Fraud auditing is referred to as fraud in the auditing of financial statements and is defined as intentionally misstating information contained in the financial statements. There are different kinds of fraud an auditor is responsible for identifying and assessing. The use of various devices and information technology (IT) functions require additional internal controls that carry their own risks and benefits.
Kinds of Fraud
There are two main categories of fraud in financial statements: fraudulent financial reporting and misappropriation of assets. Fraudulent financial reporting occurs when there is an omission of amounts or disclosures or intentional misstatements that are made to defraud or mislead users. Most fraudulent financial reporting is an effort to overstate income by omitting liabilities and expenses or overstating assets and income. However, there are occasions where a company will intentionally understate income by reducing inventory and asset value or overstating allowances for doubtful accounts. Understating income is often used in attempting to decrease income taxes (Arens, Elder, & Beasley, 2014).
Misappropriation of assets occurs when an organization’s assets are stolen and are often immaterial to the financial statements, but still raise concern for management as small thefts can lead to larger thefts. These thefts involve lower level employees and other internal personnel, shoplifting by customers, cheating by suppliers, and sometimes embezzlement by top management. Whether it is fraudulent financial reporting or misappropriation of assets, the fraud still raises concerns as to why it is happening and how to prevent it (Arens et al., 2014).
The fraud triangle is made up of the three conditions that arise from fraudulent financial reporting and misappropriation of assets. These three conditions are: 1) incentives/pressures, 2) opportunities, and 3) attitudes/rationalization. Although the conditions are the same for both categories of fraud, the risk factors for each are different. The risk factors for each condition for fraudulent financial reporting are:
Incentives/Pressures – Employees or management have incentives or pressures to make material misstatements in the financial statements such as: 1) declines in customer demands, 2) increasing industry business failures, and 3) meeting debt repayments.
Opportunities – Conditions make it possible for employees or management to make misstatements in the financial statements such as: 1) ineffective oversight over financial reporting, 2) high turnover of internal audit, accounting, or IT staff, and 3) inadequate internal controls.
Attitudes/Rationalization – Attitudes or ethical values are in place that permit employees or management to engage in dishonest acts, or an environment exists where pressure causes dishonest acts to be rationalized such as: 1) unacceptable or unsuccessful support and communication of the organization’s values, 2) history of violations of laws and regulations, and 3) impractical forecasts to creditors, analysts, and other third parties (Arens et al., 2014).
The risk factors for each condition for misappropriation of assets are:
Incentives/Pressures – Employees or management has incentives or pressures to make misappropriations of material assets such as: 1) personal financial obligations and access to cash or other vulnerable assets, 2) possible layoffs, and 3) rewards.
Opportunities – Conditions make it possible for employees or management to make misappropriations of assets such as: 1) large amounts of cash on hand or small, high demand, or high value inventory items, 2) lack of duty segregation or independent checks, and 3) absence of an approved vender list or mandatory vacations.
Attitudes/Rationalization – Attitudes or ethical values are in place that permit employees or management to engage in dishonest acts, or an environment exists where pressure causes dishonest acts to be rationalized such as: 1) indifference of the necessity for monitoring or reducing the risk of asset misappropriations, 2) overriding internal controls that are in place, and 3) failing to correct deficiencies in internal controls (Arens et al., 2014).
These are some of the risk factors that auditor’s look for when assessing the risks of fraudulent financial reporting and misappropriation of assets.
Auditors have a responsibility to assess the risk of fraud and detect material misstatements that are caused by fraudulent activity. They must plan and perform the audit to obtain reasonable assurance that material misstatements have not occurred and a low-level risk of fraud present. To accomplish this, auditors must maintain professional skepticism – no assumptions about management’s honesty and integrity, maintain a questioning mind, critically evaluate audit evidence, communicate with the audit team, make management inquiries, assess risk factors, perform analytical procedures, and consider all information that has been obtained in the audit performance. Auditors are also responsible for documenting all communication and discussion, procedures performed, identified material fraud risks with the auditor’s response description, reasons supporting conclusions, procedure results, any additional auditing procedures or responses that were required, and nature of communications about results with the audit committee, management, or other parties. Auditors have a responsibility to identify, document, and respond to the risk of fraud (Arens et al., 2014).
Internal Controls, Benefits, and Risks Associated with IT Functions
The internal controls associated with IT functions fall into two categories that have specific benefits and risks. The two categories of internal controls are: general controls and application controls. General controls apply to all portions of the IT function whereas application controls apply to processing transactions. The benefits associated with IT functions are:
Manual controls are replaced by computer controls.
Large amounts of complex business transactions are handled more cost-effectively.
Information is consistently processed reducing misstatements.
Higher-quality information is available.
Effective organization, procedures, and documentation.
Better management decisions (Arens et al., 2014)
The specific risks associated with IT functions are:
Risks to hardware and data – reliance on hardware and software functioning capabilities, unauthorized access, random versus systematic errors, and loss of data.
Reduced audit trail – decreased human involvement, reduced visibility of audit trail, and lack of traditional authorization.
Need for IT experience and separation of IT duties – knowledgeable and experienced IT personnel or consultants and combined duties into one IT function.
General and application controls – system crash, ineffective controls, and unauthorized changes to application software, master file update, and processing (Arens et al., 2014).
IT functions require additional internal controls that are accompanied by their own benefits and risks.
Fraud auditing is concerned with fraud found in the financial statements and is defined as intentionally misstating information contained in the financial statements. There are different types of fraud and risk factors (fraud triangle) an auditor is responsible for identifying and assessing. Information technology (IT) functions have their own internal controls that include their own benefits and risks.
Arens, A.A., Elder, R.J., & Beasley, M.S. (2014). Auditing and Assurance Services: An Integrated Approach (15th ed.). Retrieved from The University of Phoenix eBook Collection database.