2025-01-30
The Dutch Authority for the Financial Markets (AFM) issued a report in January 2025 concluding that auditors frequently fail to perform specific and in-depth procedures to address fraud risks. The regulator found that in 23 of 32 tested statutory audits, accountants did not obtain sufficient appropriate audit evidence, often relying on standard procedures rather than adapting the nature, timing, and extent of work to specific client risks. The AFM demands that audit firms take greater responsibility by improving their professional skepticism and implementing concrete measures to enhance the quality of fraud risk responses.
SUPERVISORY VISUAL SUMMARY JANUARY 2025

Audit procedures for fraud risks are insufficient

In brief

Auditors perform audit procedures to address fraud risks. The AFM investigated the quality of these procedures and concludes that the performed procedures are often insufficiently specific and insufficiently in-depth. This is, for example, because auditors only plan and perform standard procedures, without adapting the nature, timing, and extent to the fraud risk. As a result, the performed audit procedures are often 'too short'. The professional-critical attitude and the fundamental attitude of auditors must improve. The AFM expects auditors (organizations) to take responsibility for the subject of fraud.
Audit procedures for fraud risks are insufficient 2 SUPERVISORY REPORT
to obtain as broad a picture as possible, we chose statutory audits where multiple different fraud risks were identified, as explained by the auditor in the fraud paragraph in the audit report. In addition, we selected a number of group audits. For each statutory audit, we selected at least two fraud risks. In the research, we focused on the risk that management overrides internal control measures [5], including testing journal entries, and on at least one additional (client-specific) fraud risk (Figure 1).

Figure 1. Overview of selected client-specific fraud risks

Other fraud risks are, for example, fraud risks regarding VAT (carousel fraud) and performance agreements with suppliers.

In-depth audit procedures for fraud risks are crucial

Following up on fraud risks is one of the main pillars of a good statutory audit. The Standards prescribe that the auditor must obtain a reasonable degree of assurance as a basis for his opinion on whether the financial statements as a whole are free from a material misstatement resulting from fraud or error. It is thus the core of the auditing profession, precisely because of the importance that users of financial statements attach to reliable information and the decisions made on the basis of that information.

[5] Management override of controls; breaking internal control measures by management.
[6] See in this context also Sector in view 2024 and the NBA report: Analysis of Reporting on fraud in audit reports 2022 – OOBs and non-OOBs: https://www.nba.nl/siteassets/documenten/bijlagen-nieuwsberichten/rapportering-over-fraude-in-de-controleverklaring-2022.pdf.

Fraud risks are an important part of the financial statement audit. Specific audit procedures are planned and executed for this. The auditor then reports on fraud (procedures) in the audit report.
If the auditor performs too few audit procedures or does not do so in sufficient depth, a material misstatement due to fraud may remain undetected. There is a risk that this will result in an incorrect opinion being given or that the audit report is insufficiently substantiated. This can result in unjustified trust among users of the financial statements.

There is attention for fraud, but research results require more in-depth audit procedures for fraud risks

We see in all 32 statutory audits investigated that time and attention were paid to fraud risks and related procedures, but these procedures are too often insufficiently specific and insufficiently in-depth. For 23 of the 32 audits, we noted that the auditor did not obtain sufficient and suitable audit information to address one or more fraud risks (Figure 2). In addition, in many cases there are one or more other findings, for example regarding the fraud paragraph in the audit report or the inclusion of an element of unpredictability. There is a finding if an NV COS standard is not met.

At RV audit firms, we noted one or more findings in the execution of audit procedures addressing assessed fraud risks in 17 of the 20 statutory audits. At the 3 OOB audit firms investigated, we noted one or more findings in 6 of the 12 statutory audits. The number of statutory audits with findings varies between the 3 OOB audit firms.

Improvement is necessary regarding, among other things, the depth of audit procedures. In addition, we again ask for attention to the quality of the fraud risk analysis. It is important here that auditors identify sufficient and the correct (client-specific) fraud risks [6].
In only 9 statutory audits did we note no findings. In 23 of the 32 statutory audits, there are one or more findings, and in 15 of the 32 statutory audits, there are more than two findings (Figure 2). In the research, we also saw good examples of addressing fraud risks. In Chapter 2, we share the good examples we saw in this research.

Figure 2. Number of findings in 32 investigated statutory audits

The audit procedures for fraud risks are insufficiently specific and insufficiently in-depth

Given the importance and special nature of fraud risks, these risks require extra attention in the audit. The auditor must adapt the nature, timing, and extent of the audit procedures to address these risks. In many cases, we see that auditors plan and perform standard procedures on identified fraud risks and do not adapt, or insufficiently adapt, the nature, timing, and extent to check fraud risks. In addition, we saw in 10 statutory audits that the fraud paragraph in the audit report was incorrect or incomplete, thereby painting too rosy a picture of the performed procedures.

Professional-critical attitude and fundamental attitude must improve

In the research, we noted an insufficient professional-critical attitude in 6 statutory audits. This is the case if there are multiple findings noted in audit procedures addressing a fraud risk AND insufficient follow-up was given to contra-indications or special circumstances in the audit.

Auditors (organizations) must take responsibility for fraud

The auditors (organizations) are at stake and must take responsibility for the subject of fraud. The Fraud Working Group of the NBA prepared an 'Exploratory cause analysis of fraud: Fraud requires a more critical fundamental attitude' in 2022. This analysis largely aligns with the AFM's analysis from May 2022.
Briefly summarized, the most important factors for the still insufficient recognition and follow-up of fraud risks are:
(i) Knowledge, skills, and expertise are not always sufficiently present.
(ii) Role perception, attitude, and mindset can fall short regarding the detection of fraud (risks).
(iii) The internal culture of audit firms can be obstructive.

Given the results of this research and the NBA's cause analysis, next steps are necessary. The AFM expects auditors (organizations) to take note of the results of this research, reflect on them, and (if necessary) take concrete improvement measures to increase the quality of the audit procedures that address fraud risks. Here, we explicitly ask for attention for a critical fundamental attitude and sufficient attention for the audit of fraud risks. The AFM will discuss this with the sector in the coming period.
The results of the research are also useful for audit committees

Audit committees play an essential role in ensuring the quality of financial reporting. In addition, audit committees are responsible for supervising the processes followed by management to identify fraud risks in the entity and to address them. We urge audit committees to use the results of this research when discussing the audit plan with the external auditor. Specifically, audit committees can speak with the external auditor about audit procedures that address client-specific fraud risks, audit procedures that address the assessment of the (mandatory) risk that management overrides internal control measures, and the manner in which fraud can occur in revenue recognition.
2. Research results

2.1 Auditors perform insufficient audit procedures to address client-specific fraud risks

The role of the auditor

The auditor plans audit procedures that address identified fraud risks. The auditor must consider these risks as significant risks. In addition, he must assess the design and existence of internal control measures that address these risks. When planning and performing these audit procedures, the auditor must take into account the nature, timing, and extent of these further audit procedures. The auditor must also take into account the fact that audit procedures that are effective in detecting errors may not be effective in detecting fraud. Furthermore, the auditor must take into account the knowledge, skills, and competencies of the team members involved in these audit procedures. The auditor can address the identified risks of a material misstatement resulting from fraud, for example, by assigning additional persons with more experience or specific expertise and knowledge, such as fraud experts and IT experts.

Furthermore, the auditor builds an element of unpredictability into determining the nature, timing, and extent of the audit procedures to be performed. The auditor also evaluates the choice and application of the bases for financial reporting and determines whether they may indicate fraudulent financial reporting as a result of management's attempts to manipulate profit. When the approach to a significant (fraud) risk consists only of data-oriented controls, the procedures must, among other things, consist of detailed tests.

Audit procedures addressing client-specific fraud risks

Examples of client-specific fraud risks are fraud risks in revenue recognition (e.g., cutoff or completeness), corruption (including bribery), payment organization, valuation of work in progress or transactions with related parties.
For these fraud risks, the auditor plans and performs specific (and additional) audit procedures. Characteristic of these audit procedures is that the nature, timing, and extent address the assessed fraud risks at the assertion level.

The auditor can determine that it is necessary to change the nature of the audit procedures to be performed to obtain more reliable and relevant audit information or additional supporting information. This can be done, for example, by on-site observation or inspection of assets (inventory count), using audit software applications, and obtaining external confirmations regarding the details of sales agreements such as return conditions and delivery conditions.

The auditor can determine that it is necessary to adjust the timing of data-oriented procedures, for example, to on or near the balance sheet date or, depending on the assessed risks of intentional misstatement or manipulation, to test transactions that took place during the reporting period. The auditor can also choose to observe the inventory count at certain locations unannounced or to perform the inventory count at all locations on the same date.

The auditor can increase the extent of the performed procedures, for example, by expanding the sample size or by performing more detailed numerical analyses. The use of data analysis can be helpful here.
Planned procedures are insufficient in nature and extent to address the assessed fraud risk

For client-specific fraud risks, the auditor must set up specific audit procedures to address the assessed fraud risk. We see in several statutory audits that the auditor has not planned sufficient procedures to address the fraud risk assessed by him. We see, for example, that auditors, in addition to standard audit procedures, do not plan specific audit procedures to address the fraud risk. The nature and extent of the planned procedures are thus, incorrectly, not adapted by the auditor. We also see in many cases that it was not considered to adjust the timing of procedures. As a result, we note shortcomings in the nature, extent, and depth of the audit procedures actually performed.

Good practice example

We share below a good practice example of involving a fraud expert in all phases of the audit.

Use of fraud expert throughout the entire audit

The auditor involved fraud experts in both the planning and execution phases of the statutory audit. The involvement of these fraud experts made a positive contribution to the quality and depth of the performed audit procedures regarding the risk of fraud and violation of laws and regulations.

[7] Corruption Perceptions Index: https://www.transparency.org/en/cpi/2023.

In 23 statutory audits, we noted one or more findings in the performed audit procedures on fraud risks

In 23 statutory audits, we noted one or more findings. These findings mainly concern the nature and extent of the performed audit procedures AND the depth of the audit procedures. We saw few concrete examples where the timing of the audit procedures was adjusted to address the assessed fraud risk.
The nature and extent of performed audit procedures fall short

For client-specific fraud risks, the auditor must perform specific audit procedures to address the assessed fraud risk. In several statutory audits, we note that the nature and extent of the performed audit procedures fall short. For example, in some cases, the auditor did not perform detailed tests, although this is required if the approach to a significant (fraud) risk consists only of data-oriented audit procedures.

In fraud risks regarding corruption, we see, for example, that auditors obtain an overview in which invoices for agent commissions are included, but subsequently perform insufficient procedures on this because contracts with agents were not assessed and it was not established whether there is a counter-performance. Another example is an analysis of outgoing payments to countries with a low CPI index [7] to establish the business purpose of transactions, but subsequently, the business purpose was not established for several transactions on the basis of source documentation. These procedures were relevant because the auditor, based on the fraud risk, had selected these entries for further verification. The nature of the entries (country, beneficiary, description) also gave rise to further verification via source documentation.

Striking in the audit of the corruption risk is that agent payments and other expenses are considered immaterial, without relating them to the usually evidently material revenue value of, for example, projects obtained via the agent. In practice, the direct transaction flows are often quantitatively immaterial, but the derived transaction flows, such as balance sheet positions or disclosures, are material [8]. Auditors also do not always include qualitative aspects when performing audit procedures. For example, an auditor failed to further verify a special payment with source documentation because the auditor did not consider this entry to be material.
Good practice example

We share below a good practice example of consulting within and outside the audit firm regarding a corruption and money laundering risk.

Consulting within and outside the audit firm (corruption and money laundering risk)

The auditor identified a corruption and money laundering risk. The auditor consulted internally with the technical bureau regarding the procedures to be performed to address this fraud risk. Additionally, the auditor consulted outside the audit firm (at a service organization) and received a number of comments. He followed these up in his audit by obtaining additional information and, where necessary, obtaining additional audit information.

In fraud risks regarding revenue recognition, we see that sometimes only standard audit procedures are performed. Standard procedures are procedures that an auditor performs for material items or flows, regardless of the risk assessment. We also see that no specific audit procedures were performed on the specific assertion on which the fraud risk (according to the auditor) focuses.

[8] NBA guidance 1137: Corruption: auditor's procedures.

In fraud risks regarding the payment organization, we see, for example, that auditors do not perform planned procedures, limit themselves to the largest suppliers or one bank account, or do not establish that the supplier exists and that the service or performance as stated on the invoice was actually delivered.

A recurring finding is that auditors do not go back to source documentation sufficiently when performing tests. Precisely in the case of fraud risks, it is important to perform audit procedures with sufficient depth.

In group audits, we see that the group auditor, in recurring cases, does not sufficiently follow up on special circumstances reported by a component auditor or does not follow up if the component auditor did not report on fraud risks and/or related audit procedures.
We also see that the group auditor sometimes pays no attention at all to fraud risks and audit procedures thereon in his audit instructions. Finally, we have seen that a group auditor has not performed sufficient review work on the audit procedures performed by the component auditor that address fraud risks, for example regarding the procedures concerning journal entries or specific fraud risks in revenue recognition.