Consideration of Fraud in a Financial Statement Audit
1719
AU Section 316
Consideration of Fraud in a Financial
Statement Audit
(Supersedes SAS No. 82.)
Source: SAS No. 99; SAS No. 113.
Effective for audits of financial statements for periods beginning on or after
December 15, 2002, unless otherwise indicated.
Introduction and Overview
.01 Section 110, Responsibilities and Functions of the Independent Audi-
tor, paragraph .02, states, "The auditor has a responsibility to plan and perform
the audit to obtain reasonable assurance about whether the financial state-
ments are free of material misstatement, whether caused by error or fraud.
[footnote omitted]"
1
This section establishes standards and provides guidance
to auditors in fulfilling that responsibility, as it relates to fraud, in an audit of
financial statements conducted in accordance with generally accepted auditing
standards (GAAS).
2
.02 The following is an overview of the organization and content of this
section:
Description and characteristics of fraud. This section describes fraud
and its characteristics. (See paragraphs .05 through .12.)
The importance of exercising professional skepticism. This section dis-
cusses the need for auditors to exercise professional skepticism when
considering the possibility that a material misstatement due to fraud
could be present. (See paragraph .13.)
Discussion among engagement personnel regarding the risks of mate-
rial misstatement due to fraud. This section requires, as part of plan-
ning the audit, that there be a discussion among the audit team mem-
bers to consider how and where the entity's financial statements might
be susceptible to material misstatement due to fraud and to reinforce
the importance of adopting an appropriate mindset of professional
skepticism. (See paragraphs .14 through .18.)
1
The auditor's consideration of illegal acts and responsibility for detecting misstatements result-
ing from illegal acts is defined in section 317, Illegal Acts by Clients. For those illegal acts that are
defined in that section as having a direct and material effect on the determination of financial state-
ment amounts, the auditor's responsibility to detect misstatements resulting from such illegal acts is
the same as that for errors (see section 312, Audit Risk and Materiality in Conducting an Audit,or
fraud).
2
Auditors are sometimes requested to perform other services related to fraud detection and pre-
vention, for example, special investigations to determine the extent of a suspected or detected fraud.
These other services usually include procedures that extend beyond or are different from the proce-
dures ordinarily performed in an audit of financial statements in accordance with generally accepted
auditing standards (GAAS). AT section 101, Attest Engagements, and CS section 100, Consulting Ser-
vices: Definitions and Standards, provide guidance to accountants relating to the performance of such
services.
AU §316.02
1720 The Standards of Field Work
Obtaining the information needed to identify risks of material mis-
statement due to fraud. This section requires the auditor to gather
information necessary to identify risks of material misstatement due
to fraud, by
a. Inquiring of management and others within the entity about the
risks of fraud. (See paragraphs .20 through .27.)
b. Considering the results of the analytical procedures performed in
planning the audit. (See paragraphs .28 through .30.)
c. Considering fraud risk factors. (See paragraphs .31 through .33,
and the Appendix, "Examples of Fraud Risk Factors" [para-
graph .85].)
d. Considering certain other information. (See paragraph .34.)
Identifying risks that may result in a material misstatement due to
fraud. This section requires the auditor to use the information gath-
ered to identify risks that may result in a material misstatement due
to fraud. (See paragraphs .35 through .42.)
Assessing the identified risks after taking into account an evaluation of
the entity's programs and controls. This section requires the auditor to
evaluate the entity's programs and controls that address the identified
risks of material misstatement due to fraud, and to assess the risks
taking into account this evaluation. (See paragraphs .43 through .45.)
Responding to the results of the assessment. This section emphasizes
that the auditor's response to the risks of material misstatement due
to fraud involves the application of professional skepticism when gath-
ering and evaluating audit evidence. (See paragraph .46 through .49.)
The section requires the auditor to respond to the results of the risk
assessment in three ways:
a. A response that has an overall effect on how the audit is con-
ducted, that is, a response involving more general considerations
apart from the specific procedures otherwise planned. (See para-
graph .50.)
b. A response to identified risks that involves the nature, timing,
and extent of the auditing procedures to be performed. (See para-
graphs .51 through .56.)
c. A response involving the performance of certain procedures to
further address the risk of material misstatement due to fraud
involving management override of controls. (See paragraphs .57
through .67.)
Evaluating audit evidence. This section requires the auditor to assess
the risks of material misstatement due to fraud throughout the audit
and to evaluate at the completion of the audit whether the accumu-
lated results of auditing procedures and other observations affect the
assessment. (See paragraphs .68 through .74.) It also requires the au-
ditor to consider whether identified misstatements may be indicative
of fraud and, if so, directs the auditor to evaluate their implications.
(See paragraphs .75 through .78.)
Communicating about fraud to management, those charged with gover-
nance, and others. This section provides guidance regarding the audi-
tor's communications about fraud to management, those charged with
governance, and others. (See paragraphs .79 through .82.)
Documenting the auditor's consideration of fraud. This section de-
scribes related documentation requirements. (See paragraph .83.)
AU §316.02
Consideration of Fraud in a Financial Statement Audit
1721
[Revised, April 2007, to reflect conforming changes necessary due to the is-
suance of Statement on Auditing Standards No. 114.]
.03 The requirements and guidance set forth in this section are intended
to be integrated into an overall audit process, in a logical manner that is consis-
tent with the requirements and guidance provided in other sections, including
section 311, Planning and Supervision; section 312, Audit Risk and Materiality
in Conducting an Audit; section 314, Understanding the Entity and Its Envi-
ronment and Assessing the Risks of Material Misstatement, and section 318
Performing Audit Procedures in Response to Assessed Risks and Evaluating the
Audit Evidence Obtained. Even though some requirements and guidance set
forth in this section are presented in a manner that suggests a sequential audit
process, auditing in fact involves a continuous process of gathering, updating,
and analyzing information throughout the audit. Accordingly the sequence of
the requirements and guidance in this section may be implemented differently
among audit engagements. [Revised, March 2006, to reflect conforming changes
necessary due to the issuance of Statements on Auditing Standards No. 109 and
No. 110.]
.04 Although this section focuses on the auditor's consideration of fraud
in an audit of financial statements, it is management's responsibility to de-
sign and implement programs and controls to prevent, deter, and detect fraud.
3
That responsibility is described in section 110.03, which states, "Management
is responsible for adopting sound accounting policies and for establishing and
maintaining internal control that will, among other things, authorize, record,
process, and report transactions (as well as events and conditions) consistent
with management's assertions embodied in the financial statements." Manage-
ment, along with those charged with governance, should set the proper tone;
create and maintain a culture of honesty and high ethical standards; and estab-
lish appropriate controls to prevent, deter, and detect fraud. When management
and those charged with governance fulfill those responsibilities, the opportu-
nities to commit fraud can be reduced significantly. [Revised, March 2006, to
reflect conforming changes necessary due to the issuance of Statement on Au-
diting Standards No. 106. Revised, April 2007, to reflect conforming changes
necessary due to the issuance of Statement on Auditing Standards No. 114.]
Description and Characteristics of Fraud
.05 Fraud is a broad legal concept and auditors do not make legal deter-
minations of whether fraud has occurred. Rather, the auditor's interest specif-
ically relates to acts that result in a material misstatement of the financial
statements. The primary factor that distinguishes fraud from error is whether
the underlying action that results in the misstatement of the financial state-
ments is intentional or unintentional. For purposes of the section, fraud is an
intentional act that results in a material misstatement in financial statements
that are the subject of an audit.
4
3
In its October 1987 report, the National Commission on Fraudulent Financial Reporting, also
known as the Treadway Commission, noted, "The responsibility for reliable financial reporting resides
first and foremost at the corporate level. Top management, starting with the chief executive officer,
sets the tone and establishes the financial reporting environment. Therefore, reducing the risk of
fraudulent financial reporting must start with the reporting company."
4
Intent is often difficult to determine, particularly in matters involving accounting estimates
and the application of accounting principles. For example, unreasonable accounting estimates may
be unintentional or may be the result of an intentional attempt to misstate the financial statements.
Although an audit is not designed to determine intent, the auditor has a responsibility to plan and
perform the audit to obtain reasonable assurance about whether the financial statements are free of
material misstatement, whether the misstatement is intentional or not.
AU §316.05
1722 The Standards of Field Work
.06 Two types of misstatements are relevant to the auditor's considera-
tion of fraud—misstatements arising from fraudulent financial reporting and
misstatements arising from misappropriation of assets.
Misstatements arising from fraudulent financial reporting are inten-
tional misstatements or omissions of amounts or disclosures in finan-
cial statements designed to deceive financial statement users where
the effect causes the financial statements not to be presented, in all ma-
terial respects, in conformity with generally accepted accounting prin-
ciples (GAAP).
5
Fraudulent financial reporting may be accomplished
by the following:
Manipulation, falsification, or alteration of accounting records or
supporting documents from which financial statements are pre-
pared
Misrepresentation in or intentional omission from the financial
statements of events, transactions, or other significant informa-
tion
Intentional misapplication of accounting principles relating to
amounts, classification, manner of presentation, or disclosure
Fraudulent financial reporting need not be the result of a grand plan
or conspiracy. It may be that management representatives rationalize
the appropriateness of a material misstatement, for example, as an ag-
gressive rather than indefensible interpretation of complex accounting
rules, or as a temporary misstatement of financial statements, includ-
ing interim statements, expected to be corrected later when operational
results improve.
Misstatements arising from misappropriation of assets (sometimes re-
ferred to as theft or defalcation) involve the theft of an entity's assets
where the effect of the theft causes the financial statements not to be
presented, in all material respects, in conformity with GAAP. Misap-
propriation of assets can be accomplished in various ways, including
embezzling receipts, stealing assets, or causing an entity to pay for
goods or services that have not been received. Misappropriation of as-
sets may be accompanied by false or misleading records or documents,
possibly created by circumventing controls. The scope of this section
includes only those misappropriations of assets for which the effect of
the misappropriation causes the financial statements not to be fairly
presented, in all material respects, in conformity with GAAP.
.07 Three conditions generally are present when fraud occurs. First, man-
agement or other employees have an incentive or are under pressure, which
provides a reason to commit fraud. Second, circumstances exist—for example,
the absence of controls, ineffective controls, or the ability of management to
override controls—that provide an opportunity for a fraud to be perpetrated.
Third, those involved are able to rationalize committing a fraudulent act. Some
individuals possess an attitude, character, or set of ethical values that allow
them to knowingly and intentionally commit a dishonest act. However, even
otherwise honest individuals can commit fraud in an environment that im-
poses sufficient pressure on them. The greater the incentive or pressure, the
more likely an individual will be able to rationalize the acceptability of com-
mitting fraud.
5
Reference to generally accepted accounting principles (GAAP) includes, where applicable, a
comprehensive basis of accounting other than GAAP as defined in section 623, Special Reports, para-
graph .04.
AU §316.06
Consideration of Fraud in a Financial Statement Audit
1723
.08 Management has a unique ability to perpetrate fraud because it fre-
quently is in a position to directly or indirectly manipulate accounting records
and present fraudulent financial information. Fraudulent financial reporting
often involves management override of controls that otherwise may appear to be
operating effectively.
6
Management can either direct employees to perpetrate
fraud or solicit their help in carrying it out. In addition, management personnel
at a component of the entity may be in a position to manipulate the accounting
records of the component in a manner that causes a material misstatement
in the consolidated financial statements of the entity. Management override of
controls can occur in unpredictable ways.
.09 Typically, management and employees engaged in fraud will take steps
to conceal the fraud from the auditors and others within and outside the orga-
nization. Fraud may be concealed by withholding evidence or misrepresenting
information in response to inquiries or by falsifying documentation. For exam-
ple, management that engages in fraudulent financial reporting might alter
shipping documents. Employees or members of management who misappro-
priate cash might try to conceal their thefts by forging signatures or falsifying
electronic approvals on disbursement authorizations. An audit conducted in ac-
cordance with GAAS rarely involves the authentication of such documentation,
nor are auditors trained as or expected to be experts in such authentication.
In addition, an auditor may not discover the existence of a modification of doc-
umentation through a side agreement that management or a third party has
not disclosed.
.10 Fraud also may be concealed through collusion among management,
employees, or third parties. Collusion may cause the auditor who has properly
performed the audit to conclude that evidence provided is persuasive when it is,
in fact, false. For example, through collusion, false evidence that controls have
been operating effectively may be presented to the auditor, or consistent mis-
leading explanations may be given to the auditor by more than one individual
within the entity to explain an unexpected result of an analytical procedure.
As another example, the auditor may receive a false confirmation from a third
party that is in collusion with management.
.11 Although fraud usually is concealed and management's intent is diffi-
cult to determine, the presence of certain conditions may suggest to the auditor
the possibility that fraud may exist. For example, an important contract may
be missing, a subsidiary ledger may not be satisfactorily reconciled to its con-
trol account, or the results of an analytical procedure performed during the
audit may not be consistent with expectations. However, these conditions may
be the result of circumstances other than fraud. Documents may legitimately
have been lost or misfiled; the subsidiary ledger may be out of balance with its
control account because of an unintentional accounting error; and unexpected
analytical relationships may be the result of unanticipated changes in underly-
ing economic factors. Even reports of alleged fraud may not always be reliable
because an employee or outsider may be mistaken or may be motivated for
unknown reasons to make a false allegation.
.12 As indicated in paragraph .01, the auditor has a responsibility to plan
and perform the audit to obtain reasonable assurance about whether the finan-
cial statements are free of material misstatement, whether caused by fraud or
6
Frauds have been committed by management override of existing controls using such techniques
as (a) recording fictitious journal entries, particularly those recorded close to the end of an accounting
period to manipulate operating results, (b) intentionally biasing assumptions and judgments used
to estimate account balances, and (c) altering records and terms related to significant and unusual
transactions.
AU §316.12
1724 The Standards of Field Work
error.
7
However, absolute assurance is not attainable and thus even a properly
planned and performed audit may not detect a material misstatement resulting
from fraud. A material misstatement may not be detected because of the na-
ture of audit evidence or because the characteristics of fraud as discussed above
may cause the auditor to rely unknowingly on audit evidence that appears to
be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures
that are effective for detecting an error may be ineffective for detecting fraud.
The Importance of Exercising Professional Skepticism
.13 Due professional care requires the auditor to exercise professional
skepticism. See section 230, Due Professional Care in the Performance of Work,
paragraphs .07 through .09. Because of the characteristics of fraud, the audi-
tor's exercise of professional skepticism is important when considering the risk
of material misstatement due to fraud. Professional skepticism is an attitude
that includes a questioning mind and a critical assessment of audit evidence.
The auditor should conduct the engagement with a mindset that recognizes the
possibility that a material misstatement due to fraud could be present, regard-
less of any past experience with the entity and regardless of the auditor's belief
about management's honesty and integrity. Furthermore, professional skepti-
cism requires an ongoing questioning of whether the information and evidence
obtained suggests that a material misstatement due to fraud has occurred. In
exercising professional skepticism in gathering and evaluating evidence, the
auditor should not be satisfied with less-than-persuasive evidence because of a
belief that management is honest.
Discussion Among Engagement Personnel Regarding
the Risks of Material Misstatement Due to Fraud
.14 Prior to or in conjunction with the information-gathering procedures
described in paragraphs .19 through .34 of this section, members of the audit
team should discuss the potential for material misstatement due to fraud. The
discussion should include:
An exchange of ideas or "brainstorming" among the audit team mem-
bers, including the auditor with final responsibility for the audit, about
how and where they believe the entity's financial statements might be
susceptible to material misstatement due to fraud, how management
could perpetrate and conceal fraudulent financial reporting, and how
assets of the entity could be misappropriated. (See paragraph .15.)
An emphasis on the importance of maintaining the proper state of
mind throughout the audit regarding the potential for material mis-
statement due to fraud. (See paragraph .16.)
.15 The discussion among the audit team members about the susceptibil-
ity of the entity's financial statements to material misstatement due to fraud
should include a consideration of the known external and internal factors af-
fecting the entity that might (a) create incentives/pressures for management
and others to commit fraud, (b) provide the opportunity for fraud to be perpe-
trated, and (c) indicate a culture or environment that enables management to
rationalize committing fraud. The discussion should occur with an attitude that
includes a questioning mind as described in paragraph .16 and, for this purpose,
7
For a further discussion of the concept of reasonable assurance, see section 230, Due Professional
Care in the Performance of Work, paragraphs .10 through .13.
AU §316.13
Consideration of Fraud in a Financial Statement Audit
1725
setting aside any prior beliefs the audit team members may have that manage-
ment is honest and has integrity. In this regard, the discussion should include
a consideration of the risk of management override of controls.
8
Finally, the
discussion should include how the auditor might respond to the susceptibility
of the entity's financial statements to material misstatement due to fraud.
.16 The discussion among the audit team members should emphasize the
need to maintain a questioning mind and to exercise professional skepticism in
gathering and evaluating evidence throughout the audit, as described in para-
graph .13. This should lead the audit team members to continually be alert for
information or other conditions (such as those presented in paragraph .68) that
indicate a material misstatement due to fraud may have occurred. It should also
lead audit team members to thoroughly probe the issues, acquire additional ev-
idence as necessary, and consult with other team members and, if appropriate,
experts in the firm, rather than rationalize or dismiss information or other con-
ditions that indicate a material misstatement due to fraud may have occurred.
.17 Although professional judgment should be used in determining which
audit team members should be included in the discussion, the discussion ordi-
narily should involve the key members of the audit team. A number of factors
will influence the extent of the discussion and how it should occur. For example,
if the audit involves more than one location, there could be multiple discus-
sions with team members in differing locations. Another factor to consider in
planning the discussions is whether to include specialists assigned to the audit
team. For example, if the auditor has determined that a professional possessing
information technology skills is needed on the audit team (see section 311.31),
it may be useful to include that individual in the discussion. [Revised, March
2006, to reflect conforming changes necessary due to the issuance of Statement
on Auditing Standards No. 108.]
.18 Communication among the audit team members about the risks of ma-
terial misstatement due to fraud also should continue throughout the audit—for
example, in evaluating the risks of material misstatement due to fraud at or
near the completion of the field work. (See paragraph .74 and footnote 28.)
Obtaining the Information Needed to Identify the Risks
of Material Misstatement Due to Fraud
.19 Section 314 provides guidance about how the auditor obtains an un-
derstanding of the entity and its environment, including its internal control.
In performing that work, information may come to the auditor's attention that
should be considered in identifying risks of material misstatement due to fraud.
As part of this work, the auditor should perform the following procedures to ob-
tain information that is used (as described in paragraphs .35 through .42) to
identify the risks of material misstatement due to fraud:
a. Make inquiries of management and others within the entity to obtain
their views about the risks of fraud and how they are addressed. (See
paragraphs .20 through .27.)
b. Consider any unusual or unexpected relationships that have been
identified in performing analytical procedures in planning the audit.
(See paragraphs .28 through .30.)
8
See footnote 6.
AU §316.19
1726 The Standards of Field Work
c. Consider whether one or more fraud risk factors exist. (See para-
graphs .31 through .33, and the Appendix [paragraph .85].)
d. Consider other information that may be helpful in the identification of
risks of material misstatement due to fraud. (See paragraph .34.)
[Revised, March 2006, to reflect conforming changes necessary due to the is-
suance of Statement on Auditing Standards No. 109.]
Making Inquiries of Management and Others Within the Entity
About the Risks of Fraud
.20 The auditor should inquire of management about:
9
Whether management has knowledge of any fraud or suspected fraud
affecting the entity
Whether management is aware of allegations of fraud or suspected
fraud affecting the entity, for example, received in communications
from employees, former employees, analysts, regulators, short sellers,
or others
Management's understanding about the risks of fraud in the entity,
including any specific fraud risks the entity has identified or account
balances or classes of transactions for which a risk of fraud may be
likely to exist
Programs and controls
10
the entity has established to mitigate specific
fraud risks the entity has identified, or that otherwise help to prevent,
deter, and detect fraud, and how management monitors those pro-
grams and controls. For examples of programs and controls an entity
may implement to prevent, deter, and detect fraud, see the exhibit ti-
tled "Management Antifraud Programs and Controls" [paragraph .86]
at the end of this section.
For an entity with multiple locations, (a) the nature and extent of mon-
itoring of operating locations or business segments, and (b) whether
there are particular operating locations or business segments for which
a risk of fraud may be more likely to exist
Whether and how management communicates to employees its views
on business practices and ethical behavior
.21 The inquiries of management also should include whether manage-
ment has reported to those charged with governance
[11]
on how the entity's
internal control
12
serves to prevent, deter, or detect material misstatements
due to fraud. [Revised, April 2007, to reflect conforming changes necessary due
to the issuance of Statement on Auditing Standards No. 114.]
.22 The auditor also should inquire directly of those charged with gover-
nance (or the audit committee or at least its chair) regarding their views about
9
In addition to these inquiries, section 333, Management Representations, requires the auditor
to obtain selected written representations from management regarding fraud.
10
Section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement, paragraph .41, defines internal control and its five interrelated components (the control
environment, risk assessment, control activities, information and communication, and monitoring).
Entity programs and controls intended to address the risks of fraud may be part of any of the five
components discussed in section 314. [Footnote revised, March 2006, to reflect conforming changes
necessary due to the issuance of Statement on Auditing Standards No. 109.]
[11]
[Footnote deleted due to conforming changes necessary due to the issuance of Statement on
Auditing Standards No. 114.]
12
See footnote 10.
AU §316.20
Consideration of Fraud in a Financial Statement Audit
1727
the risks of fraud and whether those charged with governance have knowledge
of any fraud or suspected fraud affecting the entity. An entity's audit commit-
tee sometimes assumes an active role in oversight of the entity's assessment
of the risks of fraud and the programs and controls the entity has established
to mitigate these risks. The auditor should obtain an understanding of how
the audit committee exercises oversight activities in that area. [Revised, April
2007, to reflect conforming changes necessary due to the issuance of Statement
on Auditing Standards No. 114.]
.23 For entities that have an internal audit function, the auditor also
should inquire of appropriate internal audit personnel about their views about
the risks of fraud, whether they have performed any procedures to identify or
detect fraud during the year, whether management has satisfactorily responded
to any findings resulting from these procedures, and whether the internal au-
ditors have knowledge of any fraud or suspected fraud.
.24 In addition to the inquiries outlined in paragraphs .20 through .23,
the auditor should inquire of others within the entity about the existence or
suspicion of fraud. The auditor should use professional judgment to determine
those others within the entity to whom inquiries should be directed and the
extent of such inquiries. In making this determination, the auditor should con-
sider whether others within the entity may be able to provide information that
will be helpful to the auditor in identifying risks of material misstatement due
to fraud—for example, others who may have additional knowledge about or be
able to corroborate risks of fraud identified in the discussions with management
(see paragraph .20) or those charged with governance (see paragraph .22). [Re-
vised, April 2007, to reflect conforming changes necessary due to the issuance
of Statement on Auditing Standards No. 114.]
.25 Examples of others within the entity to whom the auditor may wish to
direct these inquiries include:
Employees with varying levels of authority within the entity, including,
for example, entity personnel with whom the auditor comes into con-
tact during the course of the audit in obtaining (a) an understanding
of the entity's systems and internal control, (b) in observing inventory
or performing cutoff procedures, or (c) in obtaining explanations for
fluctuations noted as a result of analytical procedures
Operating personnel not directly involved in the financial reporting
process
Employees involved in initiating, recording, or processing complex or
unusual transactions—for example, a sales transaction with multiple
elements, or a significant related party transaction
In-house legal counsel
.26 The auditor's inquiries of management and others within the entity
are important because fraud often is uncovered through information received
in response to inquiries. One reason for this is that such inquiries may pro-
vide individuals with an opportunity to convey information to the auditor that
otherwise might not be communicated. Making inquiries of others within the
entity, in addition to management, may be useful in providing the auditor with
a perspective that is different from that of individuals involved in the financial
reporting process. The responses to these other inquiries might serve to cor-
roborate responses received from management, or alternatively, might provide
information regarding the possibility of management override of controls—
for example, a response from an employee indicating an unusual change in
the way transactions have been processed. In addition, the auditor may ob-
tain information from these inquiries regarding how effectively management
AU §316.26
1728 The Standards of Field Work
has communicated standards of ethical behavior to individuals throughout the
organization.
.27 The auditor should be aware when evaluating management's responses
to the inquiries discussed in paragraph .20 that management is often in the best
position to perpetrate fraud. The auditor should use professional judgment in
deciding when it is necessary to corroborate responses to inquiries with other
information. However, when responses are inconsistent among inquiries, the
auditor should obtain additional audit evidence to resolve the inconsistencies.
Considering the Results of the Analytical Procedures Performed
in Planning the Audit
.28 Section 329, Analytical Procedures, paragraphs .04 and .06, requires
that analytical procedures be performed in planning the audit with an objective
of identifying the existence of unusual transactions or events, and amounts, ra-
tios, and trends that might indicate matters that have financial statement and
audit planning implications. In performing analytical procedures in planning
the audit, the auditor develops expectations about plausible relationships that
are reasonably expected to exist, based on the auditor's understanding of the en-
tity and its environment. When comparison of those expectations with recorded
amounts or ratios developed from recorded amounts yields unusual or unex-
pected relationships, the auditor should consider those results in identifying
the risks of material misstatement due to fraud.
.29 In planning the audit, the auditor also should perform analytical pro-
cedures relating to revenue with the objective of identifying unusual or unex-
pected relationships involving revenue accounts that may indicate a material
misstatement due to fraudulent financial reporting. An example of such an an-
alytical procedure that addresses this objective is a comparison of sales volume,
as determined from recorded revenue amounts, with production capacity. An
excess of sales volume over production capacity may be indicative of recording
fictitious sales. As another example, a trend analysis of revenues by month and
sales returns by month during and shortly after the reporting period may in-
dicate the existence of undisclosed side agreements with customers to return
goods that would preclude revenue recognition.
13
.30 Analytical procedures performed during planning may be helpful in
identifying the risks of material misstatement due to fraud. However, because
such analytical procedures generally use data aggregated at a high level, the
results of those analytical procedures provide only a broad initial indication
about whether a material misstatement of the financial statements may exist.
Accordingly, the results of analytical procedures performed during planning
should be considered along with other information gathered by the auditor in
identifying the risks of material misstatement due to fraud.
Considering Fraud Risk Factors
.31 Because fraud is usually concealed, material misstatements due to
fraud are difficult to detect. Nevertheless, the auditor may identify events or
conditions that indicate incentives/pressures to perpetrate fraud, opportunities
to carry out the fraud, or attitudes/rationalizations to justify a fraudulent ac-
tion. Such events or conditions are referred to as "fraud risk factors." Fraud risk
factors do not necessarily indicate the existence of fraud; however, they often
are present in circumstances where fraud exists.
13
See paragraph .70 for a discussion of the need to update these analytical procedures during
the overall review stage of the audit.
AU §316.27
Consideration of Fraud in a Financial Statement Audit
1729
.32 When obtaining information about the entity and its environment, the
auditor should consider whether the information indicates that one or more
fraud risk factors are present. The auditor should use professional judgment
in determining whether a risk factor is present and should be considered in
identifying and assessing the risks of material misstatement due to fraud.
.33 Examples of fraud risk factors related to fraudulent financial reporting
and misappropriation of assets are presented in the Appendix [paragraph .85].
These illustrative risk factors are classified based on the three conditions gen-
erally present when fraud exists: incentive/pressure to perpetrate fraud, an
opportunity to carry out the fraud, and attitude/rationalization to justify the
fraudulent action. Although the risk factors cover a broad range of situations,
they are only examples and, accordingly, the auditor may wish to consider ad-
ditional or different risk factors. Not all of these examples are relevant in all
circumstances, and some may be of greater or lesser significance in entities
of different size or with different ownership characteristics or circumstances.
Also, the order of the examples of risk factors provided is not intended to reflect
their relative importance or frequency of occurrence.
Considering Other Information That May Be Helpful in
Identifying Risks of Material Misstatement Due to Fraud
.34 The auditor should consider other information that may be helpful
in identifying risks of material misstatement due to fraud. Specifically, the
discussion among the engagement team members (see paragraphs .14 through
.18) may provide information helpful in identifying such risks. In addition, the
auditor should consider whether information from the results of (a) procedures
relating to the acceptance and continuance of clients and engagements
14
and
(b) reviews of interim financial statements may be relevant in the identification
of such risks. Finally, as part of the consideration of audit risk at the individual
account balance or class of transaction level (see section 312.17 through .26), the
auditor should consider whether identified inherent risks would provide useful
information in identifying the risks of material misstatement due to fraud (see
paragraph .39). [Revised, March 2006, to reflect conforming changes necessary
due to the issuance of Statement on Auditing Standards No. 107.]
Identifying Risks That May Result in a Material
Misstatement Due to Fraud
15
Using the Information Gathered to Identify Risk of Material
Misstatements Due to Fraud
.35 In identifying risks of material misstatement due to fraud, it is helpful
for the auditor to consider the information that has been gathered (see para-
graphs .19 through .34) in the context of the three conditions present when
a material misstatement due to fraud occurs—that is, incentives/pressures,
14
See paragraphs .27–.36 of QC section 10B, A Firm's System of Quality Control. [Footnote
amended due to issuance of SQCS No. 7, December 2008.]
15
Section 314, Understanding the Entity and its Environment and Assessing the Risks of Mate-
rial Misstatement, requires the auditor to identify and assess the risk of material misstatement at
the financial statement level and at the relevant assertion level related to classes of transactions, ac-
count balances and disclosures. See section 314.102. [Footnote added, effective for audits of financial
statements for periods beginning on or after December 15, 2006, by Statement on Auditing Standards
No. 113.]
AU §316.35
1730 The Standards of Field Work
opportunities, and attitudes/rationalizations (see paragraph .07). However, the
auditor should not assume that all three conditions must be observed or evident
before concluding that there are identified risks. Although the risk of material
misstatement due to fraud may be greatest when all three fraud conditions are
observed or evident, the auditor cannot assume that the inability to observe
one or two of these conditions means there is no risk of material misstatement
due to fraud. In fact, observing that individuals have the requisite attitude to
commit fraud, or identifying factors that indicate a likelihood that management
or other employees will rationalize committing a fraud, is difficult at best.
.36 In addition, the extent to which each of the three conditions referred
to above are present when fraud occurs may vary. In some instances the signifi-
cance of incentives/pressures may result in a risk of material misstatement due
to fraud, apart from the significance of the other two conditions. For example,
an incentive/pressure to achieve an earnings level to preclude a loan default, or
to "trigger" incentive compensation plan awards, may alone result in a risk of
material misstatement due to fraud. In other instances, an easy opportunity to
commit the fraud because of a lack of controls may be the dominant condition
precipitating the risk of fraud, or an individual's attitude or ability to rational-
ize unethical actions may be sufficient to motivate that individual to engage in
fraud, even in the absence of significant incentives/pressures or opportunities.
.37 The auditor's identification of fraud risks also may be influenced by
characteristics such as the size, complexity, and ownership attributes of the
entity. For example, in the case of a larger entity, the auditor ordinarily con-
siders factors that generally constrain improper conduct by management, such
as the effectiveness of the audit committee and the internal audit function,
and the existence and enforcement of a formal code of conduct. In the case of a
smaller entity, some or all of these considerations may be inapplicable or less
important, and management may have developed a culture that emphasizes
the importance of integrity and ethical behavior through oral communication
and management by example. Also, the risks of material misstatement due to
fraud may vary among operating locations or business segments of an entity,
requiring an identification of the risks related to specific geographic areas or
business segments, as well as for the entity as a whole.
16
.38 The auditor should evaluate whether identified risks of material mis-
statement due to fraud can be related to specific financial-statement account
balances or classes of transactions and related assertions, or whether they re-
late more pervasively to the financial statements as a whole. Relating the risks
of material misstatement due to fraud to the individual accounts, classes of
transactions, and assertions will assist the auditor in subsequently designing
appropriate auditing procedures.
.39 Certain accounts, classes of transactions, and assertions that have high
inherent risk because they involve a high degree of management judgment and
subjectivity also may present risks of material misstatement due to fraud be-
cause they are susceptible to manipulation by management. For example, li-
abilities resulting from a restructuring may be deemed to have high inherent
risk because of the high degree of subjectivity and management judgment in-
volved in their estimation. Similarly, revenues for software developers may be
deemed to have high inherent risk because of the complex accounting principles
16
Section 312.16 provides guidance on the auditor's consideration of the extent to which auditing
procedures should be performed at selected locations or components. [Footnote revised, March 2006,
to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards
No. 107. Footnote renumbered by the issuance of Statement on Auditing Standards No. 113, November
2006.]
AU §316.36
Consideration of Fraud in a Financial Statement Audit
1731
applicable to the recognition and measurement of software revenue transac-
tions. Assets resulting from investing activities may be deemed to have high
inherent risk because of the subjectivity and management judgment involved
in estimating fair values of those investments.
.40 In summary, the identification of a risk of material misstatement due
to fraud involves the application of professional judgment and includes the
consideration of the attributes of the risk, including:
The type of risk that may exist, that is, whether it involves fraudulent
financial reporting or misappropriation of assets
The significance of the risk, that is, whether it is of a magnitude that
could lead to result in a possible material misstatement of the financial
statements
The likelihood of the risk, that is, the likelihood that it will result in a
material misstatement in the financial statements
17
The pervasiveness of the risk, that is, whether the potential risk is
pervasive to the financial statements as a whole or specifically related
to a particular assertion, account, or class of transactions.
A Presumption That Improper Revenue Recognition Is a
Fraud Risk
.41 Material misstatements due to fraudulent financial reporting often
result from an overstatement of revenues (for example, through premature
revenue recognition or recording fictitious revenues) or an understatement of
revenues (for example, through improperly shifting revenues to a later period).
Therefore, the auditor should ordinarily presume that there is a risk of material
misstatement due to fraud relating to revenue recognition. (See paragraph .54
for examples of auditing procedures related to the risk of improper revenue
recognition.)
18
A Consideration of the Risk of Management Override of Controls
.42 Even if specific risks of material misstatement due to fraud are not
identified by the auditor, there is a possibility that management override of
controls could occur, and accordingly, the auditor should address that risk (see
paragraph .57) apart from any conclusions regarding the existence of more
specifically identifiable risks.
Assessing the Identified Risks After Taking Into Account
an Evaluation of the Entity’s Programs and Controls
That Address the Risks
.43 Section 314 requires the auditor to obtain an understanding of each of
the five components of internal control sufficient to plan the audit. It also notes
17
The occurrence of material misstatements of financial statements due to fraud is relatively
infrequent in relation to the total population of published financial statements. However, the auditor
should not use this as a basis to conclude that one or more risks of a material misstatement due to
fraud are not present in a particular entity. [Footnote renumbered by the issuance of Statement on
Auditing Standards No. 113, November 2006.]
18
For a discussion of indicators of improper revenue recognition and common techniques for
overstating revenue and illustrative audit procedures, see the AICPA Audit Guide Auditing Revenue
in Certain Industries. [Footnote renumbered by the issuance of Statement on Auditing Standards
No. 113, November 2006.]
AU §316.43
1732 The Standards of Field Work
that such knowledge should be used to identify types of potential misstate-
ments, consider factors that affect the risk of material misstatement, design
tests of controls when applicable, and design substantive tests. Additionally,
section 314 notes that controls, whether manual or automated, can be circum-
vented by collusion of two or more people or inappropriate management over-
ride of internal control. [Revised, March 2006, to reflect conforming changes
necessary due to the issuance of Statement on Auditing Standards No. 109.]
.44 As part of the understanding of internal control sufficient to plan the
audit, the auditor should evaluate whether entity programs and controls that
address identified risks of material misstatement due to fraud have been suit-
ably designed and placed in operation.
19
These programs and controls may
involve (a) specific controls designed to mitigate specific risks of fraud—for ex-
ample, controls to address specific assets susceptible to misappropriation, and
(b) broader programs designed to prevent, deter, and detect fraud—for exam-
ple, programs to promote a culture of honesty and ethical behavior. The auditor
should consider whether such programs and controls mitigate the identified
risks of material misstatement due to fraud or whether specific control defi-
ciencies may exacerbate the risks (see paragraph .80). The exhibit at the end
of this section [paragraph .88] discusses examples of programs and controls an
entity might implement to create a culture of honesty and ethical behavior, and
that help to prevent, deter, and detect fraud.
.45 After the auditor has evaluated whether the entity's programs and
controls that address identified risks of material misstatement due to fraud
have been suitably designed and placed in operation, the auditor should assess
these risks taking into account that evaluation. This assessment should be
considered when developing the auditor's response to the identified risks of
material misstatement due to fraud (see paragraphs .46 through .67).
20
Responding to the Results of the Assessment
21
.46 The auditor's response to the assessment of the risks of material mis-
statement due to fraud involves the application of professional skepticism in
gathering and evaluating audit evidence. As noted in paragraph .13, profes-
sional skepticism is an attitude that includes a critical assessment of the com-
petency and sufficiency of audit evidence. Examples of the application of pro-
fessional skepticism in response to the risks of material misstatement due to
fraud are (a) designing additional or different auditing procedures to obtain
more reliable evidence in support of specified financial statement account bal-
ances, classes of transactions, and related assertions, and (b) obtaining addi-
tional corroboration of management's explanations or representations concern-
ing material matters, such as through third-party confirmation, the use of a
specialist, analytical procedures, examination of documentation from indepen-
dent sources, or inquiries of others within or outside the entity.
19
See footnote 10. [Footnote renumbered by the issuance of Statement on Auditing Standards
No. 113, November 2006.]<