The auditor should communicate on a timely basis any evidence that fraud may exist, even if such fraud is inconsequential, to the appropriate level of management. (AU-C 240.39)
The auditor should directly inform those charged with governance about:
Fraud involving management
Fraud involving employees who have significant roles in internal control
Fraud that causes a material misstatement of the financial statements
(AU-C 240.40)
The auditor should reach an understanding with those charged with governance about the nature and extent of communications that need to be made to them about misappropriations committed by lower-level employees.
The auditor should consider whether the following are reportable conditions that should be communicated to senior management and those charged with governance:
Identified risks of material misstatement due to fraud that have continuing control implications (whether or not transactions or adjustments that could result from fraud have been detected)
A lack of, or deficiencies in, programs and controls to mitigate the risk of fraud
The auditor may also want to communicate other identified risks of fraud to those charged with governance, either in the overall communication of business and financial statement risks affecting the entity or in the communication about the quality of the entity’s accounting principles (see Section 260). (AU-C 240.41)
Ordinarily, the auditor is not required to disclose possible fraud to anyone other than the client’s senior management and those charged with governance, and in fact would be prevented by the duty of confidentiality from doing so. However, a duty to disclose to others outside the entity may exist when:
Complying with certain legal and regulatory requirements
Responding to a successor auditor’s inquiries
Responding to a subpoena
Complying with requirements of a funding agency or other specified agency for audits that receive governmental financial assistance
(AU-C 240.A72)
The auditor may wish to consult legal counsel before discussing these matters outside the client to evaluate the auditor’s ethical and legal obligations for client confidentiality. (AU-C 240.A73)
NOTE: The auditor should document these communications to management, the audit committee, and others.
When deciding on how to communicate, the best approach is to decide which of the following three situations governs, and to follow the guidance presented for the applicable situation.
Situation 1
Any Fraud Involving Senior Management for Non-SEC Clients
Auditor should:
Consider the implications for other aspects of the audit.
Reevaluate the assessment of the risk of fraud.
Discuss the matter and the approach to further investigation with the appropriate level of management.
Obtain additional evidentiary matter, including suggesting that the client consult with legal counsel.
Consider whether any risk factors identified represent reportable conditions (Section 325).
Consider withdrawing from the engagement and communicating the reasons to those charged with governance.
Report the fraud to the audit committee or, in a small business, to the owner-manager.
NOTE: If the perpetrator controls the audit committee or board of directors, go directly to client’s legal counsel. If the perpetrator is a general partner acting against the interests of the limited partners, obtain legal advice and consider communicating to the limited partners. If the perpetrator is the owner-manager of a small business, the auditor has little choice but to communicate with the perpetrator and has no obvious course of action but to withdraw. However, first the auditor should consult with his or her legal counsel.
Insist that the financial statements be revised and, if they are not, express a qualified or adverse opinion (if precluded from obtaining needed evidence, disclaim an opinion or withdraw).
Situation 2
Any Fraud Involving Senior Management for SEC Clients
Auditor should:
1 Follow the steps in the Situation 1 checklist plus additional items 2–4 below.
2 Consider Section 10A(b) of the Securities Exchange Act of 1934 (Title III, Private Securities Litigation Reform Act of 1995):
a. Matter is reported to board of directors and it does not take appropriate action.
b. Auditor concludes that failure to take remedial action is expected to cause departure from standard audit report or cause withdrawal.
c. Auditor should report conclusion in item b of this list to board of directors as soon as practicable (e.g., on Monday).
d. Client is required to notify SEC (within one business day) of auditor’s conclusion described in item b (e.g., by Tuesday).
e. Client is required to furnish report to SEC in item d to auditor within one business day (e.g., by Tuesday).
f. If auditor doesn’t receive report in item e, auditor notifies SEC within one business day following failure to receive (e.g., on Wednesday).
3 If the auditor withdraws or resigns from the engagement, the auditor must send a copy of the resignation to the SEC within five business days.
4 Follow SEC requirements for reporting on Form 8-K:
Upon auditor’s withdrawal, client must disclose within four business days the following information on a Form 8-K, filed with the SEC, with a copy to the auditor on the same day:
Auditor’s resignation
Auditor’s conclusion that the information coming to his or her attention has a material impact on the fairness or reliability of the client’s financial statements or audit report and that this matter was not resolved to the auditor’s satisfaction before resignation
Auditor must prepare a letter stating agreement or disagreement with client’s statements after reading Form 8-K. If auditor disagrees, he or she must disclose differences of opinion in a letter to client as promptly as possible. Client must then file the letter with the SEC within ten business days after filing the Form 8-K. Notwithstanding the ten-business-day requirement, client has two business days from the date of receipt to file the letter with the SEC.
Situation 3
Any Fraud Not Involving Senior Management for All Clients (Public and Nonpublic)
Auditor should:
Evaluate the implications for other aspects of the audit, especially organizational positions of persons involved.
Bring to the attention of, and discuss with, the appropriate level of management (even if inconsequential).
Communicate the matter to those charged with governance unless the matter is clearly below the communication threshold previously agreed to by the auditor and those charged with governance.
Consider whether any risk factors identified represent reportable conditions (Section 265).
Documentation
The auditor should document:
The engagement team’s discussion, when planning the audit, about the entity’s susceptibility to fraud;