ch 10 Assessing and Responding to Fraud Risks

What's easier to detect? Why? Liability/expense understatement schemes Asset/revenue overstatement schemes

Asset/revenue overstatement schemes

Fraud risk factors

Auditing standards require the auditor to evaluate whether fraud risk factors indicate incentives or pressure to perpetrate fraud, opportunities to carry out fraud, or attitudes or rationalizations used to justify fraudulent actions. The existence of fraud risk factors does not mean fraud exists, but that the likelihood of fraud is higher

•What is the difference between fraud and an error?

Intent

Misappropriation in the Acquisition and Payment Cycle

Most common fraud is to issue payments to fictitious vendors and deposit cash in a fictitious account Employees may also steal legitimate payments and then reissue the supporting documents for payment

Why Good People Do Bad Things

The vast majority of us are capable of behaving in profoundly unethical ways We are frequently blind to the ethics of a situation; in part due to decision framing. If something is framed as a business decision (vs. an ethical decision), people are more likely to cheat. This framing activates certain cognitive goals. Sometimes people lie because they "care"...trying to help someone out because we like, or relate to, them. People can focus on the immediate instead of the more abstract. Example of car inspectors. They are helping "real people".

Window dressing

When a company takes actions to improve the appearance of their financial statements - generally, before the end of an accounting period. Misclassification of long term assets as current assets. Done to impress shareholders, gain approval for a loan, or prior to a merger.

Earnings Management

deliberate actions taken by management to meet earnings objectives

Income Smoothing (Accruals Earnings management)

form of earnings management in which revenues and expenses are shifted between periods to reduce fluctuations in earnings Ex. Record a very high reserve for inventory obsolescence to offset high earnings "Cookie jar reserves" are reserves of income to be used in later periods- for example recording a liability to reduce income and then release it in later periods (restructuring charges)

•When fraud is suspected, the auditor often begins by

•Making additional inquiries to determine whether fraud actually exists !!!

Conditions for fraud: Internal Audit

"Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, whether caused by error or fraud." (IIA Standard 1210.A2)

•What are the four elements of fraud?

1) A material false statement, 2) Knowledge that the statement was false when it was uttered, 3) Reliance on the false statement by the victim, and 4) Damages resulting from the victim's reliance on the false statement.

Most common types of revenue related fraud

1. Fictitious Revenue 2. Premature Revenue Recognition - Accelerating the timing of revenue recognition to meet earnings or sales forecasts Ex. "bill-and-hold" sales- goods are invoiced (recorded as revenue) before they are shipped Ex. Side agreements where a customer agrees to "buy" inventory at year end, but the side agreement gives them more favorable pricing and unrestricted return of goods if not sold by the customer 3. Manipulation of Adjustments to Revenue - Most common adjustment involves sales returns and allowances Ex. A company may hide sales returns from the auditors to increase income. If the returned goods are counted as part of inventory, an asset increase is recognized, but the related reduction to AR is not made. Ex. Understate bad debt expense

Audit committee oversight

Audit committee has primary responsibility to oversee the organization's financial reporting and internal control processes Serves as a deterrent to fraud by senior management. - Oversight may include: - Internal audit reporting findings directly to the audit committee - Periodic reports by ethics officers about whistleblowing - Other reports about lack of ethical behavior or suspected fraud Under PCAOB Standard 5, public company auditors are required to evaluate the effectiveness of the board and audit committee as part of their evaluation of the operative effectiveness of internal control over financial reporting

Communication among audit team

Audit teams are required to hold "brainstorming" sessions to disseminate information from more senior members of the audit team to the junior audit team members They address the following: -How and where they believe the entity's financial statements might be susceptible to fraud -How management could perpetrate and conceal fraudulent financial reporting -How anyone might misappropriate assets of the entity -How the auditor might respond to the susceptibility of material misstatements due to fraud

Inquiries of management

Auditing standards require the auditor to make specific inquiries about fraud on every audit - This provides employees with an opportunity to tell the auditor information that otherwise might not be communicated Auditor must also talk with the audit committee or others charged with governance about their views of the risks of fraud and whether they have knowledge of any fraud or suspected fraud Auditors should also make inquiries of other employees whose duties like outside of financial reporting (ex. Inventory manager)

Other information

Auditor should consider all information they have obtained in any phase or part of the audit as they assess the risk of fraud Many of the risk assessment procedures that the auditor performs during planning to assess the risk of material misstatement may indicate a heightened risk of fraud For example: During client acceptance or quarterly reviews

Analytical procedures

Auditors must perform analytical procedures during the planning and completion phases of the audit to help identify unusual transactions or events that might indicate the presence of material misstatements in the financial statements

Real Earnings management

Changing the organization's investment, financing, expenditure, production, etc. decisions with the intent of portraying earnings more positively.

Identifying and Measuring Fraud Risks (mgmt)

Effective fraud oversight begins with management's recognition that fraud is possible and that almost any employee is capable of committing a dishonest act under the right circumstances

Concealed Liabilities & Expenses

Examples: Liability/Expense omissions Capitalized expenses Failure to disclose warranty costs and liabilities Understatement of pension liability

Inventory Related Fraud

Fictitious inventory has been at the center of several major cases of fraudulent financial reporting When auditors are required to verify the existence of physical inventories, audit testing is done on a sample basis and not all locations with inventory are typically tested - Inventory is susceptible to: - Manipulation by managers who want to achieve certain financial reporting objectives - Misappropriation because it is usually readily saleable Warning signs - Analytical procedures are one useful technique for detecting inventory fraud; fictitious inventory can understate COGS (depending on how it is recorded), overstates gross margin percentage, and lowers inventory turnover (inflates inventory but COGS is unaffected) - Documentary discrepancies

Monitoring Fraud Prevention Programs and Controls (mgmt)

For high fraud risk areas, management should periodically evaluate whether appropriate antifraud programs and controls have been implemented and are operating effectively Internal audit plays a key role in monitoring activities to ensure that antifraud programs and controls are operating effectively

Fraudulent Financial Reporting A/P

Generally results in an understatement of purchases and COGS and an overstatement of net income. Companies could postpone recording AP until the subsequent period or record fictitious reductions to AP Companies also often have complex arrangements with suppliers that result in reductions to AP for advertising credits and other allowances- companies could use fictitious reductions to AP to overstate income

In addition to ratio analysis, auditors can perform a:

Horizontal Analysis- account balance is compared to the previous period, and the percentage change in the account balances for the prior is calculated Vertical Analysis- financial statement numbers are converted to percentages

Improper Asset Valuations

How do we value assets? Lower of cost or market value; Fair value Types: Inventory Valuation Accounts Receivable Business Combinations E.g., Goodwill Fixed Assets Others (including intangible assets)

Generally, a fraudster will understate liabilities and expenses. What is the net effect?

Increase net income

Cookie jar reserves

Inflated or improper reserves posted to provide a cushion against earnings shortfalls in later periods, when those reserves can be drawn into income. "Sunbeam's senior management created $35 million in improper restructuring reserves and other "cookie jar" reserves as part of a year-end 1996 restructuring, which were reversed into income the following year."

Why revenues and not other accounts?

Largest account on the I.S. Overstatement of revenue often increases net income by an equal amount, because related cost of sales are usually not recognized on prematurely recognized revenue Revenue growth is often a key performance indicator for analysts and investors and affects company valuation There is difficulty in determining the appropriate timing of revenue recognition in many situations

Mitigating Fraud Risks (mgmt)

Management is responsible for designing and implementing programs and controls to mitigate fraud risks, and it can change business activities and processes prone to fraud to reduce incentives and opportunities for fraud (ex. Use a lockbox system for cash collections)

Revenue Related Fraud

More than half of financial statement frauds involve revenues and AR On most audits, standards require auditors to identify revenue recognition as a fraud risk. Fictitious revenue overstates the gross margin percentage and premature revenue can if COGS is not recognized

One can successfully perpetrate a fraud because of their: (Why Do Perpetrators Succeed?)

Position/function within an organization Brains - They're smart enough to understand and exploit internal control weaknesses or they are bored with their job Confidence/ego - They believe they won't be detected or smart enough to talk themselves out of trouble Coercion skills - i.e. persuasive personality - "charismatic" Ability to lie Immunity to stress Ability and willingness to take risks and break the rules

Conditions for fraud: External Audit

SOX 404 requires public companies to have external auditors test their system of internal controls "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." (AU 316, 01 & SAS 99)

Research indicates that the most effective way to prevent and deter fraud is to implement antifraud programs and controls that are based on core values embraced by the company

Set a "tone at the top" based on honesty and integrity Create a positive workplace environment - Can generate improved employee morale, which may reduce employee's likelihood of committing fraud against the company Hiring and Promoting Appropriate Employees - Well-run companies implement effective screening policies to reduce the likelihood of hiring and promoting individuals with low levels of honesty, especially those who hold positions of trust Train about the company's expectation of employees' ethical conduct Require employees to confirm their responsibility for complying with the code of conduct Discipline - Employees must know that they will be held accountable for failing to follow the company's code of conduct

Fraud is NOT

Taken by physical force A mistake or error Victimless Insignificant because no one is hurt (physically / violently) Acceptable or justifiable

Big bath

When a company writes off assets or accelerates expenses to increase the loss in a period or to reduce a large profit in a period. More likely when there is a change in management or during a really bad/good year.

Auditors Responsibilities when fraud is suspected

When the auditor determines fraud may be present, they must discuss the matter and audit approach for further investigation with an appropriate level of management (one level above those involved, as well as senior management and the audit committee) For audits of internal control over FR (public companies), a fraud of any magnitude by senior management is at least a significant deficiency and may be a material weakness Auditor must discuss with those charged with governance when they identify that management's antifraud programs and controls fail to mitigate risks of fraud Disclosure of fraud to parties other than the client's senior management and its audit committee ordinarily is not part of the auditor's responsibility

Inquiries of management should address...

Whether management has knowledge of any fraud or suspected fraud within a company Management's process of assessing fraud risks Nature of fraud risks identified by management Internal controls implemented to address the management's fraud risks Information about fraud risks and related controls that management has reported to the audit committee

•Three conditions for fraud arising from fraudulent financial reporting and misappropriations of assets are referred to as the

fraud triangle

Bounded ethicality

the notion that cognitively, our ability to behave ethically is seriously limited, because we don't always see the ethical big picture.

•When the auditor identifies risks of material misstatements due to fraud, auditing standards require the auditor to develop responses to those risks at three levels:

•1. Responses Overall level •2. Responses at Assertion Level •3. Responses related to Management Override

•Auditing standards require the auditor to obtain additional evidence to determine whether material fraud has occurred •In addition to inquiry, auditors often:

•Apply data analytics - searching for duplicate sales invoice numbers or breaks in doc sequences •Expand other substantive testing - modify audit procedures to address heightened fraud risks

Assessing the Risk of Fraud

•Auditing standards require the auditor to assess the risk of material misstatement due to fraud

Identified Risks of Material Misstatement Due to Fraud

•Auditors evaluate all the sources of information gathered to assess the risk of material misstatement due to fraud as part of audit planning •While the assessment of fraud is conducted as part of audit planning, the auditor's assessment of fraud risk should be ongoing throughout the audit

•There are five sources of information that help auditors to assess fraud risks:

•Communications among audit team •Inquiries of management •Risk factors •Analytical procedures •Other information

•Guidance developed for auditors by the AICPA identifies three elements to prevent, deter, and detect fraud:

•Culture of honesty and high ethics •Management's responsibility to evaluate risks of fraud •Audit committee oversight

•2. Responses at the assertion level

•Design and perform audit procedures to address fraud risks •Ex. Review sales journal at, and after, year end if you expect channel stuffing is occurring

•3. Responses related to management override

•Design and perform procedures to address management override of controls •Risk of management override exists on almost all audits •Three procedures must be performed on every audit: •1. Examine journal entries and other adjustments for evidence of possible misstatements due to fraud - Journal entry testing •2. Review accounting estimates for bias - Look at prior year estimates to see if there have been any changes in judgments or assumptions •3. Evaluate the business rationale for significant unusual transactions - Want to understand the purpose of significant transactions to assess whether transactions have been entered into to engage in fraudulent financial reporting

Auditors should be alert for the following conditions when doing the audit (for fraud)

•Discrepancies in the accounting records •Conflicting or missing audit evidence •Problematic or unusual relationships between the auditor and management •Results from substantive or final review stage analytical procedures that indicate a previously unrecognized fraud risk •Responses to inquiries made throughout the audit that are vague or implausible or that produce evidence that is inconsistent with other information (SIDE) •The auditor's assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit and coordinated with the auditor's other risk assessment procedures

•Other areas of fraud risk:

•Fixed assets - Companies may try to improperly capitalize expenses - Fixed assets are also targets for theft •Intangible assets - May be incorrectly valued (higher than actual) •Payroll expenses - Companies may overstate inventory inventories and net income by recording excess labor costs as inventory - Misappropriation is fairly common - Creation of fictitious employees -Overstatement of individual pay hours.

Why should we learn about fraud?

•Fraud is prevalent in business and costly! •As auditors, we're required to have some level of understanding. •As employees, we're likely to be the first line of defense. •As business owners, we're likely to identify fraud much sooner and handle a fraud occurrence much better.

Fraud Triangle (3 conditions)

•Incentives/Pressures - a reason to commit fraud •Opportunities - circumstances that permit fraud to occur •Attitudes/Rationalization - an attitude that allows fraud to occur - Even honest people can rationalize a fraud if the pressures and opportunities present themselves.

Fraudulent financial reporting

•Intentional misstatement or omission of amounts or disclosures with the intent to deceive users - Most cases of fraudulent financial reporting involves attempts to overstate income, but some companies also deliberately understate income

•Auditors can use one or more of the following inquiry categories depending on their objectives:

•Interviewing allows the auditor to clarify unobservable issues and observe the respondent's verbal and nonverbal responses. •Informational inquiry: to obtain info about facts and details the auditor doesn't have •Assessment inquiry - to corroborate or contradict prior information •Interrogative inquiry - often used to determine If the individual is being deceptive or purposefully omitting disclosure of key knowledge of facts, events or circumstances

Opportunity

•Lack of controls or weak controls; complex accounting rules/organization •Inability to judge performance; failure to discipline; lack of access to information; ignorance; lack of audit trail •Is opportunity something that someone causes to happen or something that happens to someone?

•Management is responsible for implementing corporate governance and control procedures to:

•Minimize the risk of fraud, which can be reduced through a combination of •Prevention •Deterrence •Detection measures

•Revenue and accounts receivable fraud risks

•Misappropriation of receipts involving revenue include: - Failure to record a sale - Theft of cash receipts after a sale is recorded •Warning signs - Internal controls, analytical procedures and other comparisons may be useful

Two perspectives: (professional skepticism)

•Neutrality - refers to a perspective in which the auditor neither assumes that management is dishonest nor assumes unquestioned honesty. (Auditing Standards) •Presumptive Doubt - represents an auditor's attitude in which some level of dishonesty or bias by management is assumed, unless evidence indicates otherwise.

•Misappropriation of assets

•Often these amounts are not material to the financial statements •Normally refers to theft involving employees and others internal to the organization •Normally perpetrated at lower levels of the organization hierarchy

Pressure / Incentive

•Pressure to meet certain earnings/sales goals, analyst expectations, etc. •Living beyond means, greed, vices (e.g., gambling) •Social/family pressures •Most frauds involve financial or vice-related pressures

•As auditors consider a broad set of information, including fraud risk factors, they must maintain a level of professional skepticism, which consists of:

•Questioning mind •Critical evaluation of audit evidence (be diligent)

Revenue Recognition

•Revenue is recognized when: 1.It is realized or realizable, and 2.Earned. •The above two criteria are met when all of the following are established: 1.Persuasive evidence of an arrangement exists 2.Delivery has occurred or services have been rendered 3.The seller's price to the buyer is fixed or determinable 4.Collectability is reasonably assured

Auditors are required to document the following matters related to their consideration of material misstatements due to fraud

•Significant decisions made during the discussion among engagement team in planning the audit •Procedures performed to obtain information necessary to identify and assess the risks of material fraud •Reasons supporting a conclusion that there is not a significant risk of material improper revenue recognition •Specific risks of material fraud that were identified at both the overall financial statement level and the assertion level and the auditor's response to those risks •Results of procedures performed to address the risk of management override of controls •Other conditions and analytical relationships indicating that additional auditing procedures or other responses were required, and the actions taken by the auditor in response •The nature of communications about fraud made to management, the audit committee, or others

Rationalization / Attitude

•The organization owes me, it's for a good cause, we'll fix it later •Ineffective communication of company ethics/bad attitudes to controls •Some people just don't care!

•Frauds are often detected through:

•The receipt of an anonymous tip •Management review •Internal audit •Accident

•1. Responses at Overall level:

•When auditors identify risks of material misstatements due to fraud, they should first discuss their findings with management and get management's views of the potential for fraud and existing controls designed to prevent or detect misstatements •Next, auditors should consider whether or not such antifraud programs and controls mitigate the identified risks •Change the overall conduct of the audit •Incorporate unpredictability (required by auditing standards)

Fraud is defined as

•an intentional misstatement of financial statements. The two main categories are: •Fraudulent financial reporting •Misappropriation of assets