2023-06-29

Sharper on Fraud Risks: Results of the Investigation into Fraud Risk Analysis by Accounting Organizations

The Dutch Authority for the Financial Markets (AFM) issued this report following an investigation into the quality of fraud risk analysis performed by 13 accounting organizations during 2021 statutory audits. The findings reveal that while mandatory procedural steps are generally followed, the professional skepticism and depth of analysis are frequently insufficient, resulting in audit findings in 27 of the 32 reviewed cases. The regulator urges accountants to adopt a more critical and in-depth approach to identifying fraud risk factors and assessing risks, particularly by engaging more effectively with management and governance bodies.

Netherlands

Autoriteit Financiele Markten

Sharper on Fraud Risks!

Results of the investigation into fraud risk analysis by accounting organizations

Contents

  • 01 Investigation and main findings
  • 02 Investigation results
    • 2.1 Team discussions and obtaining information
    • 2.2 Identifying and evaluating fraud risk factors
    • 2.3 Identifying and assessing fraud risks
  • 03 Points of attention for the sector

01 Investigation and main findings

In May 2022, the AFM published the position paper 'Accounting organizations' handling of fraud (risks) in audited companies'.¹ In it, we announced that the theme of fraud would be on the supervisory agenda structurally in the coming years. The thematic investigation into the quality of fraud risk analysis is the first in a series of investigations to be carried out in this context.

Fraud is a broad societal problem

Fraud disrupts economic transactions between parties and undermines trust in the integrity of the financial system. Furthermore, fraud can cause broader destabilizing market effects. Such (large) fraud cases are rare, but their impact is significant. There is therefore continuous societal and political attention to this problem, nationally and internationally, and specifically to the role of the external auditor.

The auditor plays an important role in detecting fraud

Audited companies are primarily responsible for preventing and tackling fraud. At the same time, the timely detection and follow-up of fraud (risks) by the external auditor in the statutory audit can sometimes prevent significant damage to the stakeholders of the company. Detecting and following up on fraud (risks) in the statutory audit is therefore an important responsibility for the external auditor.

Objective of the investigation: what is the quality of the auditor's fraud risk analysis?

The objective of this investigation is to gain a clear picture of the quality of the fraud risk analysis performed by accountants for statutory audits. With this, we want to hold a mirror up to the sector and provide examples of good practices that we have seen in practice. We tested 32 statutory audits for the financial year 2021 across 13 accounting organizations. The AFM did not investigate whether the external auditor in the statutory audit had obtained sufficient and appropriate audit information.

Both OOB and regular license holders investigated

Four audits were selected from each of the three selected OOB (organisaties van openbaar belang, public-interest entities) accounting organizations, including two OOB audits (including three housing corporations, a bank, and two listed companies). Two statutory audits were selected from each of the 10 regular accounting organizations. We selected both statutory audits where a fraud expert was involved and audits where one was not. We also selected statutory audits with both high and low risk according to the accounting organization. This was to obtain as broad a picture as possible. We also requested and analyzed data from both OOB and regular accounting organizations to support the picture emerging from the qualitative investigation.

Why is a good fraud risk analysis by the auditor so important?

Accurately assessing the risk of a material misstatement, regardless of whether it is caused by fraud or error, is one of the main pillars of a good statutory audit. The Standards indeed prescribe that the auditor must obtain a reasonable level of assurance as the basis for their opinion on whether the financial statements as a whole are free from material misstatement resulting from fraud or error. This is also the core of the accounting profession. Precisely because users of annual reports attach importance to reliable information, and the decisions made on the basis of it...

27 of the 32 statutory audits had one or more findings (Figure 1). A finding exists if an NV COS (Dutch Standards on Auditing) standard is not complied with. Specifically, we tested compliance with the standards as included in COS 240/COS 250² (auditor responsibilities regarding fraud/legislation and regulations) and COS 315 (identifying and assessing risks of material misstatement). The findings are included in a specific report per accounting organization.

Although we see that accountants are paying more attention to the subject of fraud, there are still steps to be taken. Too often we see that accountants reason why (fraud) risks do not exist, instead of investigating and substantiating how fraud risks can occur. A professionally critical attitude is continuously required, especially for work relating to fraud risks. Only 5 statutory audits had no findings. In 27 of the 32 statutory audits, there were one or more findings, and in 22 of the 32 statutory audits, there were even two or more findings (Figure 1).

Figure 1. Number of findings in 32 investigated fraud risk analyses

Number of findings in statutory audits Total: 32 statutory audits

  • No findings: 5
  • One finding: 5
  • Two findings: 10
  • More than two findings: 12

2 In cases of legal violations such as corruption (bribery), money laundering, and cartel formation, the fraud characteristics of intent, deception, and illegal benefit almost always play a role.

The choice of fraud risks is decisive for the rest of the audit

An annual report audit takes place in a risk-driven manner. Specific audit procedures are performed based on a risk assessment. If the external auditor misses relevant fraud risks, there is an increased chance that too few or the wrong procedures are performed. As a result, a material misstatement due to fraud may not be discovered.

Investigation results require a sharper fraud risk analysis

We see that in the fraud risk analysis in all investigated statutory audits, the (formally) mandatory steps were followed and accountants paid attention to the subject of fraud. A team discussion took place in all statutory audits, information was obtained, and fraud risk factors and one or more fraud risks were identified.

Accountants state that steps have been taken and, for example, fraud experts are being used more than in the past.

In all 32 fraud risk analyses, the external auditors at least identified the mandatory risk that management overrides internal control measures as a fraud risk. Due to the unpredictability of the manner in which management can override internal control measures, this forms a presumed fraud risk.

In many cases, one or more other fraud risks were also identified. These are usually client-specific and sector-specific fraud risks. It is important here to substantiate how and where the risk can occur, who is (possibly) involved, and what the probability and impact of the risk are.

However, we see that the quality of the steps performed in the majority of the investigated audits needs to be improved. Most fraud risk analyses fall short in various areas and need to be carried out more sharply. Sharper means in this case more professionally critical and in-depth. We also see good examples of parts of the fraud risk analyses, and these are included in so-called good practices.

Structure of the report follows the auditor's approach to dealing with fraud risks

The external auditor holds a team discussion and makes a first broad inventory of risks prior to the planning and execution of a statutory audit, and also requests information from the company being audited. Subsequently, fraud risk factors are identified and evaluated. Then, the main fraud risks are identified to be taken into account in the audit. This report follows this structure. The concept of fraud risk analysis is explained further in the visual below (Figure 2).

Figure 2. Auditor's approach to fraud risk analysis

Main lines of the audit process of the external auditor: Planning Phase, Execution, Reporting.

Fraud Risk Analysis:

  • Team Discussions: Discussions between members of the audit team about fraud.
  • Obtaining Information: Obtaining information from management, the Supervisory Board, and others.
  • Fraud Risk Factors: Identifying and evaluating fraud risk factors.
  • Fraud Risks: Identifying and assessing fraud risks.

Legend: number of findings in 32 statutory audits (no findings; one or more findings).

What are the main points of attention for the external auditor resulting from this investigation?

  • Chapter 2.1 Team discussions and obtaining information
    • Remain professionally critical when obtaining information.
    • Pay sufficient attention to the dialogue with management, the supervisory body, and key functionaries about fraud.
  • Chapter 2.2 Identifying and evaluating fraud risk factors
    • Identify sufficient (sector-specific) fraud risk factors.
    • Substantiate why fraud risk factors do or do not lead to a fraud risk.
    • Include not only quantitative but also qualitative aspects in the evaluation of fraud risk factors.
  • Chapter 2.3 Identifying and assessing fraud risks
    • Identify sufficient (client-specific) fraud risks.
    • Remain critical when assessing presumed fraud risks regarding revenue recognition.
    • Make the fraud risk that management overrides internal control measures specific.

The external auditor gains insight into how persons charged with governance exercise oversight on management and its processes to identify fraud risks in the entity and respond to them. It is important to investigate the competence and integrity of management and to ask what the susceptibility of the company is to, among other things, fraud by management.

What are the important investigation results?

  • A team discussion took place in every statutory audit, but the depth and professionally critical discussion must be better.
  • In every fraud risk analysis, inquiries were made regarding cases or suspicions of fraud.
  • External auditors support companies in identifying fraud risks.
  • External auditors must carry out the obtaining of information about fraud more professionally critically.
  • External auditors must devote sufficient time and attention to the dialogue about fraud with management, the supervisory body, and others within a company.

A team discussion took place in every statutory audit, but the depth and professionally critical discussion must be better.

The discussion between the members of the audit team, focused on the question of how and where the annual report may be susceptible to a material misstatement due to fraud, took place in all statutory audits. However, we see that not all relevant aspects are discussed with sufficient depth. Often it appears that not enough...

02 Investigation results

2.1 Team discussions and obtaining information

The role of the external auditor

At the beginning of the audit, holding a team discussion about fraud and obtaining information are important steps for the external auditor to identify (recognize) fraud risks and fraud risk factors. The external auditor requests information from management regarding:

  • Management's own assessment of whether the financial reporting may contain a material misstatement due to fraud.
  • Management's procedure for identifying fraud risks in the entity and responding to them.
  • The information that management may have communicated to persons charged with governance regarding its processes for identifying fraud risks in the entity and responding to them.
  • The information that management may have communicated to its employees regarding its view on business practices and ethical behavior.

The auditor asks various persons within the company if they are aware of actual, suspected, or alleged fraud: not only management, but also persons charged with governance (such as the supervisory board), internal auditors, and other relevant persons within the company.

Management is often in the best position to commit fraud. Therefore, the external auditor evaluates the obtained information with a professionally critical attitude, and it may be necessary to corroborate the answers provided by management with other information.

...tant not, as required, speak with management about fraud, but only or mainly with the CFO and those below (controller, bookkeeper). In addition to the management of the company, the auditor must also check if there are other key functionaries from whom information must be requested, for example, a purchasing or sales director who is evaluated on achieved results. In one-third of the investigated audits, it was not identified who the relevant management and others (e.g., division director or branch director) actually are for obtaining information for the fraud risk analysis.

Good practices

Good practice 1 – Obtaining information – exit interviews

During the financial year, the CFO and two commissioners left the company. The external auditor held exit interviews with them to determine the impact on the statutory audit. This may also yield new insights for the fraud risk analysis.

Good practice 2 – Obtaining information – questionnaire

An accounting organization finds that management and bodies charged with governance of audit clients themselves do not always pay sufficient attention to fraud risks and do not have their own (formalized) fraud risk analysis. The identification and control of fraud risks in these companies often takes place informally. The accounting organization uses videos to draw attention to fraud risks. The accounting organization has also developed a tool (questionnaire) for audit clients to systematically identify fraud risks. This allows the external auditor to easily conduct the conversation with management and stimulates conducting the conversation about fraud risks with sufficient depth.

...which fraud risk factors are applicable and how the discussed factors relate to the elements of the fraud triangle. Also, the final conclusion on whether the fraud risk factors actually constitute a fraud risk is insufficiently substantiated. Because the team discussion did take place and the external auditors provided explanations, we only have a single finding on this subject.

In every fraud risk analysis, inquiries were made regarding cases or suspicions of fraud.

In all 32 fraud risk analyses, the external auditors obtained information regarding cases or suspicions of fraud. Often, the subject of fraud is discussed as part of the audit plan, the management letter, and/or the auditor's report. It is important that the subject of fraud is discussed with sufficient depth in those cases (see good practice 1).

External auditors support companies in identifying fraud risks.

Companies are themselves responsible for adequate fraud risk control. Accountants regularly note that an internal fraud risk analysis is missing and support management with questionnaires, thereby helping them create their own fraud risk analysis and identify fraud risks (see good practice 2).

External auditors must carry out the obtaining of information about fraud more professionally critically.

Often, obtaining information focuses mainly on the question of whether cases of fraud have occurred, and not on identifying and controlling fraud risks and responding to them. The subject of fraud is often only discussed with members of management and the supervisory board as part of the audit plan, the management letter, and/or the auditor's report. This can lead to the subject of fraud receiving insufficient attention and not being discussed with sufficient professional criticality. It is notable that an extensive discussion report and/or minutes are regularly missing, which would show the depth of the conversations and whether a professionally critical attitude was adopted.

External auditors must devote sufficient time and attention to the dialogue with management, the supervisory body, and others within a company about fraud.

Obtaining information does not always take place with the right persons. For example, we see cases where the external auditor...

What are the important investigation results?

  • External auditors use objective sources, such as the CPI index, when identifying and evaluating fraud risk factors.
  • We see good examples of the use of fraud experts.
  • Fraud risk factors were identified in all audits.
  • In 18 of the 32 statutory audits, one or more findings were noted regarding the identification and evaluation of fraud risk factors.
  • External auditors must substantiate why fraud risk factors do or do not lead to a fraud risk.
  • External auditors must include not only quantitative aspects, but precisely also qualitative aspects in the evaluation of fraud risk factors.

External auditors use objective sources, such as the CPI index, when identifying and evaluating fraud risk factors.

In audits of companies with international activities, we see the use of the CPI index³ on the sales and purchasing sides. This CPI index can help in identifying fraud risk factors (and/or fraud risks), for example, transactions with high-risk countries.

We see good examples of the use of fraud experts.

The data requested shows that at the market level, a fraud expert was engaged in approximately 5% of statutory audits. The use of a fraud expert in the discussion between members of the audit team increases the attention for fraud risks and provides a fresh perspective from outside the audit team. From the qualitative investigation, we get the impression that this use contributed positively to the fraud risk analysis (see good practice 3). The data received shows that OOB accounting organizations use fraud experts more often than regular license holders.

Fraud risk factors were identified in all audits.

Most external auditors are familiar with the concept of fraud risk factors that are evaluated and may lead to a fraud risk. In all statutory audits, the external auditor identified one or more fraud risk factors.

3 Corruption Perceptions Index: 2022 Corruption Perceptions Index: Explore the… - Transparency.org.

2.2 Identifying and evaluating fraud risk factors

The role of the external auditor

In the planning phase of an audit, an accountant performs risk assessment procedures, such as obtaining information, becoming familiar with the environment of the audit client, and reviewing minutes of meetings and important correspondence. The accountant also performs a first numerical analysis and becomes familiar with internal regulations, such as a whistleblowing policy. The accountant evaluates whether the information obtained from these procedures indicates the existence of one or more fraud risk factors. These fraud risk factors do not automatically indicate the existence of fraud, but these factors often occur in cases of actual fraud. Therefore, they are an indication for the accountant of a risk of a material misstatement due to fraud. The accountant looks specifically at fraud risk factors that point to:

Figure 3. Fraud Triangle

  • Opportunity
    • Example: shortcomings in internal control.
  • Rationalization
    • Example: dissatisfied employees or the behavior or lifestyle of the CEO.
  • Incentive/Pressure
    • Example: a shareholder demanding yield or a planned sale of the company.

Fraud Risk

Subsequently, the external auditor evaluates and substantiates why fraud risk factors do or do not lead to a fraud risk.

Good practices

Good practice 3 – Added value of using a fraud expert

The statutory audit of a wholesaler involves an increased client and engagement risk, due to, among other things, trade with risky countries and a pending criminal investigation regarding possible non-compliance with legislation and regulations. For the external auditor, this is a reason to pay attention to the risk of (material) shortcomings due to fraud with increased alertness and depth. The external auditor therefore engaged an external fraud expert for this audit.

The fraud expert challenged the fraud risk analysis of the audit team and discussed observations with the audit team. The use of the fraud expert contributed positively to the fraud risk analysis and led to the identification of new and different fraud risk factors and fraud risks for the audit of this company, such as the risk that a debtor payment takes place from a different (unknown) bank account number (third-party payments).

In 18 of the 32 statutory audits, one or more findings were noted regarding the identification and evaluation of fraud risk factors.

An example of this is that obvious fraud risk factors were not identified and/or insufficiently evaluated. This includes, among other things, sector-specific fraud risk factors in purchases and tenders, sales of real estate or land, and anti-money laundering for financial service providers. Examples of fraud risk factors here are the engagement of business intermediaries for which there seems to be no clear business reason, or high turnover among senior management, legal advisors, or persons charged with governance. Other factors could be that management fails to correct known significant shortcomings in internal control in a timely manner, as well as large amounts of cash in the vault or large cash transactions.

External auditors must substantiate why fraud risk factors do or do not lead to a fraud risk.

External auditors must include not only quantitative aspects, but precisely also qualitative aspects in the evaluation of fraud risk factors.

External auditors must identify sufficient (client-specific) fraud risks.

External auditors must remain critical when assessing presumed fraud risks regarding revenue recognition.

External auditors must make the fraud risk that management overrides internal control measures specific.

External auditors must identify sufficient (sector-specific) fraud risk factors.

External auditors must remain professionally critical when obtaining information.

External auditors must pay sufficient attention to the dialogue with management, the supervisory body, and key functionaries about fraud.