Auditing

Detecting fraud
Gerald Chau and Yu How-yuen highlight the procedures
outlined in HKSA 240 (Clarified) on auditing financial statements

n response to the infamous

accounting scandals at Enron,
Adelphia, Tyco and WorldCom,
the International Auditing and
Assurance Standards Board in
2004 revised the International Standards on
Auditing 240 The Auditors Responsibility
to Consider Fraud in an Audit of Financial
Statements, which aims to meet the needs
of investors, regulators and auditors
in preventing and detecting material
misstatement due to fraud.
Since then, the standard has been redrafted
in the clarified format several times and
renamed as The Auditors Responsibilities
Relating to Fraud in an Audit of Financial
Statements. The latest redraft was issued in
April 2009 and is effective for audits of financial
statements for periods beginning on or after
15 December 2009.
In Hong Kong, the comparable HKSA 240
(Clarified) was issued by the Institutes Auditing
and Assurance Standards Committee last July,
and has the same effective date as ISA 240.
HKSA 240 (Clarified) provides expanded
guidance for auditors to consider the existence
of material misstatement due to fraud in a
financial statement audit. It emphasizes the
auditors increased responsibility for detecting
fraud and requires a proactive search for fraud
during the whole audit. The revised standard
requires auditors to:
Maintain professional scepticism
An attitude of professional scepticism is the
foundation for identifying the risk of material
misstatements arising from fraud. HKSA 240
(Clarified) emphasizes the importance of such
an attitude throughout the audit and provides
42

February 2010

more requirements for risk assessment

and other practices designed to heighten
professional scepticism.
Auditors must plan and approach their audit
with a mind-set that recognizes the possibility
of material misstatements due to fraud and
perform audit testing during auditing to make
sure fraud has not occurred.

Fraud can easily be perpetrated when management

can override controls by
manipulating accounting
records a serious limitation
on an auditors procedures
for detecting fraud.

Identify and evaluate fraud risks

Fraud can usually be detected by
identifying signals of fraud, or so-called
fraud risk factors. Paragraph 24 of the
standard requires that the auditor
shall evaluate whether the information
obtained from the other risk assessment
procedures and related activities
performed indicates that one or more
fraud risk factors are present.
The fraud risk factors described in
the standard are based on the fraud
triangle proposed in 1973 by D.R. Cressey,
who categorizes the main conditions of
fraudulent financial activities into:

Pressure or incentive
Management or other employees may
have an incentive or be under pressure to
Hold discussions among
commit fraud. This might include excessive
audit team members
pressure to meet the expectations of
To fulfil their responsibility for detecting fraud, investors, lenders and financial analysts
auditors should hold discussions within
or personal financial obligations.
the audit team as required by paragraph 15
of HKSA 240 (Clarified), which states that
Opportunity
discussions should include an exchange of
Circumstances provide opportunities for
ideas about: (1) how the entitys financial
management or employees to commit
statements might be susceptible to material
fraud, which may include domination by
misstatement due to fraud, (2) how the fraud a single person or a small group in a
could be perpetrated and concealed, and
family-owned business, the ability of
(3) the audit procedures including additional management to override controls, or
or alternative ones that might be selected
inadequate internal controls.
to respond to the susceptibility of material
misstatements due to fraud.
Rationalization
There should also be discussions about
An attitude, a character or set of ethical
the risk of management overriding controls
values exists that allows management or
resulting in fraudulent financial reporting,
employees to commit dishonest acts such
setting aside any previously held views about
as the need to protect the shareholders and
managements integrity.
keep the stock price high.

A PLUS

Illustration: James Yang/Getty Images

Make enquiries within the entity

HKSA 240 (Clarified) suggests that one of the
main sources for identifying fraud risk factors
and obtaining knowledge about any actual,
suspected or alleged fraud is to make enquiries
with management and others within the entity.
Paragraph 17 of the standard outlines
some of the more important questions that
the auditor might raise with management
in relation to material misstatement due to
fraud. These are (1) managements assessment
of the risk that the financial statements
may be materially misstated due to fraud,
(2) managements process for identifying
and responding to the risks of fraud and (3)
managements communication to those
charged with governance regarding its
processes for identifying and responding
to the risks of fraud.
Conduct analytical procedures
Analytical procedures represent one of the
most important techniques in highlighting
fraud risk factors. Paragraph 22 of the
standard requires that the auditor shall
evaluate whether unusual or expected
relationships that have been identified in
performing analytical procedures.
When using such procedures in detecting possible risks of fraudulent material
misstatement, the auditor needs to be alert
to unexpected or unusual relationships
and must have a clear understanding of
the business environment in which their
client operates. Based on the auditors
understanding of the clients financial
relationships, any unexpected features
of the audit should prompt the auditor
to consider fraud risk factors.

Appendix 2 of the standard also suggests

using disaggregated data analysis to further
identify the risk of fraud relating to revenue
recognition. Data can be disaggregated
by division, product or location, and
comparisons of this data during the current
period with those of prior periods should be
performed. In general, the more detailed the

level of comparison, the more likely it is

that anomalies will be identified.
Test for management override of controls
Fraud can easily be perpetrated when
management can override controls by
manipulating accounting records a serious
limitation on an auditors procedures for
February 2010

43

Auditing

A PLUS

Predictability in the audit

approach may create
opportunities for management or other employees to
commit fraud and reduce
the effectiveness of audit
tests in detecting fraud.
detecting fraud. To counteract this, auditors are
required to add tests of the appropriateness of
journal entries, reviews of accounting estimates
and their appropriateness, and show an
understanding of the business rationale for
significant transactions outside the normal
course of business.
Addressing identified fraud risks
According to paragraph 29 of HKSA 240
(Clarified), procedures carried out by auditors
to determine how best to address fraud
risks may include: (1) reviewing the level of
supervisory personnel to ensure that it is
commensurate with the auditors assessment
of the fraud risk, including additional staff
with specialized skill (forensic and IT experts),
(2) considering managements selection of
accounting policies, especially those related
to subjective measurements and complex
transactions, (3) incorporating an element of
unpredictability into the audit approach as
discussed below and (4) reviewing the nature,
timing and extent of audit procedures related
to their effectiveness in addressing these
identified risks.
44

February 2010

Conduct unpredictable audit tests

Predictability in the audit approach may
create opportunities for management or
other employees to commit fraud and reduce
the effectiveness of audit tests in detecting
fraud. Paragraph A36 of the standard
specifically states that introducing an
element of unpredictability in the selection
of the nature, timing and extent of audit
procedures is important.
This can be achieved by performing audit
procedures at different locations, changing
sampling methods, testing items that might
not be selected or anticipated by management
due to their materiality or risk, and adjusting
the timing of substantive procedures.
Obtaining representations
from management
HKSA 240 (Clarified) revises basic requirements
regarding the nature of representations
related to fraud that the auditors obtain from
management. According to paragraph 39
of the standard, some examples of specific
representations obtained from management
for assessing the material misstatement

due to fraud are: (1) They acknowledge their

responsibility for the design, implementation
and maintenance of internal controls to prevent
and detect fraud. (2) They have disclosed to the
auditor managements assessment of the risk
that the financial statements may be materially
misstated as a result of fraud. (3) They have
disclosed to the auditor their knowledge of
fraud or suspected fraud.
Keeping proper documentation
To guard against future litigation against
auditors relating to fraud, paragraphs 44
to 46 of the standard require the auditor to
document: (1) the significant decisions made as
a result of engagement teams discussion about
the susceptibility of fraud, (2) the identified and
assessed risks of material misstatement due to
fraud, (3) the overall responses to the assessed
risk of material misstatement due to fraud,
(4) the results of the specific audit procedure
designed to address the risk of management
override of controls and (5) communication
with management about fraud.

Gerald Chau is an assistant professor of the School of

Accounting and Finance at The Hong Kong Polytechnic
University and Yu How-yuen is a practising CPA and sole
proprietor of Yu How Yuen & Co.