Revisions to the UK Auditing Standard on Fraud (ISA (UK) 240)

On 27 May 2021 the Financial Reporting Council (FRC) issued a revision of its UK auditing standard on the responsibilities of auditors relating to fraud (ISA (UK) 240). The revisions are consistent with the government’s proposed changes within their white paper “Restoring trust in audit and corporate governance” and aim to bring clarity in relation to auditors’ obligations in tackling fraudulent misstatements in company accounts. Practitioners must be alert to the amendments which introduce several tougher rules particularly around risk assessment.  The new standards will be effective for audits of financial statements for periods commencing on or after 15 December 2021.

The updated version of the audit standard will require auditors to obtain “reasonable assurance” about whether a company’s financial statements are free from material misstatement due to fraud. The revisions highlight that the risk of not detecting a misstatement due to fraud may be higher than the risk related to error.

The update provides that “reasonable assurance is a high, but not absolute, level of assurance”. Practically this means that auditors will not be expected to spot every fraud and question every piece of information they are provided with, so long as they have carried out appropriate checks and carry out their duties with “professional scepticism”. As the requirement for “professional scepticism” effectively goes to the mindset of the auditor, unsurprisingly there is no ‘tick box’ direction as to how this is to be achieved.  However, guidance within the updated standard states that auditors should remain alert to:

• Both corroborative and contradictory audit evidence
• Conditions that indicate a record or document may not be authentic

The revisions stress that auditors must remain unbiased and not let their past experience or opinion of a management team’s integrity effect the treatment of the audit.

In addition to the above, the FRC provides supplemental guidance in relation to the auditor’s performance of the risk assessment procedures. The FRC stress that a clear understanding of fraud risk factors is required. If indicators of fraud are found, auditors must consider what specialist knowledge and expertise they need to carry out an effective risk assessment. The revisions also include a new requirement for the auditor’s report to explain to what extent the audit was considered capable of detecting irregularities, including fraud, and how the auditor planned and performed its procedures to identify and assess the risk of material misstatement.

Whilst the audit standard revisions do not alter the fact that the primary responsibility for the prevention and detection of fraud rests with the entity’s management, they do emphasise that UK auditors will be expected to challenge the management’s assessment and audit evidence more robustly.

The FRC are clearly trying to change the mindset of the auditor. The problem with stance is that it is difficult to enshrine such a concept in any clear guidance for auditors and this is evidenced by the broad nature of the wording used. It is possible that the tougher stance, coupled with the loose guidance, will result in more auditors facing enforcement action by the FRC. Whether the new tougher rules will make any significant difference in an auditor’s chance of finding fraud (which is of course often incredibly difficult to identify) will be interesting to see, particularly as we emerge from the Covid 19 pandemic. During the pandemic, many billions of pounds of taxpayers’ money is thought to have been fraudulently claimed from the government’s business support schemes, which will no doubt exasperate the challenges faced by auditors going forward.