Fraud Risk Resources
This page highlights important PCAOB and SEC resources regarding the auditor’s consideration of fraud in an audit, including:
Tips, referrals, and other information from the public are important sources for PCAOB enforcement and inspections staff and can help identify violations of law or PCAOB rules.
This page is designed to highlight certain important resources, not to replace requirements of PCAOB standards. Please refer to the resources highlighted on this page for more detailed information on fraud risks.
Consideration of Fraud – Overview of the Auditor’s Responsibilities Under PCAOB Standards
General Responsibilities
Under PCAOB standards, the auditor is required to plan and perform the audit of the financial statements to obtain reasonable assurance, which is a high level of assurance, about whether the financial statements are materially misstated due to error or fraud. As this wording suggests, the auditor’s responsibilities are focused on fraud that results in material inaccuracies in, or omissions from, the financial statements. PCAOB standards describe two categories of financial statement fraud:
- Fraudulent financial reporting, and
- Misappropriation of assets
PCAOB standards require the auditor to use due professional care, including applying professional skepticism, in performing the audit. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence.
Consideration of Fraud is an Integral Part of the Audit
The auditor's responsibilities with respect to the consideration of financial statement fraud (or simply “fraud” for purposes of this overview) are an integral part of the audit. PCAOB standards require the auditor to consider fraud throughout the course of the audit.
The auditor’s consideration of fraud begins at the earliest stages of engagement acceptance or retention, audit planning and risk assessment. It then continues throughout the auditor’s response to the identified and assessed risks, all the way to evaluating audit results and forming the opinion to be expressed in the auditor’s report.
Engagement Acceptance and Retention
Under PCAOB standards, auditors are directed to consider risks related to fraud even before commencing an audit. PCAOB quality control standards state that firms should establish policies and procedures for deciding whether to accept or continue a relationship with a company and whether to perform a specific engagement for that company. Such policies and procedures should provide the firm with reasonable assurance that the likelihood of association with a company whose management lacks integrity is minimized. The auditor should evaluate whether information obtained from the acceptance and retention evaluation process is relevant to identifying risks of material misstatement. This evaluation includes information that could raise concerns about management’s integrity.
Audit Planning
Planning the audit encompasses such matters as establishing the strategy for the audit and determining the audit procedures to be performed. As part of audit planning, the auditor is required to evaluate certain matters, including the auditor's preliminary judgments about risks, which include fraud risks.
Risk Assessment
PCAOB standards require auditors to perform risk assessment procedures that are sufficient to provide a reasonable basis for assessing the risks of material misstatement, whether due to error or fraud, and designing further audit procedures. The risk assessment procedures required by PCAOB standards are intended to direct the auditor to identify external and company-specific factors that affect risks due to error or fraud, such as fraud risk factors (for example, factors that create pressures to manipulate the financial statements).
Some required risk assessment procedures and procedures performed when identifying and assessing risks are directed specifically at risks of material misstatement due to fraud (“fraud risks”), such as:
- Conducting a discussion among the engagement team members of the potential for material misstatement due to fraud;
- Inquiring of the audit committee, management, internal auditors, and others about fraud risks;
- Performing analytical procedures relating to revenue for the purpose of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, including material misstatement due to fraud;
- Considering factors relevant to identifying fraud risks, including in particular, fraud risks related to improper revenue recognition, management override of controls, and risk that fraud could be perpetrated or concealed through omission of disclosures or presentation of incomplete or inaccurate disclosures; and
- Evaluating the design of controls that address fraud risks.
A substantial number of the other required risk assessment procedures also can provide information that is relevant to the auditor’s consideration of fraud.
Responding to Risks of Material Misstatement
Auditors are required to design and implement audit responses that address the risks of material misstatement, including fraud risks. PCAOB standards establish requirements for two types of responses – overall responses that have an overall effect on how the audit is conducted, and responses involving the performance of audit procedures.
Overall Audit Responses. Two required overall audit responses are especially relevant to addressing fraud risks:
- Incorporating an element of unpredictability in the selection of audit procedures to be performed, such as selecting items for testing that are outside customary selection parameters or performing procedures on an unannounced basis; and
- Evaluating whether the company’s selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions, are indicative of bias that could lead to material misstatement of the financial statements.
Importantly, the auditor’s responses to the assessed risks of material misstatement, particularly fraud risks, should involve the application of professional skepticism in gathering and evaluating audit evidence. Examples of the application of professional skepticism in response to assessed fraud risks are:
- Modifying the planned audit procedures to obtain more reliable evidence regarding relevant assertions; and
- Obtaining sufficient appropriate evidence to corroborate management’s explanations or representations concerning important matters, such as through third-party confirmation, use of a specialist engaged or employed by the auditor, or examination of documentation from independent sources.
Audit Procedures. PCAOB standards require auditors to perform substantive procedures, including tests of details, that are specifically responsive to the identified fraud risks. PCAOB standards provide examples of ways to modify audit procedures and respond to specific types of fraud risks. In addition, auditors are required to perform the following procedures to specifically address the risk of management override of controls:
- Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud;
- Reviewing accounting estimates for biases that could result in material misstatement due to fraud; and
- Evaluating whether the business purpose for significant unusual transactions indicates that the transactions may have been entered into to engage in fraud.
Several PCAOB standards include requirements regarding audit procedures that are relevant to addressing fraud risks. Examples of such audit procedures include:
- Confirmation of accounts receivable;
- Observation of inventories; and
- Evaluating a company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties.
Evaluating Audit Results
In forming an opinion on whether the financial statements are presented fairly, in all material respects, in conformity with the applicable financial reporting framework, PCAOB standards require the auditor to take into account all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements. The procedures the auditor is required to perform in evaluating the results of the audit include procedures that relate to the auditor’s consideration of fraud, such as:
- In the overall review of the financial statements, evaluating whether unusual or unexpected transactions, events, amounts, or relationships indicate fraud risks that were not identified previously;
- Evaluating whether identified misstatements might be indicative of fraud and performing additional procedures as necessary;
- Evaluating potential management bias in the amounts and disclosures in the financial statements; and
- Evaluating whether the accumulated results of auditing procedures and other observations affect the assessment of the fraud risks made throughout the audit and whether the audit procedures need to be modified to respond to those risks.
Additional Fraud Considerations in Audits of Internal Control Over Financial Reporting
PCAOB standards require the auditor to take into account the results of his or her fraud risk assessments when planning and performing the audit of internal control over financial reporting. As part of identifying and testing entity-level controls and selecting other controls to test, the auditor should evaluate whether the company's controls sufficiently address identified fraud risks and controls intended to address the risk of management override of other controls. Controls that might address these risks include:
- Controls over significant unusual transactions, particularly those that result in late or unusual journal entries;
- Controls over journal entries and adjustments made in the period-end financial reporting process;
- Controls over related party transactions;
- Controls related to significant management estimates; and
- Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.
If the auditor identifies deficiencies in controls designed to prevent or detect fraud during the audit of internal control over financial reporting, the auditor should take into account those deficiencies when developing his or her response to risks of material misstatement during the financial statement audit.
PCAOB and SEC Staff Guidance
PCAOB
- PCAOB Staff Audit Practice Alert No. 15, Matters Related to Auditing Revenue from Contracts with Customers (Oct. 5, 2017)
- PCAOB Staff Audit Practice Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements (September 9, 2014)
- PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (December 4, 2012)
- PCAOB Staff Audit Practice Alert No. 9, Assessing and Responding to Risk in the Current Economic Environment (December 6, 2011)
- PCAOB Staff Audit Practice Alert No. 8, Audit Risks in Certain Emerging Markets (October 3, 2011)
- PCAOB Staff Audit Practice Alert No. 5, Auditor Considerations Regarding Significant Unusual Transactions (April 10, 2010)
- PCAOB Staff Audit Practice Alert No. 2, Matters Related to Auditing Fair Value Measurements of Financial Instruments and the Use of Specialists (December 10, 2007)
- PCAOB Staff Audit Practice Alert No. 1, Matters Related to Timing and Accounting For Option Grants (July 28, 2006)
- PCAOB Staff Guidance for Auditors of SEC-Registered Brokers and Dealers (June 26, 2014)
SEC
PCAOB Inspection Spotlights
- Spotlight: Inspection Observations Related to Public Company Audit Involving Crypto Assets
- Spotlight: Observations From the Target Team’s 2022 Inspections
- Spotlight: Staff Update and Preview of 2022 Inspection Observations
- Spotlight: Observations From the Target Team’s 2021 Inspections
Relevant PCAOB and SEC Enforcement Actions since June 30, 2022
PCAOB
- Order Instituting Disciplinary Proceedings, Making Findings, and Imposing Sanctions: In the Matter of PricewaterhouseCoopers Auditing Company SA, Respondent, PCAOB Release No. 105-2023-027 (Nov. 14, 2023)
- Order Instituting Disciplinary Proceedings, Making Findings, and Imposing Sanctions: In the Matter of Eddie Wong, CPA, and Neil W. Ehrenkrantz, CPA, Respondents, PCAOB Release No. 105-2023-006 (Jun. 22, 2023)
SEC
- In the Matter of Crowe U.K. LLP, Nigel D. Bostock, FCA, and Matthew C. Stallabrass, FCA, SEC AAER No. 4438 (August 14, 2023)
- In the Matter of RSM US LLP, SEC AAER No. 4346 (September 30, 2022)
- In the Matter of Berkower LLC; Michael G. Mullen, CPA; and Maurice Berkower, CPA, SEC AAER No. 4350 (September 30, 2022)
- In the Matter of CohnReznick LLP, SEC AAER 4309 (June 8, 2022)
Standard-Setting Project on Fraud Risk
The PCAOB has a standard-setting project to consider how AS 2401, Consideration of Fraud in a Financial Statement Audit, should be revised to better align an auditor’s responsibilities for addressing intentional acts that result in material misstatements in financial statements with the auditor’s risk assessment, including addressing matters that may arise from developments in the use of technology.