Governance, laws, and auditor responsibilities - Fraud vs er...

Learning Outcomes

This article explains how fraud and error differ, the responsibilities of auditors and management for prevention and detection, and the procedures applied under ISA 240. You will learn to identify auditor duties in response to suspected fraud, recognize governance structures that impact fraud risk, and appreciate the practical limits of audit assurance. By the end, you should be able to explain and apply the correct responses to fraud or error scenarios in the ACCA exam.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand the distinction between fraud and error, and the auditor’s related responsibilities under standards such as ISA 240. Focus your revision on:

  • Explaining the overall objectives and attitude required of auditors concerning potential fraud and error in financial statements.
  • Differentiating between fraud and error, and explaining their impact on audit strategy and procedures.
  • Outlining management’s and auditors’ responsibilities for prevention and detection of fraud and error.
  • Describing the procedures for assessing fraud risk, responding to identified risks, and reporting actual or suspected fraud.
  • Explaining auditor responsibilities for compliance with laws and regulations as they intersect with fraud.
  • Recognizing the practical limitations of audit in providing assurance that all fraud and error will be detected.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. Which of the following best describes the auditor’s responsibility regarding fraud during an audit?
    1. Detect and report all instances of fraud
    2. Provide absolute assurance financial statements are free from fraud
    3. Obtain reasonable assurance the statements are free from material misstatement due to fraud or error
    4. None—it is management’s responsibility alone
  2. List two main types of fraud considered by auditors under ISA 240.

  3. Identify two procedures auditors perform to address the risk of management override of controls.

  4. True or false? Error is always unintentional, while fraud involves deliberate deception.

Introduction

Fraud and error are distinct ideas with different implications for audit. Audit standards require the auditor to obtain reasonable assurance that financial statements are free from material misstatement, whether the result of fraud or error. However, both the prevention of fraud and responsibility for detecting it start with management and those charged with governance. Understanding governance structure, control environment, and auditor duties is essential to providing assurance and discharging professional responsibilities under ISA 240.

Key Term: Fraud
An intentional act, including deception, committed to obtain an unjust or illegal advantage. Fraud may involve manipulation of accounting records (fraudulent financial reporting) or theft/misappropriation of assets.

Key Term: Error
An unintentional misstatement in financial statements, such as mathematical mistakes or oversight, not involving deliberate intent.

Key Term: Management Override
Circumstances where management bypasses prescribed internal controls, posing a significant risk of material misstatement due to fraud, even in well-controlled environments.

AUDITOR AND MANAGEMENT RESPONSIBILITIES

Responsibilities of Management and Governance

Management bears primary responsibility for preventing and detecting both fraud and error. This is achieved by:

  • Implementing an effective system of internal control
  • Creating a culture of honesty and ethical behavior
  • Regularly assessing fraud risk

Those charged with governance, such as the board and audit committee, must oversee these controls and review management’s assessment of fraud risk.

Key Term: Governance
Systems, processes, and structures for overseeing the organization, ensuring accountability, integrity, and the protection of stakeholder interests.

Auditor Responsibilities (ISA 240)

ISA 240 states that auditors must obtain reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. This includes:

  • Maintaining professional scepticism throughout the audit
  • Recognizing risks of material misstatement due to fraud—even in entities judged honest in past audits
  • Assessing the risk of material misstatement due to fraud as a fundamental part of audit planning

However, auditors do not guarantee detection of all fraud. Collusion, skillful concealment, or management override can render some frauds very difficult to uncover.

FRAUD VERSUS ERROR

The distinction between fraud and error is essential for appropriate audit response:

  • Fraud involves intentional deception or misrepresentation with the aim to mislead users of financial statements or misappropriate assets.
  • Error involves unintentional misstatements or omissions—these are not deliberate or calculated.

Fraud is subdivided into:

  1. Fraudulent financial reporting – deliberate misstatement or omission of amounts or disclosures to deceive users.
  2. Misappropriation of assets – theft of company assets, often concealed through falsified records.

Key Term: Fraudulent Financial Reporting
Intentional misstatement or omission in financial statements designed to deceive users.

Key Term: Misappropriation of Assets
Theft or embezzlement of an entity’s assets by management, employees, or third parties, often concealed through falsification of accounting records.

FRAUD RISK ASSESSMENT AND RESPONSE

Fraud Risk Assessment Procedures

Auditors are required to perform specific procedures to identify and assess the risk of material misstatement due to fraud:

  • Hold discussions among the audit team regarding potential fraud risks and how they might occur
  • Make enquiries of management, internal audit, and those charged with governance regarding their assessment of fraud risk, awareness of actual or suspected fraud, and processes for identifying it
  • Consider risk factors such as incentive/pressure, opportunity, and rationalization for fraud
  • Use analytical procedures to identify unexpected relationships or unusual transactions
  • Remain alert for transactions outside normal business operations

Where significant fraud risks are identified (especially management override), auditors must tailor their response:

  • Test the appropriateness of journal entries, especially those at period-end
  • Review accounting estimates for signs of bias
  • Evaluate the business rationale for significant or unusual transactions

Key Term: Professional Scepticism
The auditor’s mindset of questioning and critically assessing evidence—remaining alert to conditions indicative of possible misstatement due to fraud or error.

Worked Example 1.1

A retail company’s management receives performance bonuses for meeting profit targets. Near year-end, large manual journal entries are posted to increase revenue. As audit senior, what should you do?

Answer:
Treat this as a significant fraud risk due to the incentive for management bias. Test journal entries, particularly those posted late in the period, investigate the legitimacy and supporting evidence, and consider whether the entries have a valid business purpose.

LIMITATIONS OF AUDIT—THE EXPECTATION GAP

Although auditors must obtain reasonable assurance, the audit process has inherent limitations:

  • Audit is conducted on a sample basis and not all transactions are examined
  • Collusion among employees or management can circumvent controls and disguise fraud
  • Judgement is required in estimates; deliberate bias may not always be identifiable
  • Management override can defeat even robust controls
  • Audit evidence is persuasive, not conclusive

This means that even the most diligent audit may not detect all material fraud. Users must understand that reasonable assurance is not the same as a guarantee.

Key Term: Expectation Gap
The difference between what users believe auditors are responsible for and what audit standards actually require.

Exam Warning

Do not state that the auditor is required to detect all instances of fraud or guarantee accuracy. The standard is reasonable assurance, not certainty.

PRACTICAL PROCEDURES FOR FRAUD DETECTION

Audit Procedures to Respond to Fraud Risks

  • Incorporate an element of unpredictability into tests (e.g., surprise procedures)
  • Test unusual or significant journal entries, including period-end and manual entries
  • Evaluate whether judgments in estimates demonstrate potential management bias
  • Investigate significant transactions outside ordinary business activities
  • Review accounting policies for changes not justified by the business

If fraud is suspected or identified:

  • Communicate promptly to an appropriate level of management or those charged with governance
  • For fraud involving management, report to those charged with governance
  • Where required by law, such as for money laundering, report to authorities

Worked Example 1.2

An auditor identifies that the finance director has approved supplier payments to a business controlled by a relative, with inflated prices. What is the audit response?

Answer:
Communicate the suspected fraud to those charged with governance, perform additional procedures to quantify the impact, and consider the need to expand audit testing. Depending on local laws, consider whether external reporting is required.

GOVERNANCE STRUCTURES IMPACTING FRAUD RISK

Entities with strong governance—including independent audit committees, robust internal controls, and ethical cultures—tend to have a lower risk of fraud. The absence of segregation of duties, lack of independent oversight, and weak internal controls increase vulnerability.

Audit committees, where present, should:

  • Oversee financial reporting and internal controls
  • Review whistleblowing arrangements
  • Monitor management’s response to identified fraud risks

Key Term: Audit Committee
A subcommittee of non-executive directors tasked with oversight of financial reporting, internal control, and external/internal audit.

Worked Example 1.3

A company lacks an independent audit committee and critical financial decisions are made solely by executive directors. How does this affect audit risk relating to fraud?

Answer:
The absence of independent oversight increases inherent and control risks for fraudulent financial reporting and misappropriation of assets. Auditors may need to adjust their audit strategy, plan more substantive testing, and increase focus on management override risks.

AUDITOR REPORTING WHEN FRAUD IS DISCOVERED

When fraud (or suspected fraud) causes or could cause material misstatement:

  • Discuss findings with management or those charged with governance as appropriate
  • Consider the effect on the audit opinion—lack of adequate disclosure may require a modified opinion
  • Where required, report to external parties (e.g., regulators) according to local law

If management refuses to address risks or fails to correct material misstatements, the auditor must consider withdrawal or issue a qualified or adverse opinion.

Key Point Checklist

This article has covered the following key knowledge points:

  • Distinguish between fraud (intentional) and error (unintentional) misstatements.
  • Outline management’s primary responsibility for preventing and detecting fraud and error, and the supporting role of those charged with governance.
  • State the auditor’s responsibilities under ISA 240 for obtaining reasonable, not absolute, assurance about fraud and error.
  • Describe the procedures for fraud risk assessment and appropriate audit responses, including journal entry testing and reviewing accounting estimates.
  • Discuss the limits of audit in detecting all fraud due to inherent limitations and management override.
  • Explain required communication and reporting actions if fraud is identified or suspected.
  • Recognize how governance structures such as audit committees support fraud risk mitigation.

Key Terms and Concepts

  • Fraud
  • Error
  • Management Override
  • Governance
  • Fraudulent Financial Reporting
  • Misappropriation of Assets
  • Professional Scepticism
  • Expectation Gap
  • Audit Committee
