseology generally and in paragraph 100. The solution in paragraph 52 is to eliminate the word "fraud", as suggested above.

Paragraph 3

The language in the first sentence in paragraph.03 of SAS.99 might usefully be added to paragraph 3 in the proposed ISA.

Paragraph 22

Since enquiries are not audit evidence, but a means of obtaining audit evidence, we suggest the beginning of the last sentence read "When making enquiries and performing other audit procedures...."

Paragraph 25

In the second bullet, we suggest "A consideration of practices that might be followed by management...."

Paragraph 29

The heading in front of paragraph 29 should be in front of paragraph 37. If a heading is needed in front of paragraph 29 it should refer to enquiries of management and others.

Paragraph 69

Clarity would be significantly improved if a heading were inserted in front of this paragraph: "Audit Procedures Responsive to the Risk of Management Override of Controls." Then the procedures required in paragraphs 70 through 76 have a logical header. A similar level subheading may also be appropriate in front of paragraph 67.