In his 2019 report on audit quality and effectiveness, Sir Donald Brydon, the former chairman of the London Stock Exchange Group, described the question of fraud as “the most complex and misunderstood in relation to the auditor’s duties.”
The prevention and detection of fraud within a company is primarily the responsibility of the management under the oversight of those charged with governance. Auditors, along with other members of the corporate governance and reporting ecosystem, also have an important role.
Currently, auditors are responsible for providing reasonable assurance to shareholders that the financial statements are free from material misstatement, whether caused by fraud or error. Data analytics is being used to identify unusual transactions and patterns of transactions that might indicate fraud.
Public opinion, however, suggests that auditors are increasingly expected to play a role that extends beyond providing this reasonable assurance. Recent changes to ASA 315 in relation to material misstatement support this new approach. A collaborative approach to the prevention and detection of fraud is required.
Potential actions for auditors and those responsible for governance may include:
- Mandating the use of data analytics for fraud testing in audits
- Using additional internal and external data and information to enable faster responses to external risk indicators, such as short sellers and whistle-blowers
- Using electronic confirmations for audit evidence wherever possible
- Developing a fraud risk assessment framework for use with audit committees and those charged with governance
- Mandating annual fraud training for all audit professionals
- Requiring the use of forensic specialists in the audit on a targeted-risk basis
A key area of focus in preventing and detecting fraud is business email compromise and the payment scams associated with it. Business email compromise occurs when criminals use email to scam organisations out of money or goods. Criminals can impersonate business managers or associates by using names, domains and/or logos that closely resemble those of a legitimate organisation, or by using compromised email accounts and pretending to be a trusted co-worker.
The evolving external environment, increasingly complex business models and the sophistication of fraudsters require a re-examination of how traditional audit procedures approach the risk of fraud. Whilst most businesses are aware of the risks associated with email compromise, many still do not have appropriate systems and processes in place to prevent scams.
All external auditors should be aware of the potential risks their clients face in relation to payment scams. Key actions to be considered include:
- Establish ongoing cybersecurity training of employees:
Employees should have clear guidance to verify account details and to think critically before actioning unusual requests, and a reporting process for demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.
As a first step, management should establish a clear and consistent business process for workers to verify and validate requests for payment and sensitive information. These processes should involve training of employees to be aware of warning signals including:
- an unexpected change of bank details
- an urgent payment request or threats of serious consequences if payment isn’t made
- unexpected payment requests from someone in a position of authority, particularly if payment requests are unusual from this person
- an email address that doesn’t look quite right, such as the domain name not exactly matching the supplier’s company name.
- Implement strong network security controls:
Management should develop and maintain controls to prevent their network being exploited, specifically in relation to hardware and software utilised by finance, human resources and senior executive teams. Multi-factor authentication should be used wherever there is a risk, even small, of unauthorised access to proprietary information.
- Develop a business email compromise incident response plan:
The business should know how to respond if the ‘unthinkable’ occurs. It’s imperative to have a consistent incident response plan in place. Time is of the essence and every passing moment reduces the likelihood of the funds being recovered.
- Establish formal external reporting processes:
Most importantly, businesses that have been the victim of business email compromise should report the incident to the ACSC and any relevant banking institutions. Passwords should be changed and anyone affected should be notified, including suppliers and customers.
- Consider the risk of insider threat:
Lastly, whilst such a scam may bear the hallmarks of an external business email compromise attack, any investigation should be conscious of the ‘Insider Threat’. There are examples where an attack has involved collusion or been entirely perpetrated by a staff member or vendor.
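The warning signals listed under employee training above (a lookalike sender domain, an unexpected change of bank details, urgency or pressure for secrecy) are exactly the kind of checks that data analytics can apply to a batch of inbound payment requests before a payment is released. The script below is an added illustration and is not from the article or from National Audits Group: the supplier domain allowlist and the three sample emails are constructed, and the signal names and thresholds (edit distance of two, a short list of homoglyph substitutions) are assumptions a practitioner would tune to their own environment.

```python
"""Flag business-email-compromise warning signals in inbound payment requests.

Added example, not from the article. Supplier domains and emails are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allowlist: the domains known suppliers actually send invoices from.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Bank-detail change in either word order: "new bank account" / "account ... changed".
BANK_CHANGE = re.compile(
    r"(\b(new|updated?|changed?)\b.{0,40}\b(bank|account|bsb|iban)\b)"
    r"|(\b(bank|account|bsb|iban)\b.{0,40}\b(new|updated?|changed?)\b)",
    re.I | re.S,
)
# Urgency, threats and pressure for secrecy.
URGENCY = re.compile(
    r"\b(urgent|immediately|today|asap|within the hour|legal action|"
    r"penalt(y|ies)|confidential|do not (tell|discuss))\b",
    re.I,
)


@dataclass
class Email:
    sender: str   # may include a display name, e.g. "Acme <ap@acme-supplies.example>"
    subject: str
    body: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Collapse common homoglyph substitutions (assumed list) so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d


def lookalike_domain(sender_domain: str, known: set[str]) -> str | None:
    """Return the known supplier domain the sender imitates, or None if exact or unrelated."""
    sd = sender_domain.lower()
    if sd in known:
        return None  # exact match with a known supplier: not a lookalike
    for k in sorted(known):
        if normalise(sd) == normalise(k) or levenshtein(sd, k) <= 2:
            return k  # homoglyph swap or small typosquat
        if k.split(".")[0] in sd:
            return k  # supplier name buried in a longer, unrelated domain
    return None


def assess(email: Email) -> list[str]:
    """Return the warning signals raised by one email (empty list means none)."""
    signals: list[str] = []
    domain = email.sender.rsplit("@", 1)[-1].strip(">").lower()
    imitated = lookalike_domain(domain, KNOWN_SUPPLIER_DOMAINS)
    if imitated:
        signals.append(f"lookalike_domain:{imitated}")
    text = f"{email.subject}\n{email.body}"
    if BANK_CHANGE.search(text):
        signals.append("bank_detail_change")
    if URGENCY.search(text):
        signals.append("urgency_or_secrecy")
    return signals


def triage(emails: list[Email]) -> dict[str, list[str]]:
    """Sender -> signals for every email that raised at least one signal."""
    return {e.sender: s for e in emails if (s := assess(e))}


# Constructed sample: one routine invoice and two payment requests bearing the signals above.
SAMPLE_EMAILS = [
    Email("accounts@acme-supplies.example", "Invoice 1042",
          "Please find invoice 1042 attached. Standard 30 day terms apply."),
    Email("Acme Accounts <accounts@acme-supp1ies.example>", "Invoice 1043 - new details",
          "Our bank account details have changed. Please update your records and pay today."),
    Email("ap@northwind.example.billing-notice.example", "Overdue",
          "Please remit payment within the hour to avoid legal action."),
]

if __name__ == "__main__":
    for sender, signals in triage(SAMPLE_EMAILS).items():
        print(f"HOLD PAYMENT  {sender}: {', '.join(signals)}")
```

Any email that raises a signal is held for the out-of-band verification step the training paragraph describes (a call to a known supplier number, not a reply to the email); the script is a filter that surfaces candidates for that human check, not a substitute for it.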
It’s not expected that either management or the external auditor will have the expertise to identify and address all risks associated with unauthorised access to email or other communication platforms. Cybersecurity experts should be engaged to identify potential issues and put in place ongoing monitoring procedures.
ASA 315 has recently been updated to include guidance on the consideration of risks associated with IT hardware, software and security systems (refer to Appendix 4 and Appendix 6 of the standard). Whilst the new standard is effective from financial reporting periods commencing 15 December 2021, it’s important that external auditors now engage in discussions with their clients surrounding these risks.
If you’d like further information on how these risks affect your firm, contact the team at National Audits Group.
James Song | SMSF Audit Manager | National Audits Group