Restoring Trust in Audit and Corporate Governance – The role of directors and auditors in tackling fraud


In his report on the quality and effectiveness of audit, published in December 2019 (“the Brydon Review”), Sir Donald Brydon examined the challenge of fraud in the context of corporate reporting. He concluded that reform was needed to increase the prospect of fraud detection and improve confidence in auditors in this area. While things have moved on from the once often quoted phrase that auditors are watchdogs and not bloodhounds, the role of audit in fraud detection has not kept up with society’s expectations. The Brydon Review recommendations sought to address this through proposed reform of relevant auditing standards, increased training in fraud detection for auditors and further explanation in the annual report from directors and auditors concerning controls around fraud.

The implementation of the wide-ranging reforms proposed by the Brydon Review has been much slower than many anticipated, but some progress has been made in respect of fraud reforms, including the Financial Reporting Council’s (“FRC”) proposed revised ISA (UK) 240 “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements” (“the Revised Standard”), expected to be finalised and issued before the end of May 2021. The Revised Standard will have effect in respect of audits of financial statements for periods commencing on or after 15 December 2021 (although it may be used in respect of audits prior to then).

In addition, the UK Department for Business, Energy and Industrial Strategy (“BEIS”) consultation “Restoring trust in audit and corporate governance” (“the BEIS Paper”) has largely embraced the Brydon Review recommendations in respect of fraud, although the Government’s proposals are subject to consultation and will not come into effect until 2023 at the earliest.

While the application of mandatory requirements is therefore still some way off, directors and auditors will want to consider carefully what aspects of the proposals they want to adopt now, particularly given the expectation that fraud will have been on the increase during the pandemic.

The Revised Standard

What has changed?

To eliminate the lack of clarity over the auditor’s role in detecting fraud, the Revised Standard makes explicit the requirement on auditors to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement due to fraud. As the Revised Standard notes, “reasonable assurance” means “a high but not absolute level of assurance”.

What are auditors’ responsibilities in relation to detecting and preventing fraud?

The steps mandated by the Revised Standard are practical ones. In essence, they require those leading audit engagements to make time for discussions about fraud risk, structure teams and engagements appropriately based upon identified risks and to respond decisively where actual or suspected fraud is identified.

In practice, this will mean taking steps including:

  • making sure that all members of engagement teams contribute to discussions and exchange ideas about fraud risk and investigation and, in the group audit context, considering what discussions need to be had with component auditors;
  • ensuring that there is consideration throughout engagements of the risk that the financial statements may have been affected by fraud;
  • putting in place appropriate mechanisms to investigate and respond to allegations of fraud emerging during audits;
  • building discussions into the later stages of audits to consider instances of identified fraud and risk factors; and
  • giving consideration at the outset and throughout engagements to which specialists may be required (including considering whether a forensic expert is required to investigate further if an auditor identifies a material misstatement due to suspected fraud).

The Revised Standard makes clear that auditors must clearly evidence how these steps have been taken throughout engagements and that, where risks of material misstatement due to fraud are identified, sufficient and appropriate audit evidence should be obtained in relation to identified risks.

The FRC has declined to go as far as requiring auditors to approach audits with “suspicion” (as suggested in the Brydon Review). Instead, the Revised Standard gives more granular guidance about what “professional scepticism” means in the context of detecting and preventing fraud. Specifically, the Revised Standard sets out that auditors should:

  • undertake risk assessment procedures and perform audits in a way not biased towards either obtaining corroborative audit evidence or excluding contradictory evidence;
  • be alert to indications that documents or records are not authentic; and
  • investigate further where responses provided by anyone within an organisation “appear implausible” (a change from the previous requirement to investigate “inconsistent” responses from management or those responsible for governance).

It is a constant theme from the FRC’s enforcement team that failings that lead to enforcement action often stem from a lack of audit scepticism. However, in relation to what can be complex frauds, auditors need appropriate training on what to look out for – as highlighted in the Brydon Review and the BEIS Paper.

The Revised Standard also makes clear that auditors have specific responsibilities to:

  • make enquiries of members of management, or others within the organisation, responsible for dealing with allegations of fraud raised by employees and others;
  • identify and consider the implications of differences in responses provided by members of management and those responsible for governance;
  • obtain written representations from management (and, if appropriate, those within the organisation responsible for governance) that they believe they have adequately fulfilled their responsibilities for internal controls to prevent and detect fraud; and
  • include details in the auditor’s report about the extent to which the audit is considered capable of detecting fraud (which should be appropriately specific to the organisation concerned).

What are auditors required to do if they identify actual or suspected fraud?

The Revised Standard imposes obligations on auditors conducting audits of Public Interest Entities (“PIEs”) to inform the entity concerned where they suspect or have reasonable grounds to suspect irregularities (including fraud in relation to financial statements) and to invite the entity to take appropriate measures. Where PIEs do not appropriately investigate matters brought to their attention by auditors, there is a requirement on auditors to inform authorities responsible for investigating such irregularities.

There is an exception to this requirement to inform entities where auditors are “prohibited by law or regulation”. This acknowledges the potential tension between this obligation and the anti-money laundering (“AML”) reporting obligations of auditors. Since auditors carry on business in the “regulated sector” for AML purposes, these obligations are triggered by actual knowledge or suspicion or reasonable grounds to suspect that another person is “engaged in money laundering” (which includes any act(s) enabling an individual or an entity to acquire, retain or use “criminal property”). These concepts are defined broadly, but not every “irregularity” required to be brought to the attention of the entity concerned will necessarily also amount to “money laundering”.

Auditors’ mandatory reporting obligations under AML legislation are not new. However, the introduction of requirements to take a more enquiring approach to fraud may more frequently place auditors in a position where these obligations are engaged. Careful planning and consideration will be required to ensure that in situations where auditors receive information about alleged irregularities, the right questions are asked (including not only about accounting irregularities but also about underlying conduct), any reports required to be made to UK AML authorities are made at the appropriate time and that, where any reports are made, tipping off provisions are not infringed.

(How) have the responsibilities of entities’ management changed?

The Revised Standard does not diminish the responsibility of management and those responsible for governance within entities for detecting and preventing fraud. The requirements on auditors to ask questions and obtain written representations relating to fraud should also focus the minds of those responsible for anti-fraud measures within entities on the adequacy of those measures.

The adequacy of responses provided to auditors by management and others about anti-fraud measures and/or suspected instances of fraud is likely to be of significant interest to relevant regulators when they are investigating and deciding if an entity and its management have behaved appropriately and, if not, whether any enforcement action can and should be taken.

In serious cases, the Serious Fraud Office and other law enforcement agencies will be similarly interested not only in whether responses provided to auditors indicate that fraud, bribery or money laundering offences may have been committed by the entity or individuals, but also in whether deficiencies in responses to questions asked by auditors may form the basis of prosecution for the separate offence of providing false or misleading information to an auditor.

The BEIS Paper

One of the most significant of the UK Government’s proposals is its plan to legislate to require directors of PIEs to report on the steps they have taken to prevent and detect material fraud. This is supported by a proposal for further legislation to require auditors of PIEs, as part of statutory audits, to report on the work they performed to conclude whether the proposed directors’ statement regarding actions taken to prevent and detect material fraud is factually accurate. The Government also intends to take forward the Brydon Review recommendation that auditors be required to report on the steps they have taken to detect material fraud and assess the effectiveness of relevant controls.

The BEIS Paper also proposes elevating the importance of fraud awareness and forensic accounting in the formal training required to be completed by auditors, more frequent and up-to-date training on fraud by audit firms, and the development of a case study register of corporate frauds to enable auditors to learn from past cases.

The details of the proposed reforms and their timing are still to be fleshed out, but implementation will not be before 2023. In the meantime, fraud risk is likely to be a key consideration for many boards and auditors in the wake of the pandemic and something regulators and investors will expect to have been addressed appropriately.
