
FRAUD-RISK: Identify and assess fraud risk [effective for audits of periods ending on or after 15 December 2020]
GAM LAYERS: Core, Non-complex, Listed

ISSUER: EY (Global)

STATUS: Final

LAST MODIFIED: 22/07/2020

DOCUMENT ID: GAM FRAUD-RISK

DOCUMENT LOCATION: Periods ending after 15 Dec 2020 Global Audit Methodology / Identify and assess risks / FRAUD-RISK: Identify and assess fraud risk [effective for audits of periods ending on or after 15 December 2020]

Purpose
Misstatements in the financial statements can arise from either fraud or error. Risk of material misstatement
due to fraud (“fraud risk”) is a risk that the financial statements are materially misstated as a result of an
intentional act by one or more individuals among management, those charged with governance,
employees, or third parties involving the use of deception to obtain an unjust or illegal advantage.

We identify risks of material misstatement due to fraud and obtain sufficient appropriate audit evidence to
determine whether a material misstatement due to fraud has occurred. All risks of material misstatement due to
fraud are significant risks.

We identify fraud risk factors to assist in identifying fraud risks. Professional skepticism assists us in identifying
fraud risk factors and is crucial in detecting material misstatements due to fraud. Throughout the audit we remain
mindful that a material misstatement due to fraud may exist despite past experience of the honesty and integrity
of management and those charged with governance. We acknowledge that fraud may occur in any entity, at any
time, and may be perpetrated by anyone.

Even a properly planned and performed audit may not detect a material misstatement due to fraud, because of
the:

Internal Use Only


Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 1
• Concealment of fraudulent activity. Fraud may be disguised by sophisticated and carefully organized
schemes (e.g., forgery, deliberate failure to record transactions, or intentional misrepresentations).
Collusion may make such concealment even more difficult to detect.

• Professional judgment involved in identifying and evaluating risks that cause a material misstatement due
to fraud and other conditions.

• Difficulty in determining whether misstatements in judgmental areas, such as accounting estimates, are
caused by fraud or error.

We may, however, be able to identify potential opportunities for fraud to occur. Therefore, we plan and perform
our audit to obtain reasonable assurance, rather than absolute assurance, that the financial statements are free
of material misstatement due to fraud.

We refer to FRAUD-RESPOND when developing procedures to respond to identified risks of material
misstatement due to fraud.

1 Identify fraud risk factors


We identify fraud risk factors to assist in identifying risks of material misstatement due to fraud. We use
professional judgment in determining whether a fraud risk factor is present. We determine fraud risk factors in
the context of the three conditions generally present when fraud occurs (i.e., incentive/pressure, opportunity
and attitude/rationalization).1

Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an
opportunity to commit fraud.

We identify fraud risk factors by considering the information we obtain throughout the audit, as further described
in FRAUD-RISK 3.

FRAUD-RISK Appendix 1 provides further guidance on the three conditions that potentially lead to fraud. It can
be difficult to determine risk factors that indicate an attitude permitting rationalization of fraudulent activity.
Nevertheless, we are alert to the existence of such risk factors in information we use to identify risks of material
misstatement due to fraud as we perform other procedures.

When we identify an indicator of potential fraud or our inquiries suggest the entity’s financial statements may be
susceptible to fraud, we consider these fraud risk factors, together with the specific facts and circumstances, and
determine if there is a risk of material misstatement due to fraud.

Refer to example risk factors listed in FRAUD-RISK Appendix 1.2.

2 Presumptive risks of material misstatement due to fraud

We presume, at a minimum, the following risks of material misstatement due to fraud to be present in
every entity:

• Revenue recognition - refer to FRAUD-RISK 2.1

• Management override of controls - refer to FRAUD-RISK 2.2

We perform the following procedures in response to the presumptive risk of management override of
controls:2

• Test the appropriateness of journal entries - refer to FRAUD-RISK 2.3

• Evaluate the business rationale for significant, unusual transactions outside the normal course of
business - refer to FRAUD-RISK 2.4

• Evaluate management bias in determination of accounting estimates - refer to FRAUD-RESPOND 6.2

Further, as we obtain our understanding of the entity’s related party relationships and transactions, we consider
whether there are any fraud risk factors associated with these transactions and if so, whether they give rise to a
risk of material misstatement due to fraud. Refer to FRAUD-RISK 2.5.

2.1 Revenue recognition


We presume there is a risk of material misstatement due to fraud related to improper revenue recognition on
every audit. We evaluate which types of revenue, revenue transactions or assertions give rise to this fraud risk.
In limited circumstances, when we conclude there is no risk of material misstatement due to improper revenue
recognition, we document the reasons supporting this conclusion for each type of revenue, revenue
transaction or assertion.3

Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues (e.g.,
premature revenue recognition or recording fictitious revenues) or an understatement of revenues (e.g.,
improperly shifting revenues to a later period). Therefore, there is a presumption that we will identify a risk of
material misstatement due to fraud relating to revenue recognition.

However, if the revenue processes are non-complex with little subjectivity in meeting revenue recognition
criteria, we may conclude that there is not a risk of material misstatement due to fraud related to revenue
recognition.

EXAMPLE

If an entity has a single type of revenue transaction (e.g., leasehold revenue from a single unit
rental property), we may conclude that there is no risk of material misstatement due to fraud relating
to revenue recognition because the revenue amount can be predicted with a high degree of
confidence.

If an entity has two types of revenue transactions (e.g., selling a product such as a washing
machine and separately selling maintenance including spare parts) we consider the risk of material
misstatement due to fraud relating to revenue recognition for each type of revenue transaction
separately.

We remain alert to information throughout the audit that may indicate a fraud risk factor is present, including
those related to revenue recognition, and evaluate those factors to determine if they give rise to a risk of material
misstatement due to fraud. Refer to FRAUD-RISK 4 and STRATEGY 2 for further discussion.

EXAMPLE

As we review the correlation between revenue, trade receivables and cash, we consider the
following:

• Does the revenue which does not correlate to trade receivables indicate an unusual or
unexpected source of revenue or a revenue recognition adjustment?

• Are any other accounts affected by the correlation journals between revenue and trade
receivables expected (e.g., VAT/GST) or an indication of an override in the recognition of
revenue?

• Is the conversion of revenue to cash, via trade receivables, aligned with our expectation of
the business operations?

When we identify a risk of material misstatement due to fraud relating to revenue recognition, our identification
includes the specific aspects of the revenue account or SCOT that we believe are more susceptible to the risk.
We document how and where we believe the risk of material misstatement due to fraud is more likely to occur.

Typically, it is not helpful to identify a general risk of material misstatement due to fraud related to revenue
recognition. Instead, we specifically identify:

• The classes of revenue transactions where we believe a material misstatement due to fraud is more likely
to occur

• The revenue accounts, and related relevant assertions, that may be affected

• How such fraud could occur

For examples of areas to consider when identifying the risks of material misstatement due to fraud relating to
revenue recognition, refer to FRAUD-RESPOND Appendix 1.2.

Refer to FRAUD-RESPOND 5 for guidance on responding to risks of material misstatement due to fraud related
to revenue recognition.

2.2 Risk of management override of controls


Management is in a unique position to perpetrate fraud because of management's ability to manipulate
accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to
be operating effectively. Although the level of risk of management override of controls will vary from entity to
entity, the risk is nevertheless present in all entities.

Due to the unpredictable way in which management override could occur, we consider the risk of management
override of controls to be a risk of material misstatement due to fraud, and thus a significant risk. 4

EXAMPLE

Examples of management override of controls include:

• Recording, or instructing others to record, fictitious journal entries, particularly close to the
end of an accounting period, to manipulate operating results or achieve other objectives

• Inappropriately adjusting assumptions and changing judgments used to estimate account
balances

• Omitting, advancing or delaying recognition in the financial statements of events and
transactions that have occurred during the reporting period

• Omitting, obscuring or misstating disclosures required by the applicable financial reporting
framework, or disclosures that are necessary to achieve fair presentation

• Concealing facts that could affect the amounts recorded in the financial statements

• Engaging in complex transactions that are structured to misrepresent the financial position or
financial performance of the entity

• Altering records and terms related to a significant and unusual transaction

We evaluate fraud risk factors related to the risk of management override of controls in the context of the three
conditions generally present when fraud occurs (i.e., incentive/pressure, opportunity and attitude/rationalization),
as described in FRAUD-RISK Appendix 1. The nature, timing and extent of the procedures we design to respond
to the risk of management override is influenced by this consideration. Refer to FRAUD-RESPOND 6.

EXAMPLE

When an entity must meet loan covenant ratios that are dependent upon earnings, and the current
earnings trend may result in covenant violations, management may be under greater pressure to
achieve certain levels of earnings and has an incentive to manipulate earnings.

Conversely, when an audit of an entity is performed to fulfil statutory filing requirements, with little
interest from third parties, there may be almost no risk that management would have an incentive to
manipulate financial results.

In other entities, there may be a risk of misappropriation of assets which may be concealed through
overriding controls over the processing of transactions or journal entries.

The identification of risks of material misstatement related to the risk of management override allows us to
consider these risks when designing journal entry testing or other procedures to address the risk of management
override of controls. The higher the likelihood of management override of controls, the greater the extent of our
testing. Refer to FRAUD-RESPOND 6.1.5

We document identified risks relating to management override of controls (e.g., manipulation by management of
current assets and liabilities to meet certain loan covenant requirements) as significant risks and our response to
them.

In the unlikely event we do not identify a risk related to the management override of controls at an account or
assertion level, it is not necessary to create a risk of management override of controls to respond to the
presumed risk of management override of controls in EY Canvas. However, we perform the required procedures
to respond to the presumed risks of management override of controls on every audit.

TIP

The “Execute required fraud procedures” task grouping in EY Canvas summarizes these required
audit procedures.

As we determine risks of management override of controls, we consider that these can occur as subledger
transactions that are initiated and recorded or in controls over judgmental areas, such as in the development of
estimates.

2.3 Journal entries and other adjustments


Material misstatement of financial statements due to fraud often involves the manipulation of the financial
reporting process by recording inappropriate or unauthorized journal entries. This may occur throughout the
period or at period-end, or by management making adjustments to amounts reported in the financial statements
that are not reflected in journal entries, such as through consolidating adjustments and reclassifications.

Automated processes and controls may reduce the risk of inadvertent error, but do not overcome the risk that
individuals may inappropriately override such automated processes (e.g., by changing the amounts being
automatically posted to the general ledger or to the financial reporting system). When IT is used to transfer
information automatically, there may be little or no visible evidence of such intervention in the information
systems.

There may be a higher risk of management overriding controls over the processing of journal entries and other
adjustments as there may be fewer controls in this area, and management may be able to:

• Intervene in the processing or recording of a transaction

EXAMPLE

We filter the list of journal entries obtained from the entity for transactions posted directly by the
CFO at period-end that may indicate the result of management override of controls. We examine
documentation indicating that journal entries are properly supported and approved by management
and adequately reflect the underlying events and transactions.

• Direct less senior personnel to process or record a transaction in a way that is outside normal processes
and controls

• Manipulate the financial statement close process (FSCP) with the intention to materially misstate the
financial statements

Journal entries typically result from system entries within the accounting software used, as well as from manual
entries throughout the period, including from the FSCP. As management intervenes more easily in non-complex
entities, such entities may have a higher risk of management override.

We assess management’s incentive and opportunity to override controls over journal entries through
consideration of the following:

• The results of specific inquiries of others related to the processing of journal entries and other
adjustments. Refer to FRAUD-RESPOND 6.1.1.

• The presence of fraud risk factors and other information obtained during our assessment of the risks of
material misstatement due to fraud, which may help to identify specific types of journal entries and other
adjustments that are more susceptible to management override.

• Our understanding of the types of journal entries that exist within the financial reporting process. Refer to
FRAUD-RESPOND 6.1.2.

• Our understanding of the sources of transactions recorded in the general ledger, including journal entries
recording transactions from the sub-ledger to the general ledger, and how the general ledger is
transformed into the financial statements.

• Our understanding of the transaction processing systems and sub-ledgers (e.g., for the recording of
fictitious sales invoices). Refer to SCOTS 2.2.

• Controls that have been implemented over journal entries and other adjustments. Effective controls over
the preparation and posting of journal entries and other adjustments may reduce the risk of management
override, provided that we have tested the operating effectiveness of the controls. Refer to FSCP 3 and
CONTROLS.

Asking the following two questions can guide our assessment and evaluation of and response to management’s
incentive and opportunity to override controls over journal entries:

• How likely is management to do it?

This question considers the incentive/pressure and attitude/rationalization elements of the fraud triangle
(refer to FRAUD-RISK Appendix 1.2). The answer to this question will define the lens through which we
analyze journal entries and other adjustments and how extensive our procedures are to identify
manipulation of the financial reporting process by recording inappropriate or unauthorized journal entries.
When the results of inquiries have heightened our professional skepticism, or when the presence of fraud
risk factors have highlighted risks of material misstatement at the financial statement level as a whole or
related to specific classes of journal entries or other adjustments, we alter the nature, timing and extent of
our procedures.

• How will management do it?

Our understanding of the types of journal entries, the sources, and the controls in place allows us to
identify where manipulation in the financial reporting process may occur (e.g., by recording inappropriate or
unauthorized journal entries).

When we design our tests of journal entries, we keep in mind our understanding of where in the financial
reporting process manipulation can occur. This allows us to identify those journal entries that have a higher
risk of material misstatement for further investigation. Refer to FRAUD-RESPOND 6.1.

2.4 Significant unusual transactions

We identify significant unusual transactions and evaluate the business rationale for these transactions in
response to the risk of management override. 6

Significant unusual transactions are those transactions outside the normal course of business, or that appear
unusual based on our understanding of the entity’s business (e.g., journal entries to record the acquisition of a
building, the issue of new capital or a loan). Unusual transactions do not automatically constitute fraudulent
financial reporting; however, we remain aware that there is a higher risk of material misstatement, whether
through fraud or error, associated with them.

Our identification of significant unusual transactions takes into account information obtained during our risk
assessment procedures and other procedures performed during the audit. 7

EXAMPLE

Examples of risk assessment procedures include:

• Risk assessment analytical procedures

• Making inquiries of management and others

• Obtaining an understanding of the methods used to account for significant unusual
transactions

• Obtaining an understanding of internal control over financial reporting

Examples of other procedures include:

• Reading minutes of the board of directors’ meetings

• Performing journal entry testing

• Reviewing other information (e.g., significant contracts, internal audit reports)

As we identify significant unusual transactions, we also consider that transactions with related parties are more
likely to be significant unusual transactions. Refer to RPT 1.

Refer to RPT 5 for additional procedures when we have identified significant related party transactions outside
the normal course of business.

Refer to FRAUD-RESPOND 6.3 for a discussion of the response to risks of material misstatement due to
significant unusual transactions.

2.5 Related party relationships and transactions


When we identify fraud risk factors associated with related parties (including circumstances relating to the
existence of a related party with dominant influence), we consider whether this gives rise to a risk of material
misstatement due to fraud.9

Refer to RPT 4.

Refer to FRAUD-RESPOND 7 for a discussion of the response to risks of material misstatement due to fraud
related to related party relationships and transactions.

3 Obtain information to identify fraud risk factors

In addition to the presumptive risks of material misstatement due to fraud, we identify and assess risks of
material misstatement due to fraud at the financial statement level and at the assertion level for classes of
transactions, account balances, and disclosures in order to design an appropriate response.

We obtain information throughout the audit that we use in identifying risks of material misstatement due to
fraud. We remain alert to new information and re-evaluate our conclusions with respect to risks of material
misstatement due to fraud throughout the audit.10

When we identify an indicator of potential fraud or our inquiries suggest the entity’s financial statements may be
susceptible to fraud, we consider these fraud risk factors – together with the specific facts and circumstances –
and determine whether there is a risk of material misstatement due to fraud.

When performing risk assessment procedures and related activities to obtain an understanding of the entity and
its environment, including the entity's internal control, we obtain information for use in identifying fraud risk
factors that may give rise to risks of material misstatement due to fraud. These information-gathering procedures
include the following:

• Performing risk assessment analytical procedures to identify unusual or unexpected relationships -
FRAUD-RISK 3.1

• Making inquiries - FRAUD-RISK 3.2

• Holding an audit team discussion on the susceptibility of the entity’s financial statements to material
misstatement due to fraud - FRAUD-RISK 3.3

• Obtaining other information - FRAUD-RISK 3.4

3.1 Perform risk assessment analytical procedures to identify unusual or unexpected relationships

We perform risk assessment analytical procedures to assist in identifying fraud risk factors.

When the results of our risk assessment analytical procedures do not align with our understanding of the
business, current developments in the period under audit or our other expectations, we evaluate whether these
unusual or unexpected relationships, including those related to revenue accounts, indicate a fraud risk factor
that may give rise to a risk of material misstatement due to fraud. 11

We expect that plausible relationships among data exist and continue in the absence of known conditions to the
contrary. It is important to consider the reasons that make relationships plausible because data sometimes
appears to be related when it is not. This may lead to erroneous conclusions. Unexpected relationships may
provide important evidence when appropriately followed up.

EXAMPLE

We may:

• Verify the movement in inventories is a result of purchases made through payables and
charges to cost of sales when goods are sold. We can then further link those movements with
changes in revenues on a period by period basis.

• Determine an increase or decrease in the trade payables balance corresponds to an increase
or decrease in the inventory balance.

The identification of, and response to, risks of material misstatement due to fraud is an iterative process. We remain
alert to information that arises throughout the remaining activities of the audit when identifying risks of material
misstatement due to fraud.

3.2 Make inquiries

We make inquiries of management, those charged with governance, internal audit and others within the entity to
help us identify fraud risk factors that may indicate risks of material misstatement due to fraud. 12

When responses to inquiries of management or those charged with governance are unsatisfactory or
inconsistent with responses received from other members of management or those charged with governance
or other employees of the entity with whom we have made inquiries, we investigate these inconsistencies or
unsatisfactory responses.13

Whenever possible, we make inquiries after we have performed our risk assessment analytical procedures so
that our inquiries consider the information we observed in the entity’s financial information (refer to FRAUD-RISK
3.1).

EXAMPLE

We determine that there is an unusually large increase in revenue activity near quarter ends. We
may inquire of management why this occurs and what they do to address the risk that revenue may
not be recognized in the correct period.

In addition, our inquiries also consider aspects external to the entity, such as external pressures or expectations
of stakeholders.

We make our inquiries in person during the audit’s early planning stages. The inquiries are made by a team
member, generally a manager or above, who has the knowledge and experience to ask appropriate follow-up
questions. Experienced team members (i.e., the audit executives) are generally involved when we inquire of
senior management (e.g., the owner-manager, CFO, CEO or COO) or those charged with governance.

We use our knowledge of the entity and its environment, as well as information from other risk assessment
procedures, together with our professional judgment to determine the nature and extent of our inquiries and the
extent of follow-up questions. 15

Inquiries of management

We inquire of management about:16

• Management’s assessment of the risks of material misstatement due to fraud, including the nature,
extent and frequency of such assessments
• Management’s process for identifying and responding to risks of fraud in the entity, including programs
and controls the entity has established to address risks identified by the entity, or that otherwise prevent,
deter and detect fraud, and how senior management monitors those programs and controls
• Any risks of fraud that have been identified by management or brought to management’s attention
• Management’s communication, if any, to those charged with governance (when relevant) regarding its
processes for identifying and responding to the risks of fraud
• Management’s communication, if any, to employees regarding its views on business practices and ethical
behavior
• Management’s knowledge of any actual or suspected fraud or allegations of fraudulent financial reporting
affecting the entity and if so, management’s responses to such allegations or complaints
• For an entity with multiple components or business segments, the nature and extent of monitoring of
components or business segments, and whether there are particular components or business segments
for which a risk of fraud of the group financial statements may be more likely to exist.
• Whether the entity has entered into any significant unusual transactions and, if so, the nature, terms and
business purposes of those transactions and whether such transactions involved related parties (refer to
FRAUD-RISK 2.4)

EXAMPLE

Management may obtain knowledge of actual, suspected or alleged fraudulent reporting from a
“whistleblower” or other communications from employees, former employees, analysts, short sellers
or other investors.

We recognize that the risk of material misstatement due to fraud by management (whether fraudulent financial
reporting or misappropriation of assets) increases when management is actively involved in financial aspects of
the business, particularly the initiation, recording and reporting of transactions.

However, it is still appropriate to make inquiries of management regarding its own assessment of the risk of
fraud and the controls in place to prevent, deter and detect it. In some entities, management may make detailed
assessments of the risk of fraud. In other entities, management’s assessment may be less structured and occur
infrequently. The nature, extent and frequency of management’s assessment of the risk of fraud are relevant to
our understanding of the entity’s control environment.

In non-complex entities, when there is no formal governance body or it is inactive, controls that prevent or detect
misstatements due to fraud involving management are unlikely to exist. If an entity has controls, they may not be
sufficient to address the risks of material misstatement due to fraud because of the increased risk of
management overriding them.

EXAMPLE

The fact that management has not assessed the risk of fraud may indicate the lack of importance it
places on internal control so the risk of fraud increases.

We apply professional skepticism during our inquiries of management.

We determine whether new information comes to our attention during our inquiries of management that has an
effect on our assessment of the control environment and its effect on our audit strategy. 17

When making our inquiries of management, we may inquire about:

 Unusual or unexpected items identified from the results of risk assessment analytical procedures (refer to
FRAUD-RISK 3.1)

 Knowledge of actual or suspected or alleged fraud

 EXAMPLE

 Are you aware of any fraud at the entity?


 Do you have suspicions of fraud at the entity?
 Are you aware of allegations of actual or suspected fraud affecting the entity, for example, via
communications from employees, ex-employees, analysts, regulators or others?

 Assessment of, and process for, identifying risks of material misstatement due to fraud

Internal Use Only


Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 17
 EXAMPLE

 Have you identified risks of material misstatement due to fraud at the entity?
 What is your process for identifying risks, including risks of material misstatement due to
fraud?
 Does the entity have any deficiencies in internal control?
 Do you know of instances when controls have been overridden?
 Which accounts, particularly estimates, would be most susceptible to manipulation if
someone were inclined to do so?

 Controls to address the risks of fraud

 EXAMPLE

 Does the entity have a code of conduct or ethics policy?


 Has the entity established a hotline for reporting suspected or alleged violations?
 Who is responsible for following up alleged violations of the code of conduct or ethics policy?
Have any violations occurred in the past year?
 What is your view of the internal controls over those accounts you believe have a higher risk
of material misstatement due to fraud?
 What procedures are there for initiating, approving and processing non-routine or unusual
transactions?
 How are these programs and controls monitored?

 Management’s communication with those charged with governance

EXAMPLE

 Do you regularly report to, or discuss with, those charged with governance the entity’s
significant risks, including risks of material misstatement due to fraud, that affect the financial
statements?
 Have you communicated to those charged with governance your views on how the entity’s
internal control serves to prevent, or detect and correct, material misstatements due to fraud?
 If so, which programs and controls were the focus of this communication?

Inquiries of those charged with governance

We inquire of those charged with governance about:

 How they exercise oversight of management’s processes for identifying and responding to risks of fraud
and the controls established by management to address specific risks of fraud the entity has identified, or
that otherwise help prevent, deter and detect fraud. 18
 Their views about the risks of fraud and whether they have knowledge of any actual or suspected or
alleged fraud affecting the entity.19

When all of those charged with governance are involved in managing the entity, we do not need to inquire about
how those charged with governance exercise oversight of management’s processes relating to identifying and
responding to risks of fraud.

We also make inquiries of those charged with governance in accordance with the requirements in LAWS+REGS
2.1 and RPT 1.

Our inquiries of those charged with governance are made in part to corroborate the responses to the inquiries of
management. Understanding the oversight and responsibilities of those charged with governance may give
insights into the entity’s susceptibility to management fraud, the adequacy of internal control over risks of fraud,
and the competency and integrity of management.

Inquiries of internal audit

Internal audit has significant insight into the operations of the business and can provide useful information that
would assist us in identifying risks of material misstatement due to fraud.

For entities that have an internal audit function, we inquire of the director of internal audit (or equivalent), at a
minimum, and other internal audit personnel, as appropriate, about: 22

 Their views of the risks of fraud

 Whether they have knowledge of any actual or suspected or alleged fraud

EXAMPLE

When there have been changes in controls or policies and procedures in the entity, we may inquire
of internal audit about whether they believe there is an increased risk of fraud as a result of these
changes. In addition, internal audit may be aware of controls that were effective in prior periods but
are weaker in the current period due to changes in circumstances.

Inquiries of others

We make inquiries of others within the entity, as appropriate, to determine whether they have knowledge of
any actual or suspected or alleged fraud affecting the entity. 24

As we confirm our understanding of the SCOTs, we make inquiries of individuals involved in the financial
reporting process about inappropriate or unusual activity relating to the processing of journal entries and other
adjustments.

Refer to FRAUD-RESPOND 6.1.1.

EXAMPLE

When meeting with an accounting department employee to obtain or update our understanding of
SCOTs and related controls, we may ask if he or she has seen:

 Anything unusual in the processing of routine transactions, handling of exceptions in
transaction processing or application of a control (e.g., the follow up and resolution of items
on an error report, any recorded sales where risk has not passed to buyers)

 Any unusual involvement of management in the initiation, recording, processing or reporting
of transactions

TIP

Others we may make inquiries of:

 Employees (financial and operating) – about the existence, or suspicion, of inappropriate
activities

 Marketing or sales personnel – about sales trends or contractual arrangements with
customers

 Employees involved in accounting for complex or unusual transactions (including supervisors)
– about the existence of inappropriate activities

 Employees involved in correcting incorrect information – about journal entries and authorizing
transactions

 Personnel dealing with allegations of fraud – about their knowledge of actual, suspected or
alleged fraud

 In-house legal counsel – about litigation; compliance with laws and regulations; knowledge of
actual, suspected or alleged fraud; warranties, post-sales obligations or joint venture
arrangements that may indicate inappropriate activities

We use our professional judgment and experience of the entity or of similar organizations within its industry to
determine who we speak to, and to what extent. In most cases, these inquiries are a natural extension of the
discussions we have during the audit.

To help identify risks of material misstatement due to fraud, we may ask others within the entity, including those
outside of the finance function, the following questions:

 Circumstances that may be indicative of fraud

EXAMPLE

 Have you observed anything unusual in your position?
 Has management ever asked you to do something that you consider unethical?
 Has management ever bypassed the “normal” process to record a journal entry, such as one
without supporting documentation or one you thought is improper?
 Are you aware of recorded sales where risk has not passed to buyers?
 If someone of authority wanted to commit fraud, what would be the easiest way to do it?
 Have there been any significant unusual or complex transactions?

 Controls to address the risks of fraud

EXAMPLE

 What is management's attitude toward internal control?
 What controls are in place for sales cutoff?
 What controls exist for recording journal entries?
 What policies and procedures ensure revenue is properly recorded?

3.3 Audit team discussion


We discuss the susceptibility of the entity’s financial statements to material misstatement due to fraud (refer to
EDAP 3.2.2).

We evaluate the information we obtained from that discussion to identify fraud risk factors. This discussion
provides an opportunity for engagement executives and the team to:

 Share their insights about how and where the financial statements may be susceptible to material
misstatement due to fraud

 Focus on how to perform the audit with a heightened level of professional skepticism

3.4 Obtain other information


We determine other information that may be helpful in identifying risks of material misstatement due to fraud. 26

3.4.1 Understand the business
We evaluate the information arising from our understanding of the entity and its environment (e.g., the nature
of the business, ownership characteristics, the industry in which the entity operates and the size and
complexity of the entity’s operations) to identify fraud risk factors.27

In addition to the risk assessment analytical procedures (refer to FRAUD-RISK 3.1), the other procedures we
perform to understand the entity’s business may lead to identification of fraud risk factors. Refer to UTB.

Our understanding of the entity’s business model, and how it is affected by its business strategy and business
objectives, may assist us in identifying business risks that are relevant in identifying risks of material
misstatement due to both fraud and error.

EXAMPLE

Incentives and pressures on management may result in intentional or unintentional management
bias, which may affect the reasonableness of significant assumptions and expectations of
management or those charged with governance thereby increasing the susceptibility to risks of
material misstatement due to fraud.

3.4.2 Understand SCOTs, significant disclosure processes and types of journal entries
Our understanding of SCOTs and significant disclosure processes facilitates the identification of WCGWs, and
risks of material misstatement due to fraud within the processes.

EXAMPLE

As we obtain our understanding of SCOTs, we may identify fraud risk factors such as:

 Inappropriate use of IT

 Segregation of duties issues

 Overly complex SCOTs that may hide inappropriate transactions or incorrect accounting
under the appropriate financial reporting framework

 Poorly designed SCOTs that lead to significant manual intervention and therefore may give
rise to a higher risk of fraudulent activity

 Inappropriate activity by IT personnel

As we obtain our understanding of the SCOTs, we also obtain an understanding of the types of journal entries
that exist within the financial reporting process, as described in FRAUD-RESPOND 6.1.2.

3.4.3 Additional information


The following table summarizes where we may obtain additional information that may be helpful in identifying
risks of material misstatement due to fraud.

| Procedures | Reference |
|---|---|
| New information from the results of our client and engagement acceptance and continuance process. | ENGAGE |
| Reviews of interim financial information. | UTB |
| Consideration of whether trends and relationships in the financial statements indicate a previously unidentified risk of material misstatement due to fraud | FSCP |
| The existence of related party transactions, including circumstances related to the existence of a related party with dominant influence. | UTB, RPT |
| Consideration of the information obtained during our understanding of entity-level controls and our understanding of the influence of the control environment. | ELC |
| The nature of the account. | SCOTS, ACCTS |
| Certain assertions have a higher inherent risk because of the high degree of management judgment involved in determining the account balance, existence of complex and unusual transactions, significant estimates and period-end adjustments, intercompany transactions and large unreconciled amounts. The related accounts may contain risks of material misstatement due to fraud because they are susceptible to manipulation by management. | FSCP, STRATEGY |
| Assessment of inherent risk for relevant assertions of significant accounts. | STRATEGY |
| Consideration of how IT processes affect journal entries including how unauthorized access and changes to applications that prepare and record journal entries are prevented or detected | IT |

4 Assess fraud risk factors to identify fraud risks
We use the information we have obtained at different points in the audit, including the identification of fraud risk
factors, to identify and assess risks of material misstatement due to fraud. 28

When identifying risks of material misstatement due to fraud, we evaluate: 29

 The collective knowledge we have obtained throughout the audit
 The information obtained through our inquiries
 The type of risk (i.e., fraudulent financial reporting or misappropriation of assets)
 The magnitude of the risk
 The likelihood that the risk will result in a material misstatement in the financial statements

If a fraud risk factor has a higher likelihood of occurrence and a higher magnitude of potential misstatement, we
identify it as a risk of material misstatement due to fraud.

PARTNER IN CHARGE REQUIREMENT

The partner in charge of the audit evidences his or her review and approval of the identified risks of material
misstatement due to fraud, by signing the required fraud forms or Form 800 NCE Audit Planning Template.30

Identifying risks of material misstatement due to fraud is not just about reviewing a checklist of risk factors. Fraud
risk factors may be present at the entity, yet due to the circumstances and nature of its business these may not
result in risks of material misstatement due to fraud.

Further, a fraud does not have to have occurred for a risk of material misstatement due to fraud to exist.
Therefore, we challenge our assessment of the potential risk of material misstatement due to fraud and our
response each period.

EXAMPLE

We may identify lack of independent oversight over the financial reporting process as a fraud risk
factor in both a more complex entity and a less complex entity.

Lack of effective oversight by those charged with governance or an ineffective internal audit function
in a more complex entity is likely to be a cause for concern that inappropriate or unauthorized
transactions may go undetected. We may identify this as a risk of material misstatement due to
fraud.

In a less complex entity, we may not identify lack of independent oversight over the financial
reporting process as a risk of material misstatement due to fraud because of management’s
extensive involvement in the entity, the need for management authorization of transactions and the
limited number of transactions.

We consider the information we have obtained to identify fraud risk factors to determine if conditions indicate
risks of material misstatement due to fraud.

In assessing whether a condition represents a risk of material misstatement due to fraud or just a fraud risk
factor, we consider the ‘likelihood’ of one or more misstatements, and their potential ‘magnitude’ if the condition
occurred.

The likelihood is the possibility that the condition can occur. We evaluate this in the context of the fraud triangle
(i.e., we consider whether there is an incentive or pressure to commit fraud, an opportunity to do so and whether
individuals can rationalize a fraudulent act).

The magnitude is the potential misstatement to the financial statements if the condition occurs. In evaluating
magnitude, we determine whether the condition could have a material effect on the financial statements,
individually or in the aggregate. If a condition has a higher likelihood of occurrence and a higher magnitude of
potential misstatement, we identify it as a risk of material misstatement due to fraud.

EXAMPLE

A jewelry manufacturer has numerous small inventory items with a high monetary value. The
characteristics of the items make them more susceptible to misappropriation. Consequently, we
may determine that there is a higher likelihood of misstatement of inventory. In addition, the
potential magnitude of the misstatement is higher due to the monetary value of the items.
Therefore, we may identify a risk of material misstatement due to fraud.

If a condition is either likely to occur or has a higher magnitude of misstatement but not both, we may not identify
a risk of material misstatement due to fraud. However, we may identify a fraud risk factor that needs to be
evaluated in combination with other identified fraud risk factors.

When we determine that fraud risk factors give rise to risks of material misstatement due to fraud, we document
the risk in sufficient detail so that it is clear what the risk is and how it affects the financial statements. When our
rationale for determining a risk of material misstatement due to fraud is not obvious, we document any significant
judgements made in their identification. Refer to FRAUD-RISK 5.

5 Determine the effect the fraud risk has on the financial statements
We determine whether risks of material misstatements due to fraud: 31

 Are pervasive to the financial statements as a whole, or
 Relate to a particular account, assertion or significant class of transactions

Risks of material misstatement due to fraud at the financial statement level refer to risks that relate pervasively
to the financial statements as a whole and potentially affect many assertions. Risks of this nature are not
necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure
level. Rather, they represent circumstances that may increase the risks of material misstatement at the financial
statements level (e.g., through management override of internal control). Risks of material misstatement at the
financial statement level may be especially relevant to the auditor’s consideration of the risks of material
misstatement due to fraud.

EXAMPLE

Risks at the financial statement level may occur from a deficient control environment (although
these risks may also relate to other factors, such as declining economic conditions). For example,
deficiencies such as management’s lack of communication to employees regarding its views on
ethical behavior and proper business practices may indicate to employees that management is not
conscious about fraud and create opportunities for fraud to be perpetrated. Such conditions have a
more pervasive effect on the financial statements and may require an overall response.

When a risk of material misstatement due to fraud is considered pervasive to the financial statements as a
whole, we also determine if we can relate the risk to specific account balances where we believe a potential
material misstatement is likely to arise in order to design a specific response, as described in FRAUD-
RESPOND 4. When the risk cannot be related to a specific account balance, we determine an overall response,
as described in FRAUD-RESPOND 3.

When a risk of material misstatement due to fraud relates to a particular account assertion, disclosure, or
significant class of transactions, we describe the specific aspect of the account assertion, disclosure, or SCOT
that is affected by the risk.

For each identified risk of material misstatement due to fraud, we consider how management could perpetrate
and conceal fraudulent financial reporting or how assets of the entity could be misappropriated.

EXAMPLE

We consider how fraud could be perpetrated or concealed by omitting or presenting incomplete or
inaccurate disclosures.32

A control environment that supports the prevention, or detection and correction, of material misstatements
relevant to financial reporting is not an absolute deterrent to fraud, but it may help reduce some risk of fraud,
giving us more confidence in internal control and the reliability of audit evidence. However, the risk of
management override of controls is present in all entities and an effective control environment, although
important, does not eliminate this risk. Additionally, negative factors within the control environment may
undermine the effectiveness of controls and create more risks of material misstatement due to fraud. We
describe in detail the risks of material misstatement due to fraud. If our concerns relate to specific elements or
components of an account (e.g., certain management’s assumptions used in the determination of an estimate or
elements of a revenue stream at an entity that has multiple revenue streams), then our identification and
documentation of the risk of material misstatement due to fraud articulates those specific elements or
components.

Account assertions affected by a risk of material misstatement due to fraud have a higher inherent risk
assessment, which directly affects the nature, timing and extent of our audit procedures. As a result, it is
important that we effectively articulate each risk of material misstatement due to fraud and associate it only to
those assertions that are affected so that we can design audit procedures responsive to the fraud risks identified.

We document risks of material misstatement due to fraud in appropriate detail in order to:

 Facilitate effective communication among the members of the audit team, which helps the team apply
appropriate professional skepticism

 Reduce the risk of undetected material misstatement due to fraud

 Focus audit efforts on specific areas of the financial statements or the entity’s internal controls over
financial reporting when we believe a risk of material misstatement due to fraud exists

 Avoid inadvertent communication among the audit team of additional risks of material misstatement due to
fraud

Specific considerations for non-complex entities

In some entities, management may view the business as an extension of its own personal resources and may
not perceive their actions as fraudulent. However, when an entity is incorporated to conduct a business, other
interested parties (e.g., tax authorities or third-party creditors) expect operating results to fairly reflect the
conduct of the business, without management’s personal use of its resources. We therefore consider the risks of
material misstatement due to fraud involving management, whether performed directly by them or under their
direction.

EXAMPLE

Risks of material misstatement due to fraud related to misappropriation of assets involving
management include:

 Personal use of entity assets

 Payments to family members or close friends when no service has been rendered

 Obtaining loans on behalf of the entity for personal use

 Using the entity’s assets as collateral for personal loans

 Entering into transactions at other than an arm’s length basis with related parties

EXAMPLE

Risks of material misstatement due to fraud related to fraudulent financial reporting involving
management include:

 Inflating expenses to reduce results and, therefore, tax liabilities

 Adjusting results or reclassifying balances to meet debt covenant restrictions

 Inflating results for future sales

 Fraudulent tax declarations, including VAT (sales tax) and income tax

 Under- or overstating reserves, such as those for inventory obsolescence or doubtful
receivables

These examples are more likely to occur in non-complex entities when management may have more opportunity
to commit fraud. As well as considering management’s attitude and potential to rationalize fraud, we also assess
any pressures and incentives to commit fraud.

EXAMPLE

The existence of related parties with dominant influence over the entity and its management could
result in a risk of a material misstatement due to fraud being identified.

Our consideration of risks of material misstatement due to fraud involving employees in a non-complex entity is
similar to that for other entities.

In non-complex entities, the most likely risks of material misstatement due to fraud involving employees relate to
misappropriation of assets, especially where products are small and valuable. Due to management’s direct
involvement in operations, we may conclude there is little opportunity for fraud involving employees to occur, or
that it is unlikely to cause a material misstatement of the financial statements.

Refer to FRAUD-RISK Appendix 3 for further examples of circumstances that may be indicative of fraud and
FRAUD-RISK Appendix 1.2 for example fraud risk factors.

6 Communication requirements
We communicate the risks of material misstatement due to fraud to those charged with governance as part of
our communication of significant risks that we have identified (refer to COMMS 3.1).33

When we have identified significant deficiencies (or material weaknesses if required to be communicated in the
jurisdiction) in internal control related to the prevention or detection of fraud, we communicate these significant
deficiencies (or material weaknesses) to those charged with governance and when appropriate, to
management (refer to COMMS 3.4).35

When we identify or suspect fraud, we communicate these matters to management and those charged with
governance as appropriate (refer to COMMS 3.6 for further requirements and guidance on communication
regarding fraud).36

Documentation

We document the following in the Fraud considerations form or APT:

 The procedures performed to obtain the necessary information to identify risks of material misstatement
due to fraud. This includes details of the sources of the information obtained, such as data analytics, of
whom we made inquiries and documents examined. 37
 The fraud risk factors (i.e., those events or conditions that indicate an incentive or pressure to commit
fraud or provide an opportunity to commit fraud).38
 The risks of material misstatement due to fraud at the assertion level and risks of material misstatement
due to fraud at the financial statement level, including any significant judgements made in their
identification (refer to STRATEGY Documentation)39
 The specific risks relating to management override of controls, including when relevant, the information
that led us to determine that the likelihood of management override of controls is higher. 40
 If we have not identified a risk of material misstatement due to fraud relating to revenue recognition, the
reasons supporting this conclusion.41
 For each identified risk of material misstatement due to fraud:
    How and where the fraud could occur, in sufficient detail, to be clear as to the potential effect on the
   financial statements.42
    The controls related to each identified risk of material misstatement due to fraud. 43

Documenting sufficient detail of how and where fraud could occur addresses all aspects of the affected accounts
including the assertions affected by the risk, and includes:

 How the entity’s financial statements might be susceptible to material misstatement due to fraud

 How management could perpetrate or conceal fraudulent financial reporting

 How assets of the entity might be misappropriated

Our documentation is sufficiently robust to be clear about which assertions are affected and that our
considerations of the risk of material misstatement due to fraud are complete.

Enablement
Refer to the following EY Atlas auditing topic page for additional enablement, including forms, and external
standards related to this EY GAM topic:

 Fraud

Appendix 1 Description and characteristics of fraud
The primary factor that distinguishes fraud from error is whether the action that resulted in the misstatement of
the financial statements is intentional. Fraud is intentional and usually involves concealing facts.

Our ability to detect a fraud depends on such factors as the:

 Skill of the perpetrator

 Frequency and extent of manipulation

 Degree of collusion

 Size of amounts manipulated

 Seniority of those involved

Fraud is a broad legal concept; our interest relates specifically to fraudulent acts that cause a material
misstatement in the financial statements.

Two types of fraud are relevant to a financial statement audit:

1. Fraudulent financial reporting

2. Misappropriation of assets

As we gather information to identify risks of material misstatement due to fraud, we consider both types of fraud.

Fraudulent financial reporting may involve different types of acts.

EXAMPLE

Fraudulent financial reporting may involve:

 Manipulation, falsification or alteration of accounting records or supporting documents from
which financial statements are prepared

 Misrepresentation in, or intentional omission from, financial statements of events,
transactions or other significant information

 Intentional misapplication of accounting principles relating to amounts, classification, manner
of presentation or disclosure

Misappropriation can be accomplished in various ways.

EXAMPLE

Misappropriation may be accomplished by:

 Embezzling receipts (e.g., misappropriating collections on trade receivables or diverting
receipts for written-off accounts to personal bank accounts)

 Stealing physical assets or intellectual property (e.g., taking inventory for personal use or for
sale, stealing scrap for resale, colluding with a competitor by disclosing technological data for
payment)

 Causing an entity to pay for goods and services not received (e.g., payments to fictitious
vendors or employees, kickbacks from vendors to the entity’s purchasing agents in return for
inflating prices)

 Using an entity’s assets for personal use (e.g., using them as collateral for a personal loan or
a loan to a related party)

Misappropriation of assets may be accompanied by false or misleading records or documents and may involve
one or more people among management, employees or third parties.

Fraud, regardless of the type, is often concealed by:

 Falsified documentation
 Collusion among management, employees or third parties

Appendix 1.1 Collusion


Collusion may cause us to believe false evidence is persuasive.

EXAMPLE

Through collusion, we may receive false evidence that control activities have been performed
effectively, or we may receive false confirmation from a third party in collusion with management.

Although fraud is concealed and management’s intent is difficult to determine, certain conditions may alert us to
the possibility of fraud.

EXAMPLE

An important contract may be missing, a sub-ledger may not be satisfactorily reconciled to its
control account, or the results of an analytical procedure may not be consistent with expectations.

Appendix 1.2 The fraud triangle

An entity’s size, complexity and ownership characteristics influence how we consider fraud risk factors.

TIP

Management of a non-complex entity may have a greater incentive to manage earnings as this has
a more direct personal benefit and have more opportunity to influence the recording of transactions
to achieve this.

Certain risk factors related to misstatements arising from fraudulent financial reporting may also be present with
those arising from misappropriation of assets.

Below are examples of risk factors relating to each of the three conditions generally present when material
misstatement due to fraud occurs.

Condition Risk factor examples

Incentive or pressure Relating to misstatements arising from fraudulent

Internal Use Only


Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 37
Management or other employees have an incentive or financial reporting
are under pressure, which provides a reason to commit
a) Operating conditions and financial stability
fraud.
under threat.

 EXAMPLE

Due to:

 Strong competition and declining


margins

 Vulnerability to rapid changes in


the industry (e.g., changes in
technology or product
obsolescence)

 Vulnerability to changes in interest


rates

 Decline in demand and increasing


business failures in the industry or
overall economy

 Threat of imminent bankruptcy,


foreclosure or hostile takeover

 Recurring negative cash flows or


inability to generate cash flows
while reporting earnings and
earnings growth

 Rapid growth or profitability


especially compared to other
entities

 New accounting, statutory or


regulatory requirements that could
impair financial stability or
profitability

Internal Use Only


Exported on 24/10/2020 8:25 pm © All rights are reserved. Page 38
b) Excessive pressure to deliver on expectations of third parties

 EXAMPLE

Due to:

 Failure to meet profit or trend level expectations (particularly expectations that are unduly aggressive or unrealistic), including those created by management

 Need for additional debt or equity financing to stay competitive, including need for funding of research and development or capital expenditure

 Dependence on debt, or marginal ability to meet debt repayment requirements or covenants

 Adverse consequences on pending transactions (e.g., a business combination or contract award) if poor financial results are reported

c) Threats to the personal net worth of management or those charged with governance, due to the entity’s financial performance, may provide incentives to override controls by (i) directing the entity, against its interests, to conclude transactions for the benefit of these parties or (ii) colluding with such parties or controlling their actions

 EXAMPLE

Due to:

 The concentration of the personal net worth of management or those charged with governance in the entity

 Management compensation having significant links with the entity’s financial results

 Management and those charged with governance having personally guaranteed the entity’s debt

d) Pressure to meet financial targets set by those charged with governance or management

Relating to misstatements arising from misappropriation of assets

a) Personal financial obligations may create pressure to misappropriate cash or other assets susceptible to theft

b) Adverse relationships between the entity and employees may cause staff to misappropriate cash or other assets.

 EXAMPLE

Adverse relationships may be created by layoffs, changes to compensation or benefit plans

Condition: Opportunity

Circumstances may provide opportunities for fraud (e.g., the absence of controls, ineffective controls or management’s ability to override controls).

Risk factor examples

Relating to misstatements arising from fraudulent financial reporting

a) The nature of the industry or the entity’s operations provides opportunities for fraudulent financial reporting:

 EXAMPLE

Due to:

 Significant related party transactions not in the ordinary course of business or with others

 The exertion of dominant influence by a related party

 Strong financial presence or industry domination allowing the entity to dictate terms or conditions resulting in non-arm’s length transactions

 Accounts based on significant estimates involving unusually subjective judgments difficult to corroborate

 Significant, unusual or highly complex transactions, close to period-end, posing ‘substance over form’ questions

 Operations in jurisdictions with differing business environments and cultures

 Intermediaries, bank accounts, subsidiaries or operations in tax-havens, with no clear business justification

b) There is ineffective monitoring of management

 EXAMPLE

Due to:

 Domination by a single person or small group (in a non-owner-managed business) without compensating controls

 Ineffective oversight over the financial reporting process and internal control by those charged with governance

c) There is a complex or unstable organizational structure

 EXAMPLE

As evidenced by:

 Difficulty in determining the organization or individuals that control the entity

 Unusual legal entities or managerial lines of authority

 High turnover of senior management, legal counsel or those charged with governance

d) Internal control components are deficient 44

 EXAMPLE

Due to:

 Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (when external reporting is required)

 High turnover rates or employment of ineffective accounting, internal audit or IT staff

 Poor accounting and information systems involving significant deficiencies

Relating to misstatements arising from misappropriation of assets

a) Certain characteristics or circumstances may increase assets’ susceptibility to misappropriation.

 EXAMPLE

 Large amounts of cash on hand or processed

 Inventory characteristics (e.g., small size, high value or high demand)

 Easily convertible assets (e.g., bearer bonds, diamonds)

 Fixed asset characteristics (e.g., small size or lack of ownership identification)

b) Inadequate internal control over assets may increase their susceptibility to misappropriation.

 EXAMPLE

 Inadequate segregation of duties or independent checks

 Poor management oversight

 Poor oversight of management expenditure

 Inadequate job applicant screening for employees with access to assets susceptible to misappropriation

 Inadequate recordkeeping of assets

 Inadequate systems for timely authorization, approval and documentation of transactions

 Poor physical safeguards over assets

 Lack of complete reconciliations of assets

 No mandatory vacations for employees with key control functions

 Poor management understanding of IT leading to weak access controls

Condition: Attitude or rationalization

Some people have an attitude, character or set of values that leaves them untroubled about committing dishonest acts. However, even honest individuals can commit fraud if sufficient pressure is imposed on them. The greater the incentive or pressure, the more an individual is likely to rationalize the acceptability of committing fraud.

Generally, we cannot detect risk factors reflective of attitudes/rationalizations. However, if we become aware of such behavior, we consider it in identifying risks of material misstatement due to fraud.

Risk factor examples

Relating to misstatements arising from fraudulent financial reporting

a) Ineffective communication, implementation, support or enforcement of the entity’s values or ethical standards by management; or ineffective communication by management when inappropriate values or ethical standards occur

b) Non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates

c) A history of violations of securities law or other laws and regulations or claims against the entity, its senior management or those charged with governance alleging fraud or violations of securities law or other laws and regulations

d) Excessive management interest in maintaining or increasing the entity’s stock price or earnings trend

e) A management practice of committing to aggressive or unrealistic forecasts

f) Management failure to correct known significant deficiencies on a timely basis

g) Management interest in employing inappropriate means to minimize reported earnings for tax reasons

h) Low morale among senior management

i) The owner-manager makes no distinction between personal and business transactions

j) Dispute between shareholders in a closely held entity

k) Recurring management attempts to justify marginal or inappropriate accounting on the basis of materiality

l) A strained relationship between management and us, or the predecessor auditor

 EXAMPLE

As exhibited by:

 Frequent disputes on accounting, auditing or reporting matters

 Unreasonable demands such as unreasonable time constraints regarding the completion of our audit or the issuance of our auditor’s report

 Limited access to people – including those charged with governance – and information

 Domineering management behavior, especially attempts to influence the scope of our work or the selection of audit personnel

Relating to misstatements arising from misappropriation of assets

a) Disregard for the need for monitoring or reducing risks related to misappropriations of assets

b) Disregard for internal control by overriding existing controls or by failing to correct control deficiencies

c) Behavior indicating displeasure or dissatisfaction with the entity or its treatment of the employees

d) Changes in behavior or lifestyle

e) Tolerance of petty theft

In some cases, those perpetrating fraud do not directly benefit but may have a misguided belief that it benefits
others.

Although risk of material misstatement due to fraud may be greatest when the three fraud conditions are evident,
we cannot assume that inability to observe all three conditions means there is no risk.

Certain assertions, accounts and classes of transactions that have higher inherent risk, because they involve a
high degree of management judgment and subjectivity, may present risks of material misstatement due to fraud
because they are susceptible to (conscious or unconscious) management manipulation.

 EXAMPLE

Restructuring liabilities may be deemed to have higher inherent risk because of the subjectivity and
management judgment in their estimation. Similarly, revenues for software developers may be
deemed to have higher inherent risk because of the subjectivity in recognizing and measuring
software revenue transactions.

Appendix 2 Discussion of fraud considerations

Appendix 2.1 Susceptibility of financial statements to fraud

In discussing the susceptibility of an entity’s financial statements to material misstatement due to fraud we may
consider:

 The organizational structure and operating environment, particularly the monitoring of remote locations

 Management’s involvement in overseeing employees with access to cash, or other assets susceptible to
misappropriation

 The complexity of transaction processing, including the extent of use of IT and the possibility for
management override of automated controls

 The nature and extent of management involvement in setting accounting policies, developing significant
accounting estimates and preparing financial statements

 Significant pressures on management to meet expected earnings or operating targets, and how such
pressures affect financial and accounting personnel

 Significant accounts and disclosures or relevant assertions we have assessed, or are likely to assess, as
‘higher’ inherent risk because they involve a high degree of management judgment and subjectivity, which
(in certain circumstances) could lead to inappropriate earnings management

 Segregation of duties, authorization of transactions and asset safeguarding

 Incorporating an element of unpredictability into the nature, timing and extent of audit procedures

 Selecting audit procedures to respond to the susceptibility of the entity’s financial statements to material
misstatement due to fraud, and whether certain procedures are more effective than others

 Allegations of fraud that have come to our attention

 Consideration of any unusual or unexplained changes in behavior or lifestyle of management or employees that have come to our attention

 The nature of significant transactions outside the normal course of business including those with related
parties

 Related party relationships and transactions issues, such as:

   The nature and extent of the entity’s related party relationships and transactions

   The importance of maintaining professional skepticism throughout the audit when considering related party relationships and transactions

   Conditions that may indicate related party relationships or transactions that management has not identified or disclosed (i.e., a complex organizational structure, use of special-purpose entities for off-balance sheet transactions, or an inadequate information system)

   Records or documents that may indicate related party relationships or transactions

   The importance management and those charged with governance attach to identifying, accounting for and disclosing related party relationships and transactions, and the related risk of management override of controls over related party transactions

   Potential for fraud, such as how:

     Special-purpose entities controlled by management may be used to facilitate earnings management

     Transactions between the entity and a known business partner of a key management member could be arranged to misappropriate entity assets

 Circumstances that may indicate earnings management, and practices followed by management to
manage earnings, that could lead to fraudulent financial reporting

 Risk of management override of controls

 Other circumstances that, if encountered, may indicate the possibility of fraud

Appendix 2.2 Question prompts on fraud


Thought-provoking questions help generate ideas about how fraud may be perpetrated. The following may be
used to facilitate discussion at both planning and post-interim stages:

 Have we considered how and where the entity’s financial statements (including the individual statements
and disclosures) contain a risk of material misstatement due to fraud from the entity’s perspective?

 Have we considered how management could present disclosures to obscure a proper understanding of the
matters disclosed (e.g., by including too much immaterial information or using unclear or ambiguous
language)?

 Have we appropriately considered the known external and internal fraud risk factors affecting the entity that
create conditions of fraud (incentive/pressure, opportunity and rationale)? Have we considered the risk of
management override of controls? If so, do our identified risks of fraud clearly articulate our concerns on
the specific actions that management could take?

 What matters were identified in our client and engagement acceptance and continuance process that
indicate a risk of material misstatement due to fraud?

 How may fraud occur in significant accounts where inherent risk has been previously assessed as higher
or is likely to be assessed as such this period (e.g., revenue recognition at a software company)?

 Which accounts do we suspect may be most vulnerable to manipulation?

 Have we encountered recurring misstatements (either uncorrected or corrected) for certain accounts in
previous audits that may indicate a risk of material misstatement due to fraud (e.g., related to significant
estimates that may indicate management bias or earnings management)?

 In what areas did we identify exceptions in our testing of controls or substantive procedures? Do any of the
exceptions indicate the possibility of management override?

 In what areas did we encounter numerous reconciling items or significant, unexplained reconciling items or
adjustments?

 In previous audits, were there areas where management had little or incomplete documentation to support
its conclusions?

 What provisions in executive compensation plans – including key clauses in employment contracts for
specific executives – may create incentives or pressures to misstate the financial statements?

 How aggressive were previous forecasts? What controls are in place related to forecasts?

 How aggressive are the entity’s accounting policies?

 Has management been domineering in dealing with us, exerted undue pressure to accept a certain
accounting treatment, or imposed unreasonable deadlines for completing the audit?

 Are any types of transactions within a single class (e.g., purchase, sales, and payroll) initiated, recorded,
processed, reported or had incorrect information corrected differently than others in that class? If so, why?

 What areas of the financial statement close process (including eliminating entries and other adjustments)
may be more susceptible to management override?

 Which of the entity’s operating entities receive little oversight and analysis from management? Do any
locations consistently meet budgets and forecasts with unrealistic precision?

 What is the business purpose for non-operating entities (e.g., other tax or legal entities that have no sales
but may affect earnings)?

 What types of related party transactions does the entity enter into? What is the underlying business
purpose for these transactions?

 Have we had indications from employees that management has asked or directed them to record a
transaction outside normal processing procedures or to make an unusual journal entry? Have employees
expressed discomfort about the entity’s selection and application of accounting policies or accounting for
certain transactions?

 In what ways could management originate and post inappropriate journal entries or other adjustments?

 Has management been reluctant to implement our recommendations for improving internal control? Are
there indications that management is not paying appropriate attention to internal control (including IT
controls), particularly for high-growth businesses or those with frequent mergers or acquisitions? Has
management implemented appropriate physical safeguards over assets that may be easily stolen?

 If you were management, what impression would you want to make on third parties and how might you
manipulate the financial statements to do so?

 If someone in a position of authority at the entity wanted to commit fraud, what would be the easiest way to
do it?

 What assets does the entity have that would have value to employees or be sold easily on the street?

 If you were the entity’s financial controller, how could you embezzle funds and not get caught?

 If you worked on the loading dock, how could you steal inventory?

Appendix 3 Circumstances that may indicate fraud

Our evaluation of the risks of material misstatement due to fraud is a cumulative process throughout the audit.
We may identify conditions that change or support our evaluation of the risks. The following may indicate fraud: 45

 Discrepancies in accounting records, including:

   Transactions not recorded in a complete or timely manner, or incorrectly recorded with respect to amount, accounting period, classification or entity policy

   Unsupported or unauthorized balances or transactions

   Last-minute adjustments that significantly affect the financial results

   Evidence of employee access to systems and records inconsistent with that necessary to perform authorized duties

 Conflicting, missing or unusual audit evidence, including:

   Missing documents

   Documents that appear to have been altered

   Availability of photocopied documents only, when we expect originals

   Significant unexplained items on reconciliations

   Inconsistent, vague or implausible responses from management or employees to inquiries or analytical or data analysis procedures

   Unusual discrepancies between the entity’s records and confirmation replies

   Missing inventory or physical assets of significant magnitude

   Unavailable or missing electronic evidence, inconsistent with the entity’s record retention practices or policies

   No available evidence of key systems development and program-change testing and implementation activities for current period system changes and deployments

   Unusual balance sheet changes or changes in trends or important financial statement ratios or relationships

   Large numbers of credit entries and other adjustments made to accounts receivable records

   Unexplained or inadequately explained differences between the accounts receivable subsidiary ledger and the general ledger control account, or between the customer statement and the accounts receivable subsidiary ledger

   Missing or nonexistent cancelled checks in circumstances in which cancelled checks are ordinarily returned to the entity with the bank statement

   Fewer responses to confirmation requests than anticipated or a greater number of responses than anticipated

 Problematic or unusual relationships between us and the entity, including:

   Denied access to records, facilities, certain employees, customers, vendors or others from whom we may seek audit evidence

   Undue time pressures imposed by management to resolve complex or contentious issues

   Management complaints about the conduct of the audit or management intimidation of audit team members

   Unusual delays in providing information we request

   Unwillingness to allow access to key electronic files for testing through automated techniques

   Denied access to key IT operations staff and facilities

   Management’s unwillingness to add or revise disclosures in the financial statements to make them more complete and transparent

   Management’s unwillingness to appropriately address significant deficiencies in internal control on a timely basis

 Other matters, including:

   Tips or complaints to us about alleged fraud

   Objections by management to us meeting privately with those charged with governance

   Accounting policies that appear inconsistent with industry practices that are widely recognized and prevalent

   Frequent changes in accounting estimates that do not appear to result from changing circumstances

   Tolerance of violations of the entity’s code of conduct

While the preceding factors may indicate fraud, they may not be due to fraud. Documents may be legitimately
lost, the general ledger may be out of balance because of an unintentional accounting error and unexpected
analytical relationships may be due to unrecognized changes in underlying economic factors. Even reports of
alleged fraud may not be reliable because an employee or outsider may be mistaken or motivated to make a
false allegation.

Footnotes

1 ISA 240.24, AICPA AU-C 240.24, AICPA AU-C 315.09, PCAOB AS 2110.65

2 ISA 240.32, AICPA AU-C 240.32, PCAOB AS 2401.57, PCAOB AS 2301.15

3 ISA 240.26, ISA 240.47, AICPA AU-C 240.26, PCAOB AS 2110.68

4 ISA 240.31, AICPA AU-C 240.31, PCAOB AS 2110.69

5 PCAOB AS 2305.10

6 ISA 240.32, AICPA AU-C 240.32, PCAOB AS 2401.66

7 PCAOB AS 2401.66

9 ISA 550.19, AICPA AU-C 550.20

10 ISA 240.12, ISA 240.16, AICPA AU-C 240.16, PCAOB AS 2110.04

11 ISA 240.22, AICPA AU-C 240.22, PCAOB AS 2401.83

12 PCAOB AS 2110.54

13 ISA 240.15, AICPA AU-C 240.15, PCAOB AS 2110.58

15 PCAOB AS 2110.55

16 EY Policy, ISA 240.17, ISA 240.18, ISA 240.32, AICPA AU-C 240.17, AICPA AU-C 240.18, PCAOB
AS 2110.26, PCAOB AS 2110.56

17 ISA 315.31, AICPA AU-C 240.17, PCAOB AS 2101.07

18 ISA 240.20, AICPA AU-C 240.20, PCAOB AS 2110.56

19 ISA 240.21, AICPA AU-C 240.21

22 ISA 240.19, AICPA AU-C 240.19, PCAOB AS 2110.56

24 ISA 240.18, AICPA AU-C 240.18, PCAOB AS 2110.57

26 ISA 240.23, AICPA AU-C 240.23

27 ISA 240.24, AICPA AU-C 240.24

28 ISA 240.24, AICPA AU-C 240.24

29 ISA 240.25, AICPA AU-C 240.25

30 EY Policy, ISA 300.5

31 ISA 240.25, AICPA AU-C 240.25

32 PCAOB AS 2110.67

33 ISA 240.42, ISA 260.15, AICPA AU-C 240.41, AICPA AU-C 240.12, PCAOB AS 2401.81, PCAOB AS
1301.9

35 ISA 240.41, ISA 265.9, AICPA AU-C 240.39-.40, PCAOB AS 2401.80

36 ISA 240.41, ISA 265.9, PCAOB AS 2401.80

37 ISA 240.44, ISA 315.32, AICPA AU-C 240.43, PCAOB AS 2401.83

38 EY Policy

39 EY Policy

40 EY Policy

41 ISA 240.26, ISA 240.47, AICPA AU-C 240.46, PCAOB AS 2401.83, PCAOB AS 2110.67

42 ISA 315.32, AICPA AU-C 315.33, PCAOB AS 2401.83

43 EY Policy

44 PCAOB AS 2110.25

45 PCAOB AS 2801 Appendix C
