Only 3% of fraud is identified by an auditor, according to the Association of Certified Fraud Examiners' 2024 Occupational Fraud Report. This is lower than the 5% of frauds discovered by 'accident' and lower than those identified by management, tip off (whistleblowing) or internal audit. While the audit team is commonly the last line of defence – only detecting frauds not identified through other means – most would agree that this percentage is lower than might be expected.
The UK version of the International Standards on Auditing (ISAs) covering fraud ISA (UK) 240 was revised in 2021 and provided further requirements for the auditor in this area. A revised version of the international version of ISA (UK) 240 used by much of the rest of the world was recently out for consultation and the International Auditing and Assurance Standards Board (IAASB) is now considering responses to its exposure draft.
The revised version of ISA (UK) 240 in the UK was introduced for periods commencing on or after 25 December 2021 and has now been in operation for two year-end audit cycles for most entities. This revision introduced new requirements focused on assisting auditors considering the risk of fraud and their ability to spot it. One of the key new areas of guidance is the inclusion of references to the use of specialists.
Where an auditor identifies fraud or a suspicion of fraud, there is comparatively far less guidance in the revised UK standard. The key new requirement is set out at paragraph 34-1: “If the auditor identifies a misstatement due to fraud or suspected fraud, the auditor shall determine whether specialised skills or knowledge are needed to investigate further for the purposes of the audit.”
The new standard is therefore pushing an auditor to consider the need to involve specialists, such as a forensic accountant, as part of the audit team on the assignment. As a result, new structures are being adopted by firms to ensure audit teams have access to the relevant specialist skills. With most auditors not familiar with dealing with entities where a fraud or suspected fraud has occurred, forensic accountants can assist by bringing in a forensic mindset. This will help the audit team to consider the adequacy and sufficiency of investigations, and the assessment of the wider implications of the identified issues.
ISA (UK) 240 doesn't provide specific metrics for determining under which scenarios the audit team should include specialist skills. However, given that the identification of fraud or suspected fraud generates significant audit risk, where there are indications that the impact might be material to the entity, auditors will have the regulatory landscape in mind. This expects instances of fraud or suspected fraud to be taken sufficiently seriously and, as a result, specialists are likely to be brought into the audit team in these circumstances.
In relation to Public Interest Entities, paragraph 41R-1 of ISA (UK) 240 requires that “For audits of financial statements of public interest entities, when an auditor suspects or has reasonable grounds to suspect that irregularities, including fraud with regard to the financial statements of the entity, may occur or has occurred, the auditor shall, unless prohibited by law or regulation, inform the entity and invite it to investigate the matter and take appropriate measures to deal with such irregularities and to prevent any recurrence of such irregularities in the future.”
Where the auditor considers that the issues haven't been appropriately investigated, paragraph 43R-1 of ISA (UK) 240 now requires that “the auditor shall inform the authorities responsible for investigating such irregularities”.
We've identified the five most significant challenges relating to implementation of the new requirements of ISA (UK) 240 as follows:
Where evidence provided in the final stages of an audit gives rise to the auditor identifying fraud or suspecting fraud, this causes a major challenge for the auditor and entity, particularly where there are specific reporting dates that are being worked to (such as those of listed companies reporting to the financial markets).
Audit teams need to react quickly to consider the use of specialists and ensure that they have access to the necessary support and expertise in an intensely pressured environment. They also need to engage with the client which may, unless the issue is trivial, appoint its own investigating lawyers and forensic accountants. Audit teams without access to the relevant specialists in their firm will find it more challenging to implement ISA (UK) 240 effectively.
The audited entity and its advisers often don’t have an appreciation of auditing standards and what the auditor needs to achieve, and the steps required to provide the necessary assurance. Their first priority should be to get their auditor comfortable and understand what's needed (and why) to ensure there's no hold up in their financial reporting timetable.
What the client and its advisers consider necessary in respect of investigations of fraud or suspected fraud may not be the same as what the auditor requires to provide sufficient appropriate audit evidence. Management can also fail to appreciate the iterative nature of investigations of fraud with initial findings often leading to further implications that require further consideration. The auditor has to apply significant judgement in deciding in the case of suspected or actual fraud whether they have sufficient appropriate evidence.
Where a fraud or suspected fraud is identified by the auditor, this gives rise to a higher level of audit risk compared to such a matter identified by the entity and effectively broken the lines of defence with the business. On identification of a potential issue, the auditor won't be able to draw comfort from the entity’s systems and controls having identified the issue and hence won't know how broad or deep the potential fraud is. This results in the auditor likely requiring additional evidence in order to get comfortable, including ensuring that the scope of work of any investigation performed is sufficiently broad as to isolate the extent of any potential fraud.
ISA (UK) 240 requires the auditor to evaluate the implications of misstatements arising from fraud. An audit often relies on various representations (whether oral or written) from management as part of the audit evidence. Once the integrity of a member of management is brought into question in a particular area, this may cast doubts on whether the auditor can rely on other information or explanations that individual has provided as part of the audit process.
Furthermore, members of the finance team have access to the financial reporting systems and hence a greater opportunity to make adjustments to the reported results. Evidence presented to the auditor by such individuals likely requires a greater level of re-evaluation. In addition, the more senior the member of management who is impugned, the greater the risk that they used their position to facilitate the identified fraud or an as-yet-unidentified fraud either through: requests to others to perform activities related to the fraud or by concealing or perpetrating it themselves.
Where the approach is direct to an auditor, this provides difficulties for an auditor regarding the appropriate approach and the risk of tipping off. It is also challenging for an auditor to manage the whistleblower's expectations in such circumstances. For example, the issues raised are assessed to be relevant to the audit and the information flow may only be one way (whistleblower to auditor) as there may be a limit on what the auditor can say to the whistleblower on the basis of client confidentiality constraints. In addition, in the private sector, using established internal processes will afford the whistleblower more protection.
Where there is a potential audit negligence claim and there is evidence of fraud, we see the following questions as those that (potential) claimants and defendants will be considering in their assessment of whether audit work complied with the revised ISA (UK) 240:
In matters involving suspected accounting irregularities, black holes, financial misstatements, or alleged accounting or audit malpractice, you need strong technical support from subject matter experts, supported by an experienced team.
Our accounting integrity and conduct specialists combine forensic accounting skills with technical accounting and audit expertise to provide insight on both technical and practical considerations with regards to allegations of accounting irregularities and misconduct.
Sign up to get the latest role, industry or technical updates by email
