Exposure Draft The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements


Chartered Accountants of Canada
Comptables agréés du Canada

The Canadian Institute of Chartered Accountants
277 Wellington Street West
Toronto, Ontario Canada M5V 3H2
Tel: (416) 977-3222 Fax: (416) 977-8585
http://www.cica.ca

L'Institut Canadien des Comptables Agréés
277, rue Wellington ouest
Toronto, Ontario Canada M5V 3H2
Tél: (416) 977-3222 Fax: (416) 977-8585
http://www.cica.ca

Mr. J.M. Sylph, FCA
Technical Director
International Auditing and Assurance Standards Board
545 Fifth Avenue, 14th Floor
New York, New York 10017 USA

Dear Mr. Sylph:

Re: Exposure Draft The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements

The Auditing and Assurance Standards Board (AASB) is pleased to respond to the above Exposure Draft and strongly supports the proposed standard, subject to the undernoted comments and recommended changes. We believe that these comments and changes are consistent with the substance of the proposed standard and would result in important improvements that merit your consideration. The comments and recommendations result from the deliberations of the AASB during the course of the parallel Canadian project, and from comments by respondents to the equivalent Canadian Exposure Draft. We also include as an appendix a number of editorial comments for your consideration.

Significant overall comments

1. Need for additional implementation guidance

There is a need for significant additional guidance on implementation of the proposed ISA. The AICPA has published very extensive additional guidance for SAS99, for example by issuing Fraud Detection in a GAAS Audit: SAS No. 99 Implementation Guide and by including extensive guidance on fraud risk assessment and related techniques, and case studies, on its fraud web site.

Although the ED does not change the auditor's responsibility to detect fraud, because of the importance of this new standard, and the degree of change required in auditor mindset and performance, we strongly urge the IAASB to issue background guidance concurrently with the ISA, or shortly thereafter. IAASB could use the AICPA guidance as a starting point. Such guidance, we believe, is particularly important for auditors of small owner-managed enterprises. Other matters on which guidance would be useful include evaluation of corporate culture and tone at the top.

2. Applicability to audits of small entities

Notwithstanding the reference in several paragraphs to audits of small entities, we believe the particular issues relating to such audits are insufficiently addressed. For example, more guidance would be desirable in or after paragraph 28 and in paragraphs 59 through 70 concerning the limited opportunity in such entities for segregation of duties, the compensating controls exercised by an owner-manager, and the related fraud risk factors.

3. Application of professional scepticism to those charged with governance

We agree that the auditor should maintain an attitude of professional scepticism throughout the audit notwithstanding the auditor's past experience with the entity and the auditor's belief about the honesty and integrity of management and those charged with governance. However, while the ED provides sufficient guidance on the types of procedures the auditor performs when exercising professional scepticism with respect to management, we believe there needs to be more detailed guidance on the types of procedures the auditor performs when exercising professional scepticism with respect to those charged with governance.

4. Concerns associated with taking a procedural approach in this proposed ISA

We agree with the specific procedural requirements in the Exposure Draft (e.g., required procedures concerning revenue recognition, journal entries, inventories, accounting estimates and understanding of the business rationale for significant transactions). However, it must be recognized that, once these standards are finalized, management, aware of the specific procedures the auditor will perform and bent on perpetrating fraud, will presumably take extra care not to do so, for example, by means of a journal entry in a round amount close to the year-end. A risk of having a set of prescribed procedures is that auditors, having performed them, will believe they have done enough. This may not always be the case.

To alleviate this risk, we recommend that the phrase "at a minimum" or "at least" be incorporated into the lead-in to paragraph 70 and suitable wording be inserted immediately after paragraph 70 to state that, notwithstanding the particular methods of perpetrating fraud described in paragraphs 71 to 76, and in paragraph 67 concerning revenue recognition, management may use different methods of perpetrating fraud that would not be detected by any of the procedures contemplated in paragraphs 70 or 68 [1]. There should be a strong statement that auditors should also be alert for evidence of fraud from whatever source and by any method. This will reinforce the basic principle in the standard that the auditor is alert to risks of material misstatement, whether due to revenue recognition, management override of internal controls or some other cause.

[1] More auditing techniques are usefully described in Appendix 2 but they are not all linked to specific methods of perpetrating fraud.

5. Auditor communications to those charged with governance

We are concerned that the requirements for reporting to those charged with governance are, given the current environment, too limited - even less stringent in some respects than existing ISA 240. For example, the matters that are ordinarily communicated as described in existing ISA 240, paragraph 58, are not all included in the Exposure Draft. Whereas the existing requirement is for the auditor to communicate fraud involving all management, the ED paragraph 88 only requires the auditor to communicate fraud involving senior management. [2] Furthermore, existing ISA 240, paragraph 58, requires the communication of misstatements that may cause future financial statements to be misstated. We believe that this requirement should be retained, either in ISA 240 or ISA 260.

We are also concerned that both the ED and SAS99 set too high a threshold before the auditor reports fraud (whether caused by senior management or other employees) to those charged with governance. The requirement in the ED is only for material or possibly material frauds to be reported. We believe that the requirement should be for all non-trivial frauds to be reported.

Accordingly, we believe that paragraph 88 should be amended to read:

    If the auditor has identified any of the following matters, the auditor should communicate them to those charged with governance as soon as practicable:
    a) Questions concerning the competence and integrity of management; [3]
    b) Fraud involving management;
    c) Fraud (whether caused by management or other employees) that results, or may result, in a non-trivial misstatement of the financial statements; and
    d) Matters that may cause future financial statements to be materially misstated.

[2] ISA 260.11 requires the reporting of fraud involving management. We interpret this requirement to mean that the auditor should report all fraud involving management.

[3] i.e., put the last bullet in paragraph 94 into bold.

Specific comments

Paragraph 10

The focus of this paragraph is on earnings management and on frauds that have an impact on net income. It is true that fraudulent financial reporting is often caused in this way; however, mention should also be made of pressures on management to meet financial ratios involving assets and liabilities and therefore the possibility that there are misstatements due to fraud in these areas.

Paragraph 23

Consideration should be given to adding text or a footnote along the lines of footnote 26 of SAS99 which indicates that if the auditor believes that documents may not be authentic he or she should investigate further and consider using the work of a specialist to determine the authenticity.

Paragraph 24

The concept that communication and sharing of information should take place throughout the audit, as described in paragraph 27, is important and should be added to the end of paragraph 24 along the following lines: "The discussions should take place throughout the audit."

Paragraph 25

It is not sufficient for only key members of the engagement team to be involved in the discussion. All members of the audit team make judgments and determinations during the audit, and not just the senior members of the team. Junior members therefore need to hear the discussions of the more senior members to gain an understanding of the risks and related audit approach. Since the word "ordinarily" is already used to qualify the need for team members to be involved, the wording could be: "Ordinarily the discussion involves all members of the engagement team."

Consideration should also be given to incorporating into this paragraph some of the important messages that are set out in SAS99 paragraph 16 regarding how the discussion among the engagement team members reinforces professional scepticism.

Paragraph 26

A sentence should be added at the end of this paragraph along the lines of: "Difficult issues would be discussed if necessary with a professional colleague."

Paragraph 34

If there is an internal audit function, enquiries should be required. At a minimum, the word "ordinarily" should be deleted. Consideration should also be given to amending paragraph 32 to include reference to internal auditors. For example, "The auditor should make enquiries of management, internal auditors, if any, and others"

Paragraph 35

We recommend changing the last bullet to read: "Chief ethics officer or equivalent person or persons charged with the responsibility for dealing with allegations of fraud."

Paragraph 36

The phrase "the auditor uses professional judgment in deciding when it is necessary to corroborate responses to enquiries" appears to leave open the possibility that an auditor can accept such responses without corroboration in some cases. We believe this is the wrong message. It is possible that such a response will correspond with other evidence already obtained by the auditor so that no further corroborating evidence will be required.

However, this does not mean that responses from management can be accepted without corroboration. This (perhaps unintended) problem can be remedied by amending the second sentence as follows: "Therefore, the auditor needs to have or to obtain corroborating evidence for responses to such enquiries."

Paragraph 42 to 46

Indications that fraud risk factors are present should be considered not only when obtaining an understanding of the entity, as implied in paragraph 42 and related following paragraphs. Although identification of fraud risk factors is covered in certain aspects of the audit (see paragraphs 47, 49 and 77), it may be preferable to add the phrase "and throughout the audit" into paragraph 42 and relevant places in 43 to 46.

Although fraud risk factors are said to be examples, paragraph 45 should be strengthened to make it clear that the auditor is responsible for identifying risk factors whether or not they are on the list. Wording such as the following could be added after the penultimate sentence: "Also, the auditor needs to be alert for risk factors specific to the entity that are not included in the examples in Appendix 1."

Paragraph 47

Although probably not intended, this paragraph can be interpreted to mean that analytical procedures are used to understand internal control, which is not usually the case. The phrase "including its internal control" should be deleted.

Paragraph 47 requires the performance of analytical procedures with the objective of identifying unusual or unexpected relationships that may identify a risk of material misstatement due to fraud. The way it is worded, paragraph 47 requires auditors to actively seek unusual or unexpected relationships in all areas of the audit. On the other hand, SAS99 (with the exception of paragraph 29 re analytical procedures relating to revenue recognition) only requires the auditor to consider whether analytical procedures performed as substantive procedures, or in the overall review stage of the audit, indicate a previously unrecognized risk of material misstatement due to fraud (see SAS99 paragraph 69). We believe that the ED therefore goes beyond SAS99 in this respect. We also believe that the final ISA should limit the auditor's responsibilities to be consistent with SAS99 and paragraph 47 should reflect the guidance in SAS99 paragraph 69.

Paragraph 52

The term "fraud risks" used in (a), (b) and (c) is problematical because the term is unclear (see general editorial comment below). The simple solution is to remove the word "fraud" from each of these sub-points.

Paragraph 54

This paragraph belongs more appropriately in the section dealing with the auditor's enquiries of management when obtaining an understanding of the entity and its environment (paragraphs 29-31). The two requirements in paragraph 54 are important and should be in bold text. Therefore, they could be incorporated as extra items (c) and (d) in paragraph 29.

The first sentence of paragraph 54 states that the auditor enquires about whether management has reported to those charged with governance how the entity's internal control serves to prevent or detect material misstatements due to fraud. We believe there should be a corresponding requirement for the auditor to enquire of those charged with governance concerning what management has reported to them in this respect (i.e., corroborating evidence). This could appear in, or in a paragraph after, paragraph 39.

Paragraph 62

Elements of unpredictability should always (not "ordinarily") be incorporated into audit procedures. We suggest that the word "ordinarily" be dropped from this paragraph.

Consideration should be given to amending paragraph 55 to specifically refer to the need for unpredictable procedures. This could be done by adding the following new sentence at the end of the paragraph: "The auditor should incorporate an element of unpredictability into such procedures."

Paragraphs 71 to 74

Consideration should be given to including a requirement to perform audit procedures on executive compensation and travel and other reimbursed expenses with a view to assessing the risk that they are fraudulent. This requirement is of particular importance with respect to audits of public entities.

Consideration might be given to incorporating into 74(b) the last sentence in SAS99 paragraph 64.

Paragraph 75

The second sentence should begin "For example....". There are reasons other than earnings management that might cause management to insert bias into financial reporting.

Paragraph 76

At the end of the first sentence, we suggest adding "and other information obtained during the audit."

Paragraph 83

The requirement in 83(c)(iii) that management represent that, for fraud involving others, they have disclosed only fraud that could have a material effect on the financial statements is too high a threshold. Many frauds that concern the auditor would not have a material impact on the financial statements. At the very least, the threshold should be non-trivial. However, there are advantages to having management report even trivial frauds that they are aware of so that the auditor can make the decision whether or not they are of concern.

Paragraph 100

SAS99 paragraph 83 requires the auditor to document the reasons for the auditor's conclusion if the auditor has not identified, in a particular circumstance, improper revenue recognition as a risk of material misstatement due to fraud. We believe this should be a requirement in paragraph 100. There may also be a need to refer to paragraph 67.

Appendix 1

Under Incentives/Pressures, item two, we recommend adding an additional factor that has been significant in several problem cases: "Control has changed, especially when the price paid by new management appears, in hindsight, to have been too high."

We hope our comments will be helpful to the IAASB in completing this standard. If you have questions about any of the points raised or require additional information, please contact Eric Turner at (416) 204-3240.

Yours very truly,

Peter Gregory, CA
Chair, Auditing and Assurance Standards Board

cc: Auditing and Assurance Standards Board Members
L.D. Esdon, FCA
L.D. Desautels, FCA

Appendix - Editorial comments

General

There are inconsistencies in phraseology that could be corrected. Examples noted are: the use of "risk of material misstatements" (e.g., paragraph 3), "risks of material misstatement" (e.g., paragraphs 51, 52 and 55), and "risks of material misstatements" (paragraph 33) and "fraud risks" (see paragraphs 52 and 100) and "fraud risk factors". Appendix 1 refers to "Risk factors related to misstatements", and SAS99 refers to "specific risks of material misstatement due to fraud", either of which might be preferable phraseology generally and in paragraph 100. The solution in paragraph 52 is to eliminate the word "fraud", as suggested above.

Paragraph 3

The language in the first sentence in paragraph .03 of SAS99 might usefully be added to paragraph 3 in the proposed ISA.

Paragraph 22

Since enquiries are not audit evidence, but a means of obtaining audit evidence, we suggest the beginning of the last sentence read "When making enquiries and performing other audit procedures....".

Paragraph 25

In the second bullet, we suggest "A consideration of practices that might be followed by management....".

Paragraph 29

The heading in front of paragraph 29 should be in front of paragraph 37. If a heading is needed in front of paragraph 29 it should refer to enquiries of management and others.

Paragraph 69

Clarity would be significantly improved if a heading were inserted in front of this paragraph: "Audit Procedures Responsive to the Risk of Management Override of Controls." Then the procedures required in paragraphs 70 through 76 have a logical header. A similar level subheading may also be appropriate in front of paragraph 67.