• Investment World
• eWorld
• Catalyst
• Mentor
• Life
• Canvas
• Praxis
• Urban Pulse
• Brand Quest

D. Murali

CHENNAI, Nov. 14

TWO new auditing standards are on the anvil. These are from the Auditing and Assurance Standards Board (AASB) of the Institute of Chartered Accountants of India (ICAI). One is about auditing in a computer information systems environment, and the other takes a re-look at an earlier standard on an ever-hot topic, `fraud and error'. The abbreviation AASB rhymes with FASB of the US and is the new name of the Auditing Practices Committee (APC), something that would remind old-timers of a headache pill.

Computers have become too ubiquitous and there is no escape for auditors and so there is the proposed standard for auditing what is called the CIS, not the mutant USSR, but computer information systems. For the purposes of this AAS, a CIS environment exists "when one or more computer(s) of any type or size is (are) involved in the processing of financial information, including quantitative data, of significance to the audit, whether those computers are operated by the entity or by a third party." In bold letters, it mandates that the auditor should have "sufficient knowledge of the CIS to plan, direct, supervise, control and review the work performed". No escape, therefore.

The inherent risks and control risks in a CIS environment may have both a pervasive effect and an account-specific effect on the likelihood of material misstatements, warns the ICAI. "The risks may result from deficiencies in pervasive CIS activities such as programme development and maintenance, system software support, operations, physical CIS security, and control over access to special-privilege utility programs. And the risks may increase the potential for errors or fraudulent activities in specific applications, in specific databases or master files, or in specific processing activities." More worryingly for CAs, as new CIS technologies emerge, overall sophistication of CIS increases as also the complexity of the specific applications that they affect. "As a result, they may increase risk and require further consideration." Which means less sleep for auditors. The fraud and error pronouncement, as it stands in the rulebook is SAP 4 establishes standards on the auditor's responsibility to consider fraud and error in an audit of financial statements. The proposed revision is a detailed document as compared to the existing SAP, states the ICAI press note, and deals extensively with important aspects such as: responsibility of those charged with governance regarding frauds; types of frauds; duties of the auditor as also the procedures to be employed by him; discussions with the management and those charged with governance; inherent and control risk vis-à-vis fraud situations; audit procedures in case of suspected frauds; evaluating possible fraud indications; effect of frauds on auditor's report and so on.

What is fraud? It is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud is a `broad legal concept' and the auditor is concerned with fraudulent acts that cause a material misstatement in the financial statements. Contrary to popular expectation, auditors do not make legal determinations of whether fraud has actually occurred.

Frauds come in all shapes and sizes. Those involving one or more members of management or those charged with governance are "management frauds"; and fraud involving only employees of the entity is referred to as "employee fraud". In either case, there may be collusion with third parties outside the entity. In some cases, management itself may be a fraud, as in the case of a fly-by-night operator.

What differentiates fraud from error is "whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional". Unlike error, fraud is intentional and usually involves deliberate concealment of the facts. "While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is difficult, if not impossible, for the auditor to determine intent, particularly in matters involving management judgment, such as accounting estimates and the appropriate application of accounting principles." The auditor is not a mind reader, that is.

Beware; an auditor cannot obtain absolute assurance that material misstatements in the financial statements will be detected. "Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements will not be detected, even though the audit is properly planned and performed in accordance with SAPs. An audit does not guarantee that all material misstatements will be detected because of such factors as the use of judgment, the use of testing, the inherent limitations of internal control and the fact that much of the evidence available to the auditor is persuasive rather than conclusive in nature. For these reasons, the auditor is able to obtain only a reasonable assurance." The operative word is `reasonable'. And the audit report is not a guarantee card.

The appendices to the exposure draft (ED) contain examples of risk factors relating to misstatements resulting from frauds, modifications of procedures in response to the assessment of fraud risk factors, and circumstances that indicate the possibility of fraud or error. The EDs are open for comments from the members of the Institute as well as the public, at large, till December 10, 2002.

Send this article to Friends by E-Mail
Comment on this article to BLFeedback@thehindu.co.in

Stories in this Section
Ferguson `cleared' of shredding charges

Copyright © 2002, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line