Auditing and Assurance Standard (AAS) 4 (Revised)*

The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements

The following is the text of the Auditing and
Assurance Standard (AAS) 4 (Revised), "The Auditor's Responsibility to
Consider Fraud and Error in an Audit of Financial Statements" issued
by the Council of the Institute of Chartered Accountants of India.
This Standard should be read in conjunction with the "Preface to the
Statements on Standard Auditing Practices" issued by the Institute.[1]
From the date this AAS becomes effective, Statement on Standard
Auditing Practices (SAP) 4, "Fraud and Error"[2] shall stand withdrawn.

Introduction

1. The purpose of this Statement on Standard Auditing
Practices (SAP) is to establish standards on the auditor's
responsibility to consider fraud and error in an audit of financial
statements. While this SAP focuses on the auditor's responsibilities
with respect to fraud and error, the primary responsibility for the
prevention and detection of fraud and error rests with both those
charged with governance and the management of an entity. In this
Standard, the term 'financial information' encompasses 'financial
statements'. In some circumstances, specific legislations and
regulations may require the auditor to undertake procedures additional
to those set out in this AAS.[3]

2. When planning and performing audit procedures
and evaluating and reporting the results thereof, the auditor should
consider the risk of material misstatements in the financial
statements resulting from fraud or error.

Fraud and Error and Their Characteristics

3. Misstatements in the financial statements can arise
from fraud or error. The term "error" refers to an unintentional
misstatement in the financial statements, including the omission of an
amount or a disclosure, such as:
- A mistake in gathering or processing data from
  which financial statements are prepared.
- An incorrect accounting estimate arising from
  oversight or misinterpretation of facts.
- A mistake in the application of accounting
  principles relating to measurement, recognition, classification,
  presentation, or disclosure.

4. The term "fraud" refers to an intentional act by
one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of
deception to obtain an unjust or illegal advantage. Although fraud is
a broad legal concept, the auditor is concerned with fraudulent acts
that cause a material misstatement in the financial statements.
Misstatement of the financial statements may not be the objective of
some frauds. Auditors do not make legal determinations of whether
fraud has actually occurred. Fraud involving one or more members of
management or those charged with governance is referred to as
"management fraud"; fraud involving only employees of the entity is
referred to as "employee fraud". In either case, there may be
collusion with third parties outside the entity.

5. Two types of intentional misstatements are relevant
to the auditor's consideration of fraud: misstatements resulting from
fraudulent financial reporting and misstatements resulting from
misappropriation of assets.

6. Fraudulent financial reporting involves intentional
misstatements or omissions of amounts or disclosures in financial
statements to deceive financial statement users. Fraudulent financial
reporting may involve:
- Deception such as manipulation, falsification, or
  alteration of accounting records or supporting documents from which
  the financial statements are prepared.
- Misrepresentation in, or intentional omission
  from, the financial statements of events, transactions or other
  significant information.
- Intentional misapplication of accounting
  principles relating to measurement, recognition, classification,
  presentation, or disclosure.

7. Misappropriation of assets involves the theft of an
entity's assets. Misappropriation of assets can be accomplished in a
variety of ways (including embezzling receipts, stealing physical or
intangible assets, or causing an entity to pay for goods and services
not received); it is often accompanied by false or misleading records
or documents in order to conceal the fact that the assets are missing.

8. Fraud involves motivation to commit fraud and a
perceived opportunity to do so. Individuals might be motivated to
misappropriate assets, for example, because the individuals are living
beyond their means. Fraudulent financial reporting may be committed
because management is under pressure, from sources outside or inside
the entity, to achieve an expected (and perhaps unrealistic) earnings
target particularly when the consequences to management of failing to
meet financial goals can be significant. A perceived opportunity for
fraudulent financial reporting or misappropriation of assets may exist
when an individual believes internal control could be circumvented,
for example, because the individual is in a position of trust or has
knowledge of specific weaknesses in the internal control system.

9. The distinguishing factor between fraud and error
is whether the underlying action that results in the misstatement in
the financial statements is intentional or unintentional. Unlike
error, fraud is intentional and usually involves deliberate
concealment of the facts. While the auditor may be able to identify
potential opportunities for fraud to be perpetrated, it is difficult,
if not impossible, for the auditor to determine intent, particularly
in matters involving management judgment, such as accounting estimates
and the appropriate application of accounting principles.

Responsibility of Those Charged With Governance and of Management

10. The primary responsibility for the prevention and
detection of fraud and error rests with both those charged with the
governance and the management of an entity. The respective
responsibilities of those charged with governance and management may
vary from entity to entity. Management, with the oversight of those
charged with governance, needs to set the proper tone, create and
maintain a culture of honesty and high ethics, and establish
appropriate controls to prevent and detect fraud and error within the
entity.

11. It is the responsibility of those charged with
governance of an entity to ensure, through oversight of management,
the integrity of an entity's accounting and financial reporting
systems and that appropriate controls are in place, including those
for monitoring risk, financial control and compliance with the laws
and regulations.

12. It is the responsibility of the management of an
entity to establish a control environment and maintain policies and
procedures to assist in achieving the objective of ensuring, as far as
possible, the orderly and efficient conduct of the entity's business.
This responsibility includes implementing and ensuring the continued
operation of accounting and internal control systems, which are
designed to prevent and detect fraud and error. Such systems reduce
but do not eliminate the risk of misstatements, whether caused by
fraud or error. Accordingly, management assumes responsibility for any
remaining risk.

Responsibilities of the Auditor

13. As described in AAS 2,[4]
"Objective and Scope of the Audit of Financial Statements", the
objective of an audit of financial statements, prepared within a
framework of recognised accounting policies and practices and relevant
statutory requirements, if any, is to enable an auditor to express an
opinion on such financial statements. An audit conducted in accordance
with the auditing standards generally accepted in India[5]
is designed to provide reasonable assurance that the financial
statements taken as a whole are free from material misstatement,
whether caused by fraud or error. The fact that an audit is carried
out may act as a deterrent, but the auditor is not and cannot be held
responsible for the prevention of fraud and error.

Inherent Limitations of an Audit

14. An auditor cannot obtain absolute assurance that
material misstatements in the financial statements will be detected.
Owing to the inherent limitations of an audit, there is an unavoidable
risk that some material misstatements of the financial statements will
not be detected, even though the audit is properly planned and
performed in accordance with the auditing standards generally accepted
in India. An audit does not guarantee that all material misstatements
will be detected because of such factors as the use of judgment, the
use of testing, the inherent limitations of internal control and the
fact that much of the evidence available to the auditor is persuasive
rather than conclusive in nature. For these reasons, the auditor is
able to obtain only a reasonable assurance that material misstatements
in the financial statements will be detected.

15. The risk of not detecting a material misstatement
resulting from fraud is higher than the risk of not detecting a
material misstatement resulting from error because fraud, generally,
involves sophisticated and carefully organized schemes designed to
conceal it, such as forgery, deliberate failure to record
transactions, or intentional misrepresentations being made to the
auditor. Such attempts at concealment may be even more difficult to
detect when accompanied by collusion. Collusion may cause the auditor
to believe that evidence is persuasive when it is, in fact, false. The
auditor's ability to detect a fraud depends on factors such as the
skillfulness of the perpetrator, the frequency and extent of
manipulation, the degree of collusion involved, the relative size of
individual amounts manipulated, and the seniority of those involved.
Audit procedures that are effective for detecting an error may be
ineffective for detecting fraud.

16. Furthermore, the risk of the auditor not detecting
a material misstatement resulting from management fraud is greater
than for employee fraud, because those charged with governance and
management are often in a position that assumes their integrity and
enables them to override the formally established control procedures.
Certain levels of management may be in a position to override control
procedures designed to prevent similar frauds by other employees, for
example, by directing subordinates to record transactions incorrectly
or to conceal them. Given its position of authority within an entity,
management has the ability to either direct employees to do something
or solicit their help to assist management in carrying out a fraud,
with or without the employees' knowledge.

17. The auditor's opinion on the financial statements
is based on the concept of obtaining reasonable assurance; hence, in
an audit, the auditor does not guarantee that material misstatements,
whether from fraud or error, will be detected. Therefore, the
subsequent discovery of a material misstatement of the financial
statements resulting from fraud or error does not, in and of itself,
indicate:
- failure to obtain reasonable assurance,
- inadequate planning, performance or judgment,
- absence of professional competence and due care, or,
- failure to comply with auditing standards
  generally accepted in India.

This is particularly the case for certain kinds of
intentional misstatements, since auditing procedures may be
ineffective for detecting an intentional misstatement that is
concealed through collusion between or among one or more individuals
among management, those charged with governance, employees, or third
parties, or involves falsified documentation. Whether the auditor has
performed an audit in accordance with auditing standards generally
accepted in India is determined by the adequacy of the audit
procedures performed in the circumstances and the suitability of the
auditor's report based on the result of these procedures.

Professional Skepticism

18. The auditor plans and performs an audit with an
attitude of professional skepticism. Such an attitude is necessary for
the auditor to identify and properly evaluate, for example:
- Matters that increase the risk of a material
  misstatement in the financial statements resulting from fraud or
  error (for instance, management's characteristics and influence over
  the control environment, industry conditions, and operating
  characteristics and financial stability).
- Circumstances that make the auditor suspect that
  the financial statements are materially misstated.
- Evidence obtained (including the auditor's
  knowledge from previous audits) that brings into question the
  reliability of management representations.

19. However, unless the audit reveals evidence to the
contrary, the auditor is entitled to accept records and documents as
genuine. Accordingly, an audit performed in accordance with auditing
standards generally accepted in India rarely contemplates
authentication of documentation, nor are auditors trained as, or
expected to be, experts in such authentication.

Planning Discussions

20. In planning the audit, the auditor should
discuss with other members of the audit team, the susceptibility of
the entity to material misstatements in the financial statements
resulting from fraud or error.

21. Such discussions would involve considering, for
example, in the context of the particular entity, where errors may be
more likely to occur or how fraud might be perpetrated. Based on these
discussions, members of the audit team may gain a better understanding
of the potential for material misstatements in the financial
statements resulting from fraud or error in the specific areas of the
audit assigned to them, and how the results of the audit procedures
that they perform may affect other aspects of the audit. Decisions may
also be made as to which members of the audit team will conduct
certain inquiries or audit procedures, and how the results of those
inquiries and procedures will be shared.

Inquiries of Management

22. When planning the audit, the auditor should make
inquiries of management:
- to obtain an understanding of:
  - management's assessment of the risk that the
    financial statements may be materially misstated as a result of
    fraud; and
  - the accounting and internal control systems
    management has put in place to address such risk;
- to obtain knowledge of management's understanding
  regarding the accounting and internal control systems in place to
  prevent and detect error;
- to determine whether management is aware of any
  known fraud that has affected the entity or suspected fraud that the
  entity is investigating; and
- to determine whether management has discovered
  any material errors.

23. The auditor supplements his own knowledge of the
entity's business by making inquiries of management regarding
management's own assessment of the risk of fraud and the systems in
place to prevent and detect it. In addition, the auditor makes
inquiries of management regarding the accounting and internal control
systems in place to prevent and detect error. Since management is
responsible for the entity's accounting and internal control systems
and for the preparation of the financial statements, it is appropriate
for the auditor to inquire of management how it is discharging these
responsibilities. Matters that might be discussed as part of these
inquiries include:
- whether there are particular subsidiary
  locations, business segments, types of transactions, account
  balances or financial statement categories where the possibility of
  error may be high, or where fraud risk factors may exist, and how
  they are being addressed by management;
- the work of the entity's internal audit function
  and whether internal audit has identified fraud or any serious
  weaknesses in the system of internal control; and
- how management communicates to employees its view
  on responsible business practices and ethical behavior, such as
  through ethics policies or codes of conduct.

24. The nature, extent and frequency of management's
assessment of such systems and risk vary from entity to entity. In
some entities, management may make detailed assessments on an annual
basis or as part of continuous monitoring. In other entities,
management's assessment may be less formal and less frequent. The
nature, extent and frequency of management's assessment are relevant
to the auditor's understanding of the entity's control environment.
For example, the fact that management has not made an assessment of
the risk of fraud may be indicative of the lack of importance that
management places on internal control.

25. It is also important that the auditor obtains an
understanding of the design of the accounting and internal control
systems within the entity. In designing such systems, management makes
informed judgments on the nature and extent of the control procedures
it chooses to implement and the nature and extent of the risks it
chooses to assume. As a result of making these inquiries of
management, the auditor may learn, for example, that management has
consciously chosen to accept the risk associated with a lack of
segregation of duties. Information from these inquiries may also be
useful in identifying fraud risk factors that may affect the auditor's
assessment of the risk that the financial statements may contain
material misstatements caused by fraud.

26. It is also important for the auditor to inquire
about management's knowledge of frauds that have affected the entity,
suspected frauds that are being investigated, and material errors that
have been discovered. Such inquiries might indicate possible
weaknesses in control procedures if, for example, a number of errors
have been found in certain areas. Alternatively, such inquiries might
indicate that control procedures are operating effectively because
anomalies are being identified and investigated promptly.

27. Although the auditor's inquiries of management may
provide useful information concerning the risk of material
misstatements in the financial statements resulting from employee
fraud, such inquiries are unlikely to provide useful information
regarding the risk of material misstatements in the financial
statements resulting from management fraud. Accordingly, the auditor's
follow-up of fraud risk factors, as discussed in paragraph 39, is of
particular relevance in relation to management fraud.

Discussions with Those Charged with Governance

28. Those charged with governance of an entity have
oversight responsibility for systems for monitoring risk, financial
control and compliance with the law. In case of clients whose
corporate governance practices are well developed and those charged
with governance play an active role in oversight of how management has
discharged its responsibilities, auditors are encouraged to seek the
views of those charged with governance on the adequacy of accounting
and internal control systems in place to prevent and detect fraud and
error, the risk of fraud and error, and the competence and integrity
of management. Such inquiries may, for example, provide insights
regarding the susceptibility of the entity to management fraud. The
auditor may have an opportunity to seek the views of those charged
with governance during, for example, a meeting with the audit
committee to discuss the general approach and overall scope of the
audit and eliciting views of independent directors. This discussion
may also provide those charged with governance with the opportunity to
bring matters of concern to the auditor's attention.

29. Since the responsibilities of those charged with
governance and management may vary by entity, it is important that the
auditor understands the nature of these responsibilities within an
entity to ensure that the inquiries and communications described above
are directed to the appropriate individuals.[6]

30. In addition, following the inquiries of management
described in paragraphs 22-27, the auditor considers whether there are
any matters of governance interest to be discussed with those charged
with governance of the entity.[7]
Such matters may include for example:
- Concerns about the nature, extent and frequency
  of management's assessments of the accounting and control systems in
  place to prevent and detect fraud and error, and of the risk that
  the financial statements may be misstated.
- A failure by management to address appropriately
  material weaknesses in internal control identified during the prior
  period's audit.
- The auditor's evaluation of the entity's control
  environment, including questions regarding management's competence
  and integrity.
- The effect of any matters, such as those above,
  on the general approach and overall scope of the audit, including
  additional procedures that the auditor may need to perform.

Audit Risk

31. SAP[8] 6 (Revised), "Risk Assessments and Internal Control," paragraph 3,
states that "audit risk" is the risk that the auditor gives an
inappropriate audit opinion when the financial statements are
materially misstated. Such misstatements can result from either fraud
or error. AAS 6 (Revised) identifies the three components of audit
risk i.e., inherent risk, control risk and detection risk, and also
provides guidance on how to assess these risks.

Inherent Risk and Control Risk

32. When assessing inherent risk and control risk in
accordance with AAS 6 (Revised), "Risk Assessments and Internal
Control", the auditor should consider how the financial statements
might be materially misstated as a result of fraud or error. In
considering the risk of material misstatement resulting from fraud,
the auditor should consider whether fraud risk factors are present
that indicate the possibility of either fraudulent financial reporting
or misappropriation of assets.

33. AAS 6 (Revised), "Risk Assessments and Internal
Control", describes the auditor's assessment of inherent risk and
control risk, and how those assessments affect the nature, timing and
extent of the audit procedures. In making those assessments, the
auditor considers how the financial statements might be materially
misstated as a result of fraud or error.

34. The fact that fraud is usually concealed can make
it very difficult to detect. Nevertheless, using the auditor's
knowledge of the business, the auditor may identify events or
conditions that provide an opportunity, a motive or a means to commit
fraud, or indicate that fraud may already have occurred. Such events
or conditions are referred to as "fraud risk factors". For example, a
document may be missing, a general ledger may be out of balance, or an
analytical procedure may not make sense. However, these conditions may
be the result of circumstances other than fraud. Therefore, fraud risk
factors do not necessarily indicate the existence of fraud; however,
they often have been present in circumstances where frauds have
occurred. The presence of fraud risk factors may affect the auditor's
assessment of inherent risk or control risk. Examples of fraud risk
factors are set out in Appendix 1 to this AAS.

35. Fraud risk factors cannot easily be ranked in order
of importance or combined into effective predictive models. The
significance of fraud risk factors varies widely. Some of these
factors will be present in entities where the specific conditions do
not present a risk of material misstatement. Accordingly, the auditor
exercises professional judgment when considering fraud risk factors
individually or in combination and whether there are specific controls
that mitigate the risk.

36. Although the fraud risk factors described in
Appendix 1 cover a broad range of situations typically faced by
auditors, they are only examples. Moreover, not all of these examples
are relevant in all circumstances, and some may be of greater or
lesser significance in entities of different size, with different
ownership characteristics, in different industries, or because of
other differing characteristics or circumstances. Accordingly, the
auditor uses professional judgment when assessing the significance and
relevance of fraud risk factors and determining the appropriate audit
response.

37. The size, complexity, and ownership characteristics
of the entity have a significant influence on the consideration of
relevant fraud risk factors. For example, in the case of a large
entity, the auditor ordinarily considers factors that generally
constrain improper conduct by management, such as the effectiveness of
those charged with governance, and the internal audit function. The
auditor also considers what steps have been taken to enforce a formal
code of conduct, and the effectiveness of the budgeting system. In the
case of a small entity, some or all of these considerations may be
inapplicable or less important. For example, a smaller entity might
not have a written code of conduct but, instead, may have developed a
culture that emphasizes the importance of integrity and ethical
behavior through oral communication and by management example.
Domination of management by a single individual in a small entity does
not generally, in and of itself, indicate a failure by management to
display and communicate an appropriate attitude regarding internal
control and the financial reporting process. Furthermore, fraud risk
factors considered at a business segment operating level may provide
different insights than the consideration thereof at an entity-wide
level.

38. The presence of fraud risk factors may indicate
that the auditor will be unable to assess control risk at less than
high for certain financial statement assertions. On the other hand,
the auditor may be able to identify internal controls designed to
mitigate those fraud risk factors that the auditor can test to support
a control risk assessment below high.

Detection Risk

39. Based on the auditor's assessment of inherent
and control risks (including the results of any tests of controls),
the auditor should design substantive procedures to reduce to an
acceptably low level the risk that misstatements resulting from fraud
and error that are material to the financial statements taken as a
whole will not be detected. In designing the substantive procedures,
the auditor should address the fraud risk factors that the auditor has
identified as being present.

40. AAS 6 (Revised) "Risk Assessments and Internal
Control", explains that the auditor's control risk assessment,
together with the inherent risk assessment, influences the nature,
timing and extent of substantive procedures to be performed to reduce
detection risk to an acceptably low level. In designing substantive
procedures, the auditor addresses fraud risk factors that the auditor
has identified as being present. The auditor's response to those
factors is influenced by their nature and significance. In some cases,
even though fraud risk factors have been identified as being present,
the auditor's judgment may be that the audit procedures, including
both tests of control, and substantive procedures, already planned,
are sufficient to respond to the fraud risk factors.

41. In other circumstances, the auditor may conclude
that there is a need to modify the nature, timing and extent of
substantive procedures to address fraud risk factors present. In these
circumstances, the auditor considers whether the assessment of the
risk of material misstatement calls for an overall response, a
response that is specific to a particular account balance, class of
transactions or assertion, or both types of response. The auditor
considers whether changing the nature of audit procedures, rather than
the extent of them, may be more effective in responding to identified
fraud risk factors. Examples of response procedures are set out in
Appendix 2 to this AAS, including examples of responses to the
auditor's assessment of the risk of material misstatement resulting
from both fraudulent financial reporting and misappropriation of
assets.

Procedures when Circumstances Indicate a Possible Misstatement

42. When the auditor encounters circumstances that
may indicate that there is a material misstatement in the financial
statements resulting from fraud or error, the auditor should perform
procedures to determine whether the financial statements are
materially misstated.

43. During the course of the audit, the auditor may
encounter circumstances that indicate that the financial statements
may contain a material misstatement resulting from fraud or error.
Examples of such circumstances that, individually or in combination,
may make the auditor suspect that such a misstatement exists are set
out in Appendix 3 to this AAS.

44. When the auditor encounters such circumstances, the
nature, timing and extent of the procedures to be performed depend on
the auditor's judgment as to the type of fraud or error indicated, the
likelihood of its occurrence, and the likelihood that a particular
type of fraud or error could have a material effect on the financial
statements. Ordinarily, the auditor is able to perform sufficient
procedures to confirm or dispel a suspicion that the financial
statements are materially misstated resulting from fraud or error. If
not, the auditor considers the effect on the auditor's report, as
discussed in paragraph 48.

45. The auditor cannot assume that an instance of fraud
or error is an isolated occurrence and therefore, before the
conclusion of the audit, the auditor considers whether the assessment
of the components of audit risk made during the planning of the audit
may need to be revised and whether the nature, timing and extent of
the auditor's other procedures may need to be reconsidered. {See AAS 6
(Revised), "Risk Assessments and Internal Control," paragraphs 40 and
47} For example, the auditor would consider:
- The nature, timing and extent of substantive
  procedures.
- The assessment of the effectiveness of internal
  controls if control risk was assessed below high.
- The assignment of audit team members that may be
  appropriate in the circumstances.

Considering Whether an Identified Misstatement may be Indicative of Fraud

46. When the auditor identifies a misstatement, the
auditor should consider whether such a misstatement may be indicative
of fraud and if there is such an indication, the auditor should
consider the implications of the misstatement in relation to other
aspects of the audit, particularly the reliability of management
representations.

47. If the auditor has determined that a misstatement
is, or may be, the result of fraud, the auditor evaluates the
implications, especially those dealing with the organizational
position of the person or persons involved. For example, fraud
involving misappropriations of cash from a small petty cash fund is
ordinarily of little significance to the auditor in assessing the risk
of material misstatement due to fraud. This is because both the manner
of operating the fund and its size tend to establish a limit on the
amount of potential loss, and the custodianship of such funds is
ordinarily entrusted to an employee with a low level of authority.
Conversely, when the matter involves management with a higher level of
authority, even though the amount itself is not material to the
financial statement, it may be indicative of a more pervasive problem.
In such circumstances, the auditor reconsiders the reliability of
evidence previously obtained since there may be doubts about the
completeness and truthfulness of representations made and about the
genuineness of accounting records and documentation. The auditor also
considers the possibility of collusion involving employees, management
or third parties when reconsidering the reliability of evidence. If
management, particularly at the highest level, is involved in fraud,
the auditor may not be able to obtain the evidence necessary to
complete the audit and report on the financial statements. |
|
Evaluation and Disposition of Misstatements, and the Effect on the
Auditor's Report |
|
48. |
When the auditor confirms that, or is unable to
conclude whether, the financial statements are materially misstated as
a result of fraud or error, the auditor should consider the
implications for the audit. AAS⁹ 13, "Audit Materiality," paragraphs
12-16, and AAS 28, "The Auditor's
Report on Financial Statements", paragraphs 37-47, provide guidance on
the evaluation and disposition of misstatements and the effect on the
auditor's report. Where a significant fraud has occurred or the fraud
is committed by those charged with governance, the auditor should
consider the necessity for a disclosure of the fraud in the financial
statements. If adequate disclosure is not made the auditor should
consider the necessity for a suitable disclosure in his report. |
|
Documentation |
|
49. |
The auditor should document fraud risk factors
identified as being present during the auditor's assessment process
(see paragraph 32) and document the auditor's response to any such
factors (see paragraph 39). If during the performance of the audit,
fraud risk factors are identified that cause the auditor to believe
that additional audit procedures are necessary, the auditor should
document the presence of such risk factors and the auditor's response
to them. |
|
50. |
The auditor must document matters which are
important in providing evidence to support the audit opinion, and the
working papers must include the auditor's reasoning on all significant
matters which require the auditor's judgment, together with the
auditor's conclusion thereon. Because of the importance of fraud risk
factors in the assessment of the inherent or control risk of material
misstatement, the auditor documents fraud risk factors identified and
the response considered appropriate by the auditor. (Reference may
also be had to AAS¹⁰ 3, "Documentation"). |
|
Management Representations |
|
51. |
The auditor should obtain written representations
from management that:
-
it acknowledges its responsibility for the
implementation and operation of accounting and internal control
systems that are designed to prevent and detect fraud and error;
-
it believes the effects of those uncorrected
financial statement misstatements aggregated by the auditor during
the audit are immaterial, both individually and in the aggregate, to
the financial statements taken as a whole. A summary of such items
should be included in or attached to the written representation;
-
it has disclosed to the auditor all significant
facts relating to any frauds or suspected frauds known to management
that may have affected the entity; and
-
it has disclosed to the auditor the results of
its assessment of the risk that the financial statements may be
materially misstated as a result of fraud.
|
|
52. |
AAS¹¹ 11, "Representations by Management" provides guidance on obtaining
appropriate representations from management in the audit. In addition
to acknowledging its responsibility for the financial statements, it
is important that management acknowledges its responsibility for the
accounting and internal control systems designed to prevent and detect
fraud and error. |
|
|
|
53. |
Because management is responsible for adjusting the
financial statements to correct material misstatements, it is
important that the auditor obtains written representation from
management that any uncorrected misstatements resulting from either
fraud or error are, in management's opinion, immaterial, both
individually and in the aggregate. Such representations are not a
substitute for obtaining sufficient appropriate audit evidence. In
some circumstances, management may not believe that certain of the
uncorrected financial statement misstatements aggregated by the
auditor during the audit are misstatements. For that reason,
management may want to add to their written representation words such
as, "We do not agree that items .. and ... constitute misstatements
because [description of reasons]." |
|
54. |
The auditor may designate an amount below which
misstatements need not be accumulated because the auditor expects that
the accumulation of such amounts clearly would not have a material
effect on the financial statements. In so doing, the auditor considers
the fact that the determination of materiality involves qualitative as
well as quantitative considerations and that misstatements of a
relatively small amount could nevertheless have a material effect on
the financial statements. The summary of uncorrected misstatements
included in or attached to the written representation need not include
such misstatements. |
|
55. |
Because of the nature of fraud and the difficulties
encountered by auditors in detecting material misstatements in the
financial statements resulting from fraud, it is important that the
auditor obtains a written representation from management confirming
that it has disclosed to the auditor all facts relating to any frauds
or suspected frauds that it is aware of that may have affected the
entity, and that management has disclosed to the auditor the results
of management's assessment of the risk that the financial statements
may be materially misstated as a result of fraud. |
|
Communication |
|
56. |
When the auditor identifies a misstatement
resulting from fraud, or a suspected fraud, or error, the auditor
should consider the auditor's responsibility to communicate that
information to management, those charged with governance and, in some
circumstances, when so required by the laws and regulations, to
regulatory and enforcement authorities also. |
|
57. |
Communication of a misstatement resulting from
fraud, or a suspected fraud, or error to the appropriate level of
management on a timely basis is important because it enables
management to take necessary action. The determination of which level
of management is the appropriate one is a matter of professional
judgment and is affected by such factors as the nature, magnitude and
frequency of the misstatement or suspected fraud. Ordinarily, the
appropriate level of management is at least one level above the
persons who appear to be involved with the misstatement or suspected
fraud. |
|
58. |
The determination of which matters are to be
communicated by the auditor to those charged with governance is a
matter of professional judgment and is also affected by any
understanding between the parties as to which matters are to be
communicated. Ordinarily, such matters include:
-
Questions regarding management competence and
integrity.
-
Fraud involving management.
-
Other frauds which result in a material
misstatement of the financial statements.
-
Material misstatements resulting from error.
-
Misstatements that indicate material weaknesses
in internal control, including the design or operation of the
entity's financial reporting process.
-
Misstatements that may cause future financial
statements to be materially misstated.
|
|
Communication of Misstatements Resulting From Error to Management
and to Those Charged With Governance |
|
59. |
If the auditor has identified a material
misstatement resulting from error, the auditor should communicate the
misstatement to the appropriate level of management on a timely basis,
and consider the need to report it to those charged with governance. |
|
60. |
The auditor should inform those charged with
governance of those uncorrected misstatements aggregated by the
auditor during the audit that were determined by management to be
immaterial, both individually and in the aggregate, to the financial
statements taken as a whole. |
|
61. |
As noted in paragraph 55, the uncorrected
misstatements communicated to those charged with governance need not
include the misstatements below a designated amount. |
|
Communication of Misstatements Resulting From Fraud to Management
and to Those Charged with Governance |
|
62. |
If the auditor has:
-
identified a fraud, whether or not it results in
a material misstatement in the financial statements; or
-
obtained evidence that indicates that fraud may
exist (even if the potential effect on the financial statements
would not be material);
the auditor should communicate these matters to the
appropriate level of management on a timely basis, and consider the
need to report such matters to those charged with governance. |
|
63. |
When the auditor has obtained evidence that fraud
exists or may exist, it is important that the matter is brought to the
attention of an appropriate level of management. This is so even if
the matter might be considered inconsequential (for example, a minor
defalcation by an employee at a low level in the entity's
organization). The determination of which level of management is the
appropriate one is also affected in these circumstances by the
likelihood of collusion or the involvement of a member of management. |
|
64. |
If the auditor has determined that the misstatement
is, or may be, the result of fraud, and either has determined that the
effect could be material to the financial statements or has been
unable to evaluate whether the effect is material, the auditor:
-
discusses the matter and the approach to further
investigation with an appropriate level of management that is at
least one level above those involved, and with management at the
highest level; and
-
if appropriate, suggests that management consult
legal counsel.
|
|
Communication of Material Weaknesses in Internal Control |
|
65. |
The auditor should communicate to management any
material weaknesses in internal control related to the prevention or
detection of fraud and error, which have come to the auditor's
attention as a result of the performance of the audit. The auditor
should also be satisfied that those charged with governance have been
informed of any material weaknesses in internal control related to the
prevention and detection of fraud that either have been brought to the
auditor's attention by management or have been identified by the
auditor during the audit. |
|
66. |
When the auditor has identified any material
weaknesses in internal control related to the prevention or detection
of fraud or error, the auditor communicates these material weaknesses
in internal control to management. Because of the serious implications
of material weaknesses in internal control related to the prevention
and detection of fraud, it is also important that such deficiencies be
brought to the attention of those charged with governance. |
|
67. |
If the integrity or honesty of management or those
charged with governance are doubted, the auditor ordinarily considers
seeking legal advice to assist in the determination of the appropriate
course of action. |
|
Communication to Regulatory and Enforcement Authorities |
|
68. |
The auditor's professional duty to maintain the
confidentiality of client information ordinarily precludes reporting
fraud and error to a party outside the client entity. However, the
auditor's legal responsibilities may vary and in certain
circumstances, statute, the law or courts of law may override the duty
of confidentiality. For example, under the regulatory framework for
Non-Banking Financial Companies, an obligation is cast upon the
auditor to report to the Reserve Bank of India any adverse or
unfavourable remarks in his report. In such circumstances, the auditor
may consider seeking legal advice. |
|
Auditor Unable to Complete the Engagement |
|
69. |
If the auditor concludes that it is not possible
to continue performing the audit as a result of a misstatement
resulting from fraud or suspected fraud, the auditor should:
-
consider the professional and legal
responsibilities applicable in the circumstances, including whether
there is a requirement for the auditor to report to the person or
persons who made the audit appointment or, in some cases, to
regulatory authorities;
-
consider the possibility of withdrawing from the
engagement; and
-
if the auditor withdraws:
-
discuss with the appropriate level of
management and those charged with governance, the auditor's
withdrawal from the engagement and the reasons for the withdrawal;
and
-
consider whether there is a professional or
legal requirement to report to the person or persons who made the
audit appointment or, in some cases, to regulatory authorities,
the auditor's withdrawal from the engagement and the reasons for
the withdrawal.
|
|
70. |
The auditor may encounter exceptional circumstances
that bring into question the auditor's ability to continue performing
the audit, for example, in circumstances where:
-
the entity does not take the remedial action
regarding fraud that the auditor considers necessary in the
circumstances, even when the fraud is not material to the financial
statements;
-
the auditor's consideration of the risk of
material misstatement resulting from fraud and the results of audit
tests indicate a significant risk of material and pervasive fraud;
or
-
the auditor has significant concern about the
competence or integrity of management or those charged with
governance.
|
|
71. |
Because of the variety of the circumstances that
may arise, it is not possible to describe definitively when withdrawal
from an engagement is appropriate. Factors that affect the auditor's
conclusion include the implications of the involvement of a member of
management or of those charged with governance (which may affect the
reliability of management representations) and the effects on the
auditor of continuing association with the entity. |
|
72. |
The auditor has professional and legal
responsibilities in such circumstances and these responsibilities may
vary in different circumstances. For example, the auditor may be
entitled to, or required to, make a statement or report to the person
or persons who made the audit appointment or, in some cases, to
regulatory authorities. Given the exceptional nature of the
circumstances and the need to consider the legal requirements, the
auditor considers seeking legal advice when deciding whether to
withdraw from an engagement and in determining an appropriate course
of action. |
|
Communication with an Incoming Auditor |
|
73. |
Clause 8 of Part I of the First Schedule to the
Chartered Accountants Act 1949 lays down that a Chartered Accountant
in practice would be guilty of professional misconduct if he accepts a
position as an auditor, previously held by another chartered
accountant without first communicating to him in writing. On receipt
of an inquiry from an incoming auditor, the existing auditor should
advise whether there are any professional reasons why the incoming
auditor should not accept the appointment. If the client denies the
existing auditor permission to discuss its affairs with the incoming
auditor or limits what the existing auditor may say, that fact should
be disclosed to the incoming auditor. |
|
74. |
The auditor may be contacted by an incoming auditor
inquiring whether there are any professional reasons why the incoming
auditor should not accept the appointment. The responsibilities of
existing and incoming auditor are set out in the Code of Ethics,
issued by the Institute of Chartered Accountants of India. |
|
75. |
The extent to which an existing auditor can discuss
the affairs of a client with an incoming auditor will depend on
whether the existing auditor has obtained the client's permission to
do so, and on the professional and legal responsibilities relating to
such disclosure. Subject to any constraints arising from these
responsibilities, the existing auditor advises the incoming auditor
whether there are any professional reasons not to accept the
appointment, providing details of the information and discussing
freely with the incoming auditor all matters relevant to the
appointment. If fraud or suspected fraud was a factor in the existing
auditor's withdrawal from the engagement, it is important that the
existing auditor take care to state only the facts (not his or her
conclusions) relating to these matters. |
|
Effective Date |
|
76. |
This AAS becomes operative for all audits relating
to accounting periods commencing on or after 1st April 2003. |
|
Compatibility with International Standard on Auditing (ISA) 240 |
|
The auditing standards established in this Auditing
and Assurance Standard are generally consistent in all material
respects with those set out in International Standard on Auditing
(ISA) 240 on The Auditor's Responsibility to Consider Fraud and Error
in an Audit of Financial Statements. |
|
* Issued in January, 2003. |
|
1 With the formation of the Auditing
Practices Committee {now known as the Auditing and Assurance Standards
Board} in 1982, the Council of the Institute has been issuing a series
of Statements on Standard Auditing Practices (SAPs). SAPs have
recently been renamed as Auditing and Assurance Standards (AASs).
Auditing and Assurance Standards (hitherto known as SAPs) lay down the
principles governing an audit. These principles apply whenever an
independent audit is carried out. Auditing and Assurance Standards
become mandatory on the dates specified in the respective AAS. Their
mandatory status implies that, while discharging their attest
function, it will be the duty of the members of the Institute to
ensure that the AASs are followed in the audit of financial
information covered by their audit reports. If, for any reason, a
member has not been able to perform an audit in accordance with the
AASs, his report should draw attention to the material departures
therefrom. The Auditing and Assurance Standards have the same
authority as that attached to the Statements on Standard Auditing
Practices. |
|
2 Issued in June 1987 |
|
3 Hitherto known as SAP. |
4 ibid.
5 Paragraph 15 of AAS 28, "The Auditor's Report on
Financial Statements" describes auditing standards generally accepted
in India. |
|
6 AAS 27, "Communications of Audit
Matters with Those Charged with Governance", paragraph 8 discusses
with whom the auditor communicates when the entity's governance
structure is not well defined. |
|
7 For a discussion of these matters, see AAS
27, "Communications of Audit Matters with Those Charged with
Governance," paragraphs 11-14. |
|
8 Hitherto known as SAP. |
|
9 ibid. |
|
10 ibid. |
|
11 ibid. |
|