How to Assess Your Organization's Fraud Risks
Auditing standards require external auditors to consider potential fraud risks by watching out for conditions that provide the opportunity to commit fraud. Unfortunately, conditions during the COVID-19 pandemic may have increased your organization's fraud risks. For example, more employees may be working remotely than ever before. And some workers may be experiencing personal financial distress — due to reduced hours, decreased buying power, or the loss of a spouse’s income — that could cause them to engage in dishonest behaviors.
Throughout the audit process, financial statement auditors must maintain professional skepticism regarding the possibility that a material misstatement due to fraud may be present. Specifically, Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, requires auditors to consider potential fraud risks before and during the information-gathering process. Management and board members may find it helpful to understand how this process works.
Doubling down on fraud risks
During planning procedures, auditors must conduct brainstorming sessions about fraud risks. In a financial reporting context, auditors are primarily concerned with two types of fraud:
1. Asset misappropriation. Employees may steal tangible assets, such as cash or inventory, for personal use. The risk of theft may be heightened if internal controls have been relaxed during the pandemic. For example, some organizations have waived the requirement for two signatures on checks, and others have reduced oversight during physical inventory counts.
2. Financial misstatement. Intentional misstatements, including omissions of amounts or disclosures in financial statements, may be used to deceive people who rely on your organization's financial statements. For example, managers who are unable to meet their financial goals may be tempted to book fictitious revenue to preserve their year-end bonuses. Or a CFO may alter fair value estimates to avoid both reporting impairment of long-lived assets and other intangibles and triggering a loan covenant violation.
Identifying risk factors
Auditors must obtain an understanding of the entity and its environment, including internal controls, in order to identify the risks of material misstatement due to fraud. They must presume that, if given the opportunity, organizations will improperly recognize revenue and management will attempt to override internal controls.
Examples of fraud risk factors that auditors consider include:
- Large amounts of cash or other valuable inventory items on hand, without adequate security measures in place,
- Employees or board members with conflicts of interest, such as relationships with other employees and financial interests in vendors,
- Unrealistic goals and incentive-based compensation that tempt workers to artificially boost revenue, and
- Weak internal controls.
Auditors also watch for questionable journal entries that dishonest employees could use to hide their impropriety. These entries might, for example, be made on the last day of the accounting period or with limited descriptions. Once fraud risks have been assessed, audit procedures must be planned and performed to obtain reasonable assurance that the financial statements are free from misstatement.
Auditors generally aren’t required to investigate fraud. But they are required to communicate fraud risk findings to the appropriate level of management, who can then take actions to prevent fraud in their organizations. If conditions exist that make it impractical to plan an audit in a way that will adequately address fraud risks, an auditor may even decide to withdraw from the engagement.