ISSUER: EY (Global)
STATUS: Final
Periods ending after 15 Dec 2020
DOCUMENT LOCATION: Global Audit Methodology / Identify and assess risks / FRAUD-RISK: Identify and assess fraud risk [effective for audits of periods ending on or after 15 December 2020]
Purpose
Misstatements in the financial statements can arise from either fraud or error. Risk of material misstatement
due to fraud (“fraud risk”) is a risk that the financial statements are materially misstated as a result of an
intentional act by one or more individuals among management, those charged with governance,
employees, or third parties involving the use of deception to obtain an unjust or illegal advantage.
We identify risks of material misstatement due to fraud and obtain sufficient appropriate audit evidence to
determine whether a material misstatement due to fraud has occurred. All risks of material misstatement due to
fraud are significant risks.
We identify fraud risk factors to assist in identifying fraud risks. Professional skepticism assists us in identifying
fraud risk factors and is crucial in detecting material misstatements due to fraud. Throughout the audit we remain
mindful that a material misstatement due to fraud may exist despite past experience of the honesty and integrity
of management and those charged with governance. We acknowledge that fraud may occur in any entity, at any
time, and may be perpetrated by anyone.
Even a properly planned and performed audit may not detect a material misstatement due to fraud, because of
the:
- Professional judgment involved in identifying and evaluating risks that cause a material misstatement due to fraud and other conditions.
- Difficulty in determining whether misstatements in judgmental areas, such as accounting estimates, are caused by fraud or error.
We may, however, be able to identify potential opportunities for fraud to occur. Therefore, we plan and perform
our audit to obtain reasonable assurance, rather than absolute assurance, that the financial statements are free
of material misstatement due to fraud.
Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an
opportunity to commit fraud.
We identify fraud risk factors by considering the information we obtain throughout the audit, as further described
in FRAUD-RISK 3.
When we identify an indicator of potential fraud or our inquiries suggest the entity’s financial statements may be
susceptible to fraud, we consider these fraud risk factors, together with the specific facts and circumstances, and
determine if there is a risk of material misstatement due to fraud.
We perform the following procedures in response to the presumptive risk of management override of
controls:2
Evaluate the business rationale for significant, unusual transactions outside the normal course of
business - refer to FRAUD-RISK 2.4
Further, as we obtain our understanding of the entity’s related party relationships and transactions, we consider
whether there are any fraud risk factors associated with these transactions and if so, whether they give rise to a
risk of material misstatement due to fraud. Refer to FRAUD-RISK 2.5.
Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (e.g.,
premature revenue recognition or recording fictitious revenues) or an understatement of revenues (e.g.,
improperly shifting revenues to a later period). Therefore, there is a presumption that we will identify a risk of
material misstatement due to fraud relating to revenue recognition.
However, if the revenue processes are non-complex with little subjectivity in meeting revenue recognition
criteria, we may conclude that there is not a risk of material misstatement due to fraud related to revenue
recognition.
If an entity has a single type of revenue transaction (e.g., leasehold revenue from a single unit
rental property), we may conclude that there is no risk of material misstatement due to fraud relating
to revenue recognition because the revenue amount can be predicted with a high degree of
confidence.
If an entity has two types of revenue transactions (e.g., selling a product such as a washing
machine and separately selling maintenance including spare parts) we consider the risk of material
misstatement due to fraud relating to revenue recognition for each type of revenue transaction
separately.
We remain alert to information throughout the audit that may indicate a fraud risk factor is present, including
those related to revenue recognition, and evaluate those factors to determine if they give rise to a risk of material
misstatement due to fraud. Refer to FRAUD-RISK 4 and STRATEGY 2 for further discussion.
EXAMPLE
As we review the correlation between revenue, trade receivables and cash, we consider the
following:
- Does the revenue which does not correlate to trade receivables indicate an unusual or unexpected source of revenue or a revenue recognition adjustment?
- Are any other accounts affected by the correlation journals between revenue and trade receivables expected (e.g., VAT/GST) or an indication of an override in the recognition of revenue?
- Is the conversion of revenue to cash, via trade receivables, aligned with our expectation of the business operations?
When we identify a risk of material misstatement due to fraud relating to revenue recognition, our identification
includes the specific aspects of the revenue account or SCOT that we believe are more susceptible to the risk.
We document how and where we believe the risk of material misstatement due to fraud is more likely to occur.
Typically, it is not helpful to identify a general risk of material misstatement due to fraud related to revenue
recognition. Instead, we specifically identify:
The revenue accounts, and related relevant assertions, that may be affected
For examples of areas to consider when identifying the risks of material misstatement due to fraud relating to
revenue recognition, refer to FRAUD-RESPOND Appendix 1.2.
Refer to FRAUD-RESPOND 5 for guidance on responding to risks of material misstatement due to fraud related
to revenue recognition.
Due to the unpredictable way in which management override could occur, we consider the risk of management
override of controls to be a risk of material misstatement due to fraud, and thus a significant risk. 4
- Recording, or instructing others to record, fictitious journal entries, particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives
- Concealing facts that could affect the amounts recorded in the financial statements
- Engaging in complex transactions that are structured to misrepresent the financial position or financial performance of the entity
We evaluate fraud risk factors related to the risk of management override of controls in the context of the three
conditions generally present when fraud occurs (i.e., incentive/pressure, opportunity and attitude/rationalization),
as described in FRAUD-RISK Appendix 1. The nature, timing and extent of the procedures we design to respond
to the risk of management override is influenced by this consideration. Refer to FRAUD-RESPOND 6.
When an entity must meet loan covenant ratios that are dependent upon earnings, and the current
earnings trend may result in covenant violations, management may be under greater pressure to
achieve certain levels of earnings and has an incentive to manipulate earnings.
Conversely, when an audit of an entity is performed to fulfil statutory filing requirements, with little
interest from third parties, there may be almost no risk that management would have an incentive to
manipulate financial results.
In other entities, there may be a risk of misappropriation of assets which may be concealed through
overriding controls over the processing of transactions or journal entries.
The identification of risks of material misstatement related to the risk of management override allows us to
consider these risks when designing journal entry testing or other procedures to address the risk of management
override of controls. The higher the likelihood of management override of controls, the greater the extent of our
testing. Refer to FRAUD-RESPOND 6.1.5
We document identified risks relating to management override of controls (e.g., manipulation by management of
current assets and liabilities to meet certain loan covenant requirements) as significant risks and our response to
them.
In the unlikely event we do not identify a risk related to the management override of controls at an account or
assertion level, it is not necessary to create a risk of management override of controls to respond to the
presumed risk of management override of controls in EY Canvas. However, we perform the required procedures
to respond to the presumed risks of management override of controls on every audit.
TIP
The “Execute required fraud procedures” task grouping in EY Canvas summarizes these required
audit procedures.
As we determine risks of management override of controls, we consider that these can occur as subledger
transactions that are initiated and recorded or in controls over judgmental areas, such as in the development of
estimates.
Automated processes and controls may reduce the risk of inadvertent error, but do not overcome the risk that
individuals may inappropriately override such automated processes (e.g., by changing the amounts being
automatically posted to the general ledger or to the financial reporting system). When IT is used to transfer
information automatically, there may be little or no visible evidence of such intervention in the information
systems.
There may be a higher risk of management overriding controls over the processing of journal entries and other
adjustments as there may be fewer controls in this area, and management may be able to:
- Direct less senior personnel to process or record a transaction in a way that is outside normal processes and controls
- Manipulate the financial statement close process (FSCP) with the intention to materially misstate the financial statements
EXAMPLE
We filter the list of journal entries obtained from the entity for transactions posted directly by the
CFO at period-end that may indicate the result of management override of controls. We examine
documentation indicating that journal entries are properly supported and approved by management
and adequately reflect the underlying events and transactions.
Journal entries typically result from system entries within the accounting software used, as well as from manual
entries throughout the period, including from the FSCP. As management intervenes more easily in non-complex
entities, such entities may have a higher risk of management override.
We assess management’s incentive and opportunity to override controls over journal entries through
consideration of the following:
- The results of specific inquiries of others related to the processing of journal entries and other adjustments. Refer to FRAUD-RESPOND 6.1.1.
- Our understanding of the types of journal entries that exist within the financial reporting process. Refer to FRAUD-RESPOND 6.1.2.
- Our understanding of the sources of transactions recorded in the general ledger, including journal entries recording transactions from the sub-ledger to the general ledger, and how the general ledger is transformed into the financial statements.
- Our understanding of the transaction processing systems and sub-ledgers (e.g., for the recording of fictitious sales invoices). Refer to SCOTS 2.2.
- Controls that have been implemented over journal entries and other adjustments. Effective controls over the preparation and posting of journal entries and other adjustments may reduce the risk of management override, provided that we have tested the operating effectiveness of the controls. Refer to FSCP 3 and CONTROLS.
Asking the following two questions can guide our assessment and evaluation of and response to management’s
incentive and opportunity to override controls over journal entries:
This question considers the incentive/pressure and attitude/rationalization elements of the fraud triangle
(refer to FRAUD-RISK Appendix 1.2). The answer to this question will define the lens through which we
analyze journal entries and other adjustments and how extensive our procedures are to identify
manipulation of the financial reporting process by recording inappropriate or unauthorized journal entries.
When the results of inquiries have heightened our professional skepticism, or when the presence of fraud
risk factors has highlighted risks of material misstatement at the financial statement level as a whole or
related to specific classes of journal entries or other adjustments, we alter the nature, timing and extent of
our procedures.
Our understanding of the types of journal entries, the sources, and the controls in place allows us to
identify where manipulation in the financial reporting process may occur (e.g., by recording inappropriate or
unauthorized journal entries).
When we design our tests of journal entries, we keep in mind our understanding of where in the financial
reporting process manipulation can occur. This allows us to identify those journal entries that have a higher
risk of material misstatement for further investigation. Refer to FRAUD-RESPOND 6.1.
Internal Use Only
Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 10
2.4 Significant unusual transactions
We identify significant unusual transactions and evaluate the business rationale for these transactions in
response to the risk of management override. 6
Significant unusual transactions are those transactions outside the normal course of business, or that appear
unusual based on our understanding of the entity’s business (e.g., journal entries to record the acquisition of a
building, the issue of new capital or a loan). Unusual transactions do not automatically constitute fraudulent
financial reporting; however, we remain aware that there is a higher risk of material misstatement, whether
through fraud or error, associated with them.
Our identification of significant unusual transactions takes into account information obtained during our risk
assessment procedures and other procedures performed during the audit. 7
EXAMPLE
As we identify significant unusual transactions, we also consider that transactions with related parties are more
likely to be significant unusual transactions. Refer to RPT 1.
Refer to RPT 5 for additional procedures when we have identified significant related party transactions outside
the normal course of business.
Refer to RPT 4.
Refer to FRAUD-RESPOND 7 for a discussion of the response to risks of material misstatement due to fraud
related to related party relationships and transactions.
We obtain information throughout the audit that we use in identifying risks of material misstatement due to
fraud. We remain alert to new information and re-evaluate our conclusions with respect to risks of material
misstatement due to fraud throughout the audit.10
When we identify an indicator of potential fraud or our inquiries suggest the entity’s financial statements may be
susceptible to fraud, we consider these fraud risk factors – together with the specific facts and circumstances –
and determine whether there is a risk of material misstatement due to fraud.
Holding an audit team discussion on the susceptibility of the entity’s financial statements to material
misstatement due to fraud – FRAUD-RISK 3.3
When the results of our risk assessment analytical procedures do not align with our understanding of the
business, current developments in the period under audit or our other expectations, we evaluate whether these
unusual or unexpected relationships, including those related to revenue accounts, indicate a fraud risk factor
that may give rise to a risk of material misstatement due to fraud. 11
We expect that plausible relationships among data exist and continue in the absence of known conditions to the
contrary. It is important to consider the reasons that make relationships plausible because data sometimes
appears to be related when it is not. This may lead to erroneous conclusions. Unexpected relationships may
provide important evidence when appropriately followed up.
EXAMPLE
We may:
Verify the movement in inventories is a result of purchases made through payables and
charges to cost of sales when goods are sold. We can then further link those movements with
changes in revenues on a period by period basis.
The identification and response to risks of material misstatement due to fraud is an iterative process. We remain
alert to information that arises throughout the remaining activities of the audit when identifying risks of material
misstatement due to fraud.
3.2 Make inquiries
We make inquiries of management, those charged with governance, internal audit and others within the entity to
help us identify fraud risk factors that may indicate risks of material misstatement due to fraud. 12
When responses to inquiries of management or those charged with governance are unsatisfactory or
inconsistent with responses received from other members of management or those charged with governance
or other employees of the entity with whom we have made inquiries, we investigate these inconsistencies or
unsatisfactory responses.13
Whenever possible, we make inquiries after we have performed our risk assessment analytical procedures so
that our inquiries consider the information we observed in the entity’s financial information (refer to FRAUD-RISK
3.1).
EXAMPLE
We determine that there is an unusually large increase in revenue activity near quarter ends. We
may inquire of management why this occurs and what they do to address the risk that revenue may
not be recognized in the correct period.
In addition, our inquiries also consider aspects external to the entity, such as external pressures or expectations
of stakeholders.
We make our inquiries in person during the audit’s early planning stages. The inquiries are made by a team
member, generally a manager or above, who has the knowledge and experience to ask appropriate follow-up
questions. Experienced team members (i.e., the audit executives) are generally involved when we inquire of
senior management (e.g., the owner-manager, CFO, CEO or COO) or those charged with governance.
We use our knowledge of the entity and its environment, as well as information from other risk assessment
procedures, together with our professional judgment to determine the nature and extent of our inquiries and the
extent of follow-up questions. 15
Inquiries of management
- Management’s assessment of the risks of material misstatement due to fraud, including the nature, extent and frequency of such assessments
- Management’s process for identifying and responding to risks of fraud in the entity, including programs and controls the entity has established to address risks identified by the entity, or that otherwise prevent, deter and detect fraud, and how senior management monitors those programs and controls
- Any risks of fraud that have been identified by management or brought to management’s attention
- Management’s communication, if any, to those charged with governance (when relevant) regarding its processes for identifying and responding to the risks of fraud
- Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
- Management’s knowledge of any actual or suspected fraud or allegations of fraudulent financial reporting affecting the entity and if so, management’s responses to such allegations or complaints
- For an entity with multiple components or business segments, the nature and extent of monitoring of components or business segments, and whether there are particular components or business segments for which a risk of fraud of the group financial statements may be more likely to exist.
- Whether the entity has entered into any significant unusual transactions and, if so, the nature, terms and business purposes of those transactions and whether such transactions involved related parties (refer to FRAUD-RISK 2.4)
EXAMPLE
Management may obtain knowledge of actual, suspected or alleged fraudulent reporting from a
“whistleblower” or other communications from employees, former employees, analysts, short sellers
or other investors.
We recognize that the risk of material misstatement due to fraud by management (whether fraudulent financial
reporting or misappropriation of assets) increases when management is actively involved in financial aspects of
the business, particularly the initiation, recording and reporting of transactions.
However, it is still appropriate to make inquiries of management regarding its own assessment of the risk of
fraud and the controls in place to prevent, deter and detect it. In some entities, management may make detailed
assessments of the risk of fraud. In other entities, management’s assessment may be less structured and occur
infrequently. The nature, extent and frequency of management’s assessment of the risk of fraud are relevant to
our understanding of the entity’s control environment.
EXAMPLE
The fact that management has not assessed the risk of fraud may indicate the lack of importance it
places on internal control so the risk of fraud increases.
We determine whether new information comes to our attention during our inquiries of management that has an
effect on our assessment of the control environment and its effect on our audit strategy. 17
Unusual or unexpected items identified from the results of risk assessment analytical procedures (refer to
FRAUD-RISK 3.1)
EXAMPLE
Assessment of, and process for, identifying risks of material misstatement due to fraud
- Have you identified risks of material misstatement due to fraud at the entity?
- What is your process for identifying risks, including risks of material misstatement due to fraud?
- Does the entity have any deficiencies in internal control?
- Do you know of instances when controls have been overridden?
- Which accounts, particularly estimates, would be most susceptible to manipulation if someone were inclined to do so?
EXAMPLE
- Do you regularly report to, or discuss with, those charged with governance the entity’s significant risks, including risks of material misstatement due to fraud, that affect the financial statements?
- Have you communicated to those charged with governance your views on how the entity’s internal control serves to prevent, or detect and correct, material misstatements due to fraud? If so, which programs and controls were the focus of this communication?
How they exercise oversight of management’s processes for identifying and responding to risks of fraud
and the controls established by management to address specific risks of fraud the entity has identified, or
that otherwise help prevent, deter and detect fraud. 18
Their views about the risks of fraud and whether they have knowledge of any actual or suspected or
alleged fraud affecting the entity.19
When all of those charged with governance are involved in managing the entity, we do not need to inquire about
how those charged with governance exercise oversight of management’s processes relating to identifying and
responding to risks of fraud.
We also make inquiries of those charged with governance in accordance with the requirements in LAWS+REGS
2.1 and RPT 1.
Our inquiries of those charged with governance are made in part to corroborate the responses to the inquiries of
management. Understanding the oversight and responsibilities of those charged with governance may give
insights into the entity’s susceptibility to management fraud, the adequacy of internal control over risks of fraud,
and the competency and integrity of management.
Internal audit has significant insight into the operations of the business and can provide useful information that
would assist us in identifying risks of material misstatement due to fraud.
EXAMPLE
When there have been changes in controls or policies and procedures in the entity, we may inquire
of internal audit about whether they believe there is an increased risk of fraud as a result of these
changes. In addition, internal audit may be aware of controls that were effective in prior periods but
are weaker in the current period due to changes in circumstances.
Inquiries of others
We make inquiries of others within the entity, as appropriate, to determine whether they have knowledge of
any actual or suspected or alleged fraud affecting the entity. 24
As we confirm our understanding of the SCOTs, we make inquiries of individuals involved in the financial
reporting process about inappropriate or unusual activity relating to the processing of journal entries and other
adjustments.
EXAMPLE
When meeting with an accounting department employee to obtain or update our understanding of
SCOTs and related controls, we may ask if he or she has seen:
Employees involved in correcting incorrect information – about journal entries and authorizing
transactions
Personnel dealing with allegations of fraud – about their knowledge of actual, suspected or
alleged fraud
In-house legal counsel – about litigation; compliance with laws and regulations; knowledge of
actual, suspected or alleged fraud; warranties, post-sales obligations or joint venture
arrangements that may indicate inappropriate activities
We use our professional judgment and experience of the entity or of similar organizations within its industry to
determine who we speak to, and to what extent. In most cases, these inquiries are a natural extension of the
discussions we have during the audit.
To help identify risks of material misstatement due to fraud, we may ask others within the entity, including those
outside of the finance function, the following questions:
EXAMPLE
We evaluate the information we obtained from that discussion to identify fraud risk factors. This discussion
provides an opportunity for engagement executives and the team to:
- Share their insights about how and where the financial statements may be susceptible to material misstatement due to fraud
- Focus on how to perform the audit with a heightened level of professional skepticism
In addition to the risk assessment analytical procedures (refer to FRAUD-RISK 3.1), the other procedures we
perform to understand the entity’s business may lead to identification of fraud risk factors. Refer to UTB.
Our understanding of the entity’s business model, and how it is affected by its business strategy and business
objectives, may assist us in identifying business risks that are relevant in identifying risks of material
misstatement due to both fraud and error.
EXAMPLE
As we obtain our understanding of SCOTs, we may identify fraud risk factors such as:
- Inappropriate use of IT
- Overly complex SCOTs that may hide inappropriate transactions or incorrect accounting under the appropriate financial reporting framework
- Poorly designed SCOTs that lead to significant manual intervention and therefore may give rise to a higher risk of fraudulent activity
As we obtain our understanding of the SCOTs, we also obtain an understanding of the types of journal entries
that exist within the financial reporting process, as described in FRAUD-RESPOND 6.1.2.
Procedures Reference
If a fraud risk factor has a higher likelihood of occurrence and a higher magnitude of potential misstatement, we
identify it as a risk of material misstatement due to fraud.
Identifying risks of material misstatement due to fraud is not just about reviewing a checklist of risk factors. Fraud
risk factors may be present at the entity, yet due to the circumstances and nature of its business these may not
result in risks of material misstatement due to fraud.
Further, a fraud does not have to have occurred for a risk of material misstatement due to fraud to exist.
Therefore, we challenge our assessment of the potential risk of material misstatement due to fraud and our
response each period.
We may identify lack of independent oversight over the financial reporting process as a fraud risk
factor in both a more complex entity and a less complex entity.
Lack of effective oversight by those charged with governance or an ineffective internal audit function
in a more complex entity is likely to be a cause for concern that inappropriate or unauthorized
transactions may go undetected. We may identify this as a risk of material misstatement due to
fraud.
In a less complex entity, we may not identify lack of independent oversight over the financial
reporting process as a risk of material misstatement due to fraud because of management’s
extensive involvement in the entity, the need for management authorization of transactions and the
limited number of transactions.
We consider the information we have obtained to identify fraud risk factors to determine if conditions indicate
risks of material misstatement due to fraud.
In assessing whether a condition represents a risk of material misstatement due to fraud or just a fraud risk
factor, we consider the ‘likelihood’ of one or more misstatements, and their potential ‘magnitude’ if the condition
occurred.
The likelihood is the possibility that the condition can occur. We evaluate this in the context of the fraud triangle
(i.e., we consider whether there is an incentive or pressure to commit fraud, an opportunity to do so and whether
individuals can rationalize a fraudulent act).
EXAMPLE
A jewelry manufacturer has numerous small inventory items with a high monetary value. The
characteristics of the items make them more susceptible to misappropriation. Consequently, we
may determine that there is a higher likelihood of misstatement of inventory. In addition, the
potential magnitude of the misstatement is higher due to the monetary value of the items.
Therefore, we may identify a risk of material misstatement due to fraud.
If a condition is either likely to occur or has a higher magnitude of misstatement but not both, we may not identify
a risk of material misstatement due to fraud. However, we may identify a fraud risk factor that needs to be
evaluated in combination with other identified fraud risk factors.
When we determine that fraud risk factors give rise to risks of material misstatement due to fraud, we document
the risk in sufficient detail so that it is clear what the risk is and how it affects the financial statements. When our
rationale for determining a risk of material misstatement due to fraud is not obvious, we document any significant
judgments made in their identification. Refer to FRAUD-RISK 5.
Risks of material misstatement due to fraud at the financial statement level refer to risks that relate pervasively
to the financial statements as a whole and potentially affect many assertions. Risks of this nature are not
necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure
level. Rather, they represent circumstances that may increase the risks of material misstatement at the financial
statements level (e.g., through management override of internal control). Risks of material misstatement at the
EXAMPLE
Risks at the financial statement level may occur from a deficient control environment (although
these risks may also relate to other factors, such as declining economic conditions). For example,
deficiencies such as management’s lack of communication to employees regarding its views on
ethical behavior and proper business practices may indicate to employees that management is not
conscious about fraud and create opportunities for fraud to be perpetrated. Such conditions have a
more pervasive effect on the financial statements and may require an overall response.
When a risk of material misstatement due to fraud is considered pervasive to the financial statements as a
whole, we also determine if we can relate the risk to specific account balances where we believe a potential
material misstatement is likely to arise in order to design a specific response, as described in FRAUD-RESPOND 4.
When the risk cannot be related to a specific account balance, we determine an overall response,
as described in FRAUD-RESPOND 3.
When a risk of material misstatement due to fraud relates to a particular account assertion, disclosure, or
significant class of transactions, we describe the specific aspect of the account assertion, disclosure, or SCOT
that is affected by the risk.
For each identified risk of material misstatement due to fraud, we consider how management could perpetrate
and conceal fraudulent financial reporting or how assets of the entity could be misappropriated.
EXAMPLE
A control environment that supports the prevention, or detection and correction, of material misstatements
relevant to financial reporting is not an absolute deterrent to fraud, but it may help reduce some risk of fraud,
giving us more confidence in internal control and the reliability of audit evidence. However, the risk of
management override of controls is present in all entities and an effective control environment, although
important, does not eliminate this risk. Additionally, negative factors within the control environment may
undermine the effectiveness of controls and create more risks of material misstatement due to fraud. We
describe in detail the risks of material misstatement due to fraud. If our concerns relate to specific elements or
Internal Use Only
Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 29
components of an account (e.g., certain management’s assumptions used in the determination of an estimate or
elements of a revenue stream at an entity that has multiple revenue streams), then our identification and
documentation of the risk of material misstatement due to fraud articulates those specific elements or
components.
Account assertions affected by a risk of material misstatement due to fraud have a higher inherent risk
assessment, which directly affects the nature, timing and extent of our audit procedures. As a result, it is
important that we effectively articulate each risk of material misstatement due to fraud and associate it only to
those assertions that are affected so that we can design audit procedures responsive to the fraud risks identified.
We document risks of material misstatement due to fraud in appropriate detail in order to:
Facilitate effective communication among the members of the audit team, which helps the team apply
appropriate professional skepticism
Focus audit efforts on specific areas of the financial statements or the entity’s internal controls over
financial reporting when we believe a risk of material misstatement due to fraud exists
Avoid inadvertent communication among the audit team of additional risks of material misstatement due to
fraud
In some entities, management may view the business as an extension of its own personal resources and may
not perceive their actions as fraudulent. However, when an entity is incorporated to conduct a business, other
interested parties (e.g., tax authorities or third-party creditors) expect operating results to fairly reflect the
conduct of the business, without management’s personal use of its resources. We therefore consider the risks of
material misstatement due to fraud involving management, whether performed directly by them or under their
direction.
Payments to family members or close friends when no service has been rendered
Entering into transactions at other than an arm’s length basis with related parties
EXAMPLE
Risks of material misstatement due to fraud related to fraudulent financial reporting involving
management include:
Fraudulent tax declarations, including VAT (sales tax) and income tax
These examples are more likely to occur in non-complex entities when management may have more opportunity
to commit fraud. As well as considering management’s attitude and potential to rationalize fraud, we also assess
any pressures and incentives to commit fraud.
The existence of related parties with dominant influence over the entity and its management could
result in a risk of a material misstatement due to fraud being identified.
Our consideration of risks of material misstatement due to fraud involving employees in a non-complex entity is
similar to that for other entities.
In non-complex entities, the most likely risks of material misstatement due to fraud involving employees relate to
misappropriation of assets, especially where products are small and valuable. Due to management’s direct
involvement in operations, we may conclude there is little opportunity for fraud involving employees to occur, or
that it is unlikely to cause a material misstatement of the financial statements.
Refer to FRAUD-RISK Appendix 3 for further examples of circumstances that may be indicative of fraud and
FRAUD-RISK Appendix 1.2 for example fraud risk factors.
6 Communication requirements
We communicate the risks of material misstatement due to fraud to those charged with governance as part of
our communication of significant risks that we have identified (refer to COMMS 3.1).33
When we have identified significant deficiencies (or material weaknesses if required to be communicated in the
jurisdiction) in internal control related to the prevention or detection of fraud, we communicate these significant
deficiencies (or material weaknesses) to those charged with governance and when appropriate, to
management (refer to COMMS 3.4).35
When we identify or suspect fraud, we communicate these matters to management and those charged with
governance as appropriate (refer to COMMS 3.6 for further requirements and guidance on communication
regarding fraud).36
Documentation
The procedures performed to obtain the necessary information to identify risks of material misstatement
due to fraud. This includes details of the sources of the information obtained, such as data analytics, of
whom we made inquiries and documents examined.37
The fraud risk factors (i.e., those events or conditions that indicate an incentive or pressure to commit
fraud or provide an opportunity to commit fraud).38
The risks of material misstatement due to fraud at the assertion level and risks of material misstatement
due to fraud at the financial statement level, including any significant judgements made in their
identification (refer to STRATEGY Documentation)39
The specific risks relating to management override of controls, including when relevant, the information
that led us to determine that the likelihood of management override of controls is higher.40
If we have not identified a risk of material misstatement due to fraud relating to revenue recognition, the
reasons supporting this conclusion.41
For each identified risk of material misstatement due to fraud:
How and where the fraud could occur, in sufficient detail, to be clear as to the potential effect on the
financial statements.42
The controls related to each identified risk of material misstatement due to fraud.43
Documenting sufficient detail of how and where fraud could occur addresses all aspects of the affected accounts
including the assertions affected by the risk, and includes:
How the entity’s financial statements might be susceptible to material misstatement due to fraud
Our documentation is sufficiently robust to be clear about which assertions are affected and that our
considerations of the risk of material misstatement due to fraud are complete.
Enablement
Refer to the following EY Atlas auditing topic page for additional enablement, including forms, and external
standards related to this EY GAM topic:
Fraud
Degree of collusion
Fraud is a broad legal concept; our interest relates specifically to fraudulent acts that cause a material
misstatement in the financial statements.
2. Misappropriation of assets
As we gather information to identify risks of material misstatement due to fraud, we consider both types of fraud.
EXAMPLE
Stealing physical assets or intellectual property (e.g., taking inventory for personal use or for
sale, stealing scrap for resale, colluding with a competitor by disclosing technological data for
payment)
Causing an entity to pay for goods and services not received (e.g., payments to fictitious
vendors or employees, kickbacks from vendors to the entity’s purchasing agents in return for
inflating prices)
Using an entity’s assets for personal use (e.g., using them as collateral for a personal loan or
a loan to a related party)
Misappropriation of assets may be accompanied by false or misleading records or documents and may involve
one or more people among management, employees or third parties.
Falsified documentation
Collusion among management, employees or third parties
EXAMPLE
Through collusion, we may receive false evidence that control activities have been performed
effectively, or we may receive false confirmation from a third party in collusion with management.
Although fraud is concealed and management’s intent is difficult to determine, certain conditions may alert us to
the possibility of fraud.
EXAMPLE
An important contract may be missing, a sub-ledger may not be satisfactorily reconciled to its
control account, or the results of an analytical procedure may not be consistent with expectations.
TIP
Management of a non-complex entity may have a greater incentive to manage earnings as this has
a more direct personal benefit and have more opportunity to influence the recording of transactions
to achieve this.
Certain risk factors related to misstatements arising from fraudulent financial reporting may also be present with
those arising from misappropriation of assets.
Below are examples of risk factors relating to each of the three conditions generally present when material
misstatement due to fraud occurs.
EXAMPLE
Inadequate recordkeeping of assets
EXAMPLE
As exhibited by:
Domineering management behavior, especially attempts to influence the scope of our work or
the selection of audit personnel
In some cases, those perpetrating fraud do not directly benefit but may have a misguided belief that it benefits
others.
Although risk of material misstatement due to fraud may be greatest when the three fraud conditions are evident,
we cannot assume that inability to observe all three conditions means there is no risk.
Certain assertions, accounts and classes of transactions that have higher inherent risk, because they involve a
high degree of management judgment and subjectivity, may present risks of material misstatement due to fraud
because they are susceptible to (conscious or unconscious) management manipulation.
EXAMPLE
Restructuring liabilities may be deemed to have higher inherent risk because of the subjectivity and
management judgment in their estimation. Similarly, revenues for software developers may be
deemed to have higher inherent risk because of the subjectivity in recognizing and measuring
software revenue transactions.
The organizational structure and operating environment, particularly the monitoring of remote locations
Management’s involvement in overseeing employees with access to cash, or other assets susceptible to
misappropriation
The complexity of transaction processing, including the extent of use of IT and the possibility for
management override of automated controls
The nature and extent of management involvement in setting accounting policies, developing significant
accounting estimates and preparing financial statements
Significant pressures on management to meet expected earnings or operating targets, and how such
pressures affect financial and accounting personnel
Significant accounts and disclosures or relevant assertions we have assessed, or are likely to assess, as
‘higher’ inherent risk because they involve a high degree of management judgment and subjectivity, which
(in certain circumstances) could lead to inappropriate earnings management
Incorporating an element of unpredictability into the nature, timing and extent of audit procedures
Selecting audit procedures to respond to the susceptibility of the entity’s financial statements to material
misstatement due to fraud, and whether certain procedures are more effective than others
The nature of significant transactions outside the normal course of business including those with related
parties
The nature and extent of the entity’s related party relationships and transactions
The importance of maintaining professional skepticism throughout the audit when considering related
party relationships and transactions
Conditions that may indicate related party relationships or transactions that management has not
identified or disclosed (i.e., a complex organizational structure, use of special-purpose entities for
off-balance sheet transactions, or an inadequate information system)
The importance management and those charged with governance attach to identifying, accounting
for and disclosing related party relationships and transactions, and the related risk of management
override of controls over related party transactions
Transactions between the entity and a known business partner of a key management member
could be arranged to misappropriate entity assets
Circumstances that may indicate earnings management, and practices followed by management to
manage earnings, that could lead to fraudulent financial reporting
Have we considered how and where the entity’s financial statements (including the individual statements
and disclosures) contain a risk of material misstatement due to fraud from the entity’s perspective?
Have we considered how management could present disclosures to obscure a proper understanding of the
matters disclosed (e.g., by including too much immaterial information or using unclear or ambiguous
language)?
Have we appropriately considered the known external and internal fraud risk factors affecting the entity that
create conditions of fraud (incentive/pressure, opportunity and rationale)? Have we considered the risk of
management override of controls? If so, do our identified risks of fraud clearly articulate our concerns on
the specific actions that management could take?
What matters were identified in our client and engagement acceptance and continuance process that
indicate a risk of material misstatement due to fraud?
How may fraud occur in significant accounts where inherent risk has been previously assessed as higher
or is likely to be assessed as such this period (e.g., revenue recognition at a software company)?
Have we encountered recurring misstatements (either uncorrected or corrected) for certain accounts in
previous audits that may indicate a risk of material misstatement due to fraud (e.g., related to significant
estimates that may indicate management bias or earnings management)?
In what areas did we identify exceptions in our testing of controls or substantive procedures? Do any of the
exceptions indicate the possibility of management override?
In what areas did we encounter numerous reconciling items or significant, unexplained reconciling items or
adjustments?
In previous audits, were there areas where management had little or incomplete documentation to support
its conclusions?
What provisions in executive compensation plans – including key clauses in employment contracts for
specific executives – may create incentives or pressures to misstate the financial statements?
How aggressive were previous forecasts? What controls are in place related to forecasts?
Has management been domineering in dealing with us, exerted undue pressure to accept a certain
accounting treatment, or imposed unreasonable deadlines for completing the audit?
Are any types of transactions within a single class (e.g., purchase, sales, and payroll) initiated, recorded,
processed, reported or had incorrect information corrected differently than others in that class? If so, why?
What areas of the financial statement close process (including eliminating entries and other adjustments)
may be more susceptible to management override?
Which of the entity’s operating entities receive little oversight and analysis from management? Do any
locations consistently meet budgets and forecasts with unrealistic precision?
What is the business purpose for non-operating entities (e.g., other tax or legal entities that have no sales
but may affect earnings)?
What types of related party transactions does the entity enter into? What is the underlying business
purpose for these transactions?
Have we had indications from employees that management has asked or directed them to record a
transaction outside normal processing procedures or to make an unusual journal entry? Have employees
expressed discomfort about the entity’s selection and application of accounting policies or accounting for
certain transactions?
In what ways could management originate and post inappropriate journal entries or other adjustments?
Has management been reluctant to implement our recommendations for improving internal control? Are
there indications that management is not paying appropriate attention to internal control (including IT
controls), particularly for high-growth businesses or those with frequent mergers or acquisitions? Has
management implemented appropriate physical safeguards over assets that may be easily stolen?
If you were management, what impression would you want to make on third parties and how might you
manipulate the financial statements to do so?
If someone in a position of authority at the entity wanted to commit fraud, what would be the easiest way to
do it?
What assets does the entity have that would have value to employees or be sold easily on the street?
If you were the entity’s financial controller, how could you embezzle funds and not get caught?
If you worked on the loading dock, how could you steal inventory?
Transactions not recorded in a complete or timely manner, or incorrectly recorded with respect to
amount, accounting period, classification or entity policy
Evidence of employee access to systems and records inconsistent with that necessary to perform
authorized duties
Missing documents
Unavailable or missing electronic evidence, inconsistent with the entity’s record retention practices or
policies
No available evidence of key systems development and program-change testing and implementation
activities for current period system changes and deployments
Unusual balance sheet changes or changes in trends or important financial statement ratios or
relationships
Large numbers of credit entries and other adjustments made to accounts receivable records
Missing or nonexistent cancelled checks in circumstances in which cancelled checks are ordinarily
returned to the entity with the bank statement
Fewer responses to confirmation requests than anticipated or a greater number of responses than
anticipated
Denied access to records, facilities, certain employees, customers, vendors or others from whom we
may seek audit evidence
Management complaints about the conduct of the audit or management intimidation of audit team
members
Unwillingness to allow access to key electronic files for testing through automated techniques
Management's unwillingness to add or revise disclosures in the financial statements to make them
more complete and transparent
Accounting policies that appear inconsistent with industry practices that are widely recognized and
prevalent
Frequent changes in accounting estimates that do not appear to result from changing circumstances
While the preceding factors may indicate fraud, they may not be due to fraud. Documents may be legitimately
lost, the general ledger may be out of balance because of an unintentional accounting error and unexpected
analytical relationships may be due to unrecognized changes in underlying economic factors. Even reports of
alleged fraud may not be reliable because an employee or outsider may be mistaken or motivated to make a
false allegation.
Footnotes
1 ISA 240.24, AICPA AU-C 240.24, AICPA AU-C 315.09, PCAOB AS 2110.65
5 PCAOB AS 2305.10
12 PCAOB AS 2110.54
15 PCAOB AS 2110.55
16 EY Policy, ISA 240.17, ISA 240.18, ISA 240.32, AICPA AU-C 240.17, AICPA AU-C 240.18, PCAOB
AS 2110.26, PCAOB AS 2110.56
32 PCAOB AS 2110.67
33 ISA 240.42, ISA 260.15, AICPA AU-C 240.41, AICPA AU-C 240.12, PCAOB AS 2401.81, PCAOB AS
1301.9
38 EY Policy
39 EY Policy
40 EY Policy
41 ISA 240.26, ISA 240.47, AICPA AU-C 240.46, PCAOB AS 2401.83, PCAOB AS 2110.67
43 EY Policy