AG ISA (NZ) 240

Auditor’s Responsibilities Relating to Fraud in an Annual Audit

At a glance

This standard differs from the underlying standard ISA (NZ) 240 (XRB website) in that:

it clarifies that fraud includes bribery and corruption
you need to check Appendix 1 and the audit brief as part of considering fraud risk factors
you’re expected to suggest improvements, if needed, to fraud controls
you must inform the OAG immediately about suspected or actual fraud
there are points about protected disclosures and law enforcement notification that you need to read.

Introduction

Scope of this Statement (Ref: Para. A1–A12)

This Auditor-General’s Auditing Statement:
1. establishes the Auditor-General’s requirements in relation to ISA (NZ) 240: The auditor’s responsibilities relating to fraud in an audit of financial statements (ISA (NZ) 240)¹; and
2. provides additional guidance to reflect the public sector perspective.
The Auditor-General’s requirements and application material in this Statement specifically refer to fraud. For convenience, this Statement uses the term “fraud” as an umbrella term for the range of possible offences involving dishonesty or deception. For the avoidance of doubt, “fraud” includes bribery or corruption. This Statement adopts the definition of fraud set down in paragraph 12(a) of ISA (NZ) 240, which states:
Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.
The question of whether a criminal offence has been committed may only be finally determined following a decision by a court of law. As a consequence, the Appointed Auditor will normally be concerned with suspected, rather than proven, fraud.

Application

Compliance with this Statement is mandatory for Appointed Auditors who carry out annual audits on behalf of the Auditor-General. This Statement requires compliance with all of the requirements of ISA (NZ) 240 and the additional requirements included in this Statement.
This Statement applies to all annual audits with reporting periods beginning on or after 1 April 2023, although earlier application is encouraged.
This Statement applies to all suspected or actual fraud that the Appointed Auditor becomes aware of, regardless of materiality and irrespective of whether they involve money or other property of the public entity (including intangible resources such as information and intellectual property).

Objectives

The objectives of the Appointed Auditor are to:
1. identify and assess the risks of material misstatement of the financial and performance information due to fraud;
2. obtain sufficient appropriate audit evidence about the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and
3. respond appropriately to fraud or suspected fraud during the annual audit in accordance with this Statement, including:
  - assessing the adequacy of policies and procedures put in place by the public entity to prevent and detect fraud;
  - assessing whether the public entity has responded appropriately to suspected or actual fraud;
  - reporting all instances of suspected or actual fraud to the OAG; and
  - reporting findings, observations and associated matters to the appropriate parties.

Definitions

For the purpose of this Auditor-General’s Auditing Statement, the defined term listed below has the following meaning:

Appointed Auditor: means the person or persons appointed by the Auditor-General to carry out the annual audit or other engagement on behalf of the Auditor-General, and who are supported by other members of the audit team. Where an Auditor-General’s Statement or Standard expressly intends that a requirement be fulfilled by the Appointed Auditor personally, the requirement will indicate that the Appointed Auditor shall personally satisfy the requirement.

Requirements

Evaluation of fraud risk factors

The Appointed Auditor shall identify the presence of fraud risk factors based on the results of procedures carried out in keeping with ISA (NZ) 240. In addition, the Appointed Auditor shall consider if any fraud risk factors identified by the OAG in the audit brief or those identified in Appendix 1 to this Statement are present.
The Appointed Auditor shall, as part of identifying fraud risk factors, assess whether the public entity has proper arrangements for the prevention and detection of fraud and what the public entity would do if a suspected or actual fraud was discovered.
The Appointed Auditor shall report to management and those charged with governance on areas where the prevention and detection of fraud, and the processes for addressing instances of fraud or suspected fraud, could be improved.

Reporting fraud to the OAG (Ref: Para. A13–A19)

For all instances of suspected or actual fraud, the Appointed Auditor shall:
1. inform the OAG immediately that there is an indication that fraud may exist;
2. report to the OAG the details of the suspected fraud or actual fraud so that the OAG can identify any fraud risk factors; and
3. provide the OAG with other relevant information.

Procedures to be followed when there is an indication that fraud may exist

The Appointed Auditor shall immediately inform the OAG, through the fraud notification return in the Audit Management System’s external interface (the OAG Portal), when they become aware of the possible existence of fraud. The contact person in the OAG for all fraud questions is the Assistant Auditor-General – Audit Quality (Ref: Para. A13–A16).
Where the circumstances of the public entity make it impracticable for the Appointed Auditor to immediately inform the OAG of each suspected or actual fraud, the Appointed Auditor shall agree on alternative arrangements with the Assistant Auditor-General – Audit Quality (Ref: Para. A17).
If, as a result of a suspected or actual fraud, the Appointed Auditor encounters exceptional circumstances that bring into question the Appointed Auditor’s ability to continue performing the annual audit, the Appointed Auditor shall immediately advise the OAG.
Where a suspected or actual fraud is detected by the Appointed Auditor during the annual audit, the Appointed Auditor shall not communicate the existence of that suspected or actual fraud detected during the annual audit to the public entity without first informing, and consulting with, the OAG (Ref: Para. A18).
Where the Appointed Auditor becomes aware of a suspected or actual fraud through informants or a third party, the Appointed Auditor shall not communicate to the public entity the existence of that suspected or actual fraud without first informing, and consulting with, the OAG (Ref: Para. A18).
Where the Appointed Auditor is advised of a suspected or actual fraud perpetrated by those charged with governance and/or management of a public entity, the Appointed Auditor shall carry out enquiries and assess if those persons with authority within the public entity, and who are clearly not implicated, are aware of the circumstances and are taking appropriate and prompt action to address the matter. If those persons with authority within the public entity, and who are clearly not implicated, are unaware of the circumstances, or who are not taking appropriate and prompt action to address the matter, the Appointed Auditor shall inform the OAG. (Ref: Para. A18)

The Protected Disclosures Act 2000

If an employee of a public entity approaches the Appointed Auditor to disclose a fraud under the Protected Disclosures Act 2000, the Appointed Auditor shall initially direct the employee to follow the public entity’s internal procedure for protected disclosures, to the extent that the Protected Disclosures Act 2000 requires. If the employee does not follow the public entity’s internal procedure, the employee’s disclosure may not be protected under the Protected Disclosures Act 2000. If the Appointed Auditor is uncertain if the internal procedure should be followed - for instance, where the employee is concerned that the internal procedure may not adequately address the matter, or where the employee is concerned that the internal procedure is likely to damage their employment prospects – then the Appointed Auditor shall seek advice from the OAG (Assistant Auditor-General – Legal, Policy, and Inquiries) (Ref: Para. A19).

Reporting fraud in the audit report

The Appointed Auditor shall obtain approval from the OAG before issuing an audit report that contains a modification, an emphasis of matter paragraph, or an other matter paragraph, as a consequence of a suspected or actual fraud (Ref: Para. A20).

Reporting fraud to third parties

Reporting of any suspected or actual fraud (or any other matters surrounding a fraud) to third parties shall be carried out by the OAG directly (Ref: Para. A21–A22).

Release of information

The Appointed Auditor shall not release information to third parties unless prior written approval is obtained from the OAG. Any enquiries or requests for information (including any audit-related correspondence, audit evidential working papers/files, associated documentation, or management reports) from such agencies as the Police, Serious Fraud Office, Inland Revenue Department, Privacy Commissioner, or Ombudsmen are covered by OAG protocols. Any enquiries or requests for information by these agencies shall be referred to the OAG, which will then advise on the course of action to be taken.

Application and other explanatory material

Scope of this Statement (Ref: Para. 1–3)

A1	This Statement recognises that: the primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management (refer to paragraph 4 of ISA (NZ) 240); and an Appointed Auditor carrying out an annual audit in keeping with the Auditor-General’s Auditing Standards is responsible for obtaining reasonable assurance that the financial and performance information taken as a whole is free from material misstatement, whether caused by fraud or error. However, owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial and performance information may not be detected, even though the audit is properly planned and performed in keeping with the Auditor-General’s Auditing Standards.
A2	Fraud, by its nature, always attracts a great deal of interest – irrespective of the scale of the fraud. Invariably, questions are asked about how the fraud took place and whether the controls designed to stop fraudulent activity were operating effectively. In the public sector, the interest in fraud is heightened because public funds are involved and because those individuals entrusted with public funds are expected to exhibit the highest standards of honesty and integrity.
A3	The Auditor-General plays a role in assessing the risk of material fraud and, when a fraud does occur, considering whether appropriate standards of accountability and disclosure are applied by those responsible for public entity resources.
A4	The OAG needs to be kept informed of all frauds involving the resources of public entities. There are a number of reasons for this, including: to ensure that, where appropriate, the proper regulatory or enforcement authorities have been informed; to ensure that the effect of the fraud on the financial and performance information is systematically assessed and that there is appropriate reporting and disclosure of the fraud in the financial and performance information and, if necessary, the audit report; understanding whether management and those charged with governance have given appropriate consideration to preventing further offending; the need to be alerted to any limitations or circumstances that occur that could affect the Appointed Auditor’s professional indemnity insurance over the period of the engagement or circumstances that could lead to a potential claim against the Appointed Auditor or the Auditor-General; and the general expectation that the OAG is informed of frauds committed in the public sector, which can reflect on the reputation of the Auditor-General.
A5	The responsibility for the prevention and detection of fraud rests with public entity management through the implementation and continued operation of adequate internal control systems.
A6	The Auditor-General expects that every public entity should formally address the matter of fraud and formulate an appropriate policy on how to minimise it and, if it occurs, how it will be dealt with.
A7	A fraud policy should include, as a minimum, these key elements: a system for undertaking regular reviews of transactions, activities, or locations that may be susceptible to fraud; specifications for fully documenting what happened in a fraud and how it is to be managed; the means for ensuring that every individual suspected of committing fraud (whether they are an employee or someone external to the entity) is dealt with consistently and fairly; and the principle that recovery of the lost money or other property will be pursued wherever practicable and appropriate.
A8	Management of a public entity needs to be clear about its attitude towards fraud and make its employees and those who transact with the entity aware of that attitude, including an awareness of the consequences of transgressing. The only satisfactory way of communicating that attitude within the entity is by issuing a formal statement of policies and procedures to everyone in the entity and, if necessary, to those who transact with the entity.
A9	Management and those charged with governance must also consider the public sector context when deciding how to respond to a suspected fraud. The perception of how fraud and other types of criminal or corrupt activity are dealt with in the public sector is an important part of maintaining the public’s trust in the public sector.
A10	In the public sector, additional weight also needs to be given to: the need to maintain, and to be seen to maintain, the highest possible standards of honesty and integrity; the fact that the public sector is entrusted with taxpayer and ratepayer funds; the importance of transparency and accountability for the use of public funds; and the risk of a perception that matters are being “swept under the carpet”.
A11	In effect, this means that the threshold for referring a matter to law enforcement agencies is likely to be lower than it might be in other organisations. It may not be sufficient for suspected fraud or other wrongdoing to be resolved through an employment settlement. It is important for an independent and transparent decision to be made on whether prosecution is appropriate.
A12	The Auditor-General’s policy is that the management of public entities should consider carefully whether to refer a suspected fraud to law enforcement agencies in every case, taking into account their public sector context. If management or those charged with governance do not consider reporting a suspected fraud, the Auditor-General will consider doing so.

Reporting fraud to the OAG (Ref: Para. 12–19)

Procedures to be followed when there is an indication that fraud may exist (Ref: Para. 13–18)

A13	When an Appointed Auditor becomes aware of a suspected or actual fraud involving the resources of a public entity, it is imperative that the OAG be notified immediately so that the OAG and the Appointed Auditor can agree on the course of action to be followed to ensure that the matter is appropriately addressed.
A14	In some circumstances, the Appointed Auditor may have no alternative but to inform the entity’s management of a fraud detected during the annual audit before informing and consulting with the OAG. For example, this may be necessary if there is an immediate need to protect accounting records and associated information.
A15	Once the OAG is informed of the possible existence of a fraud, the OAG and the Appointed Auditor (through discussion and mutual agreement) will: onsider the potential effect on the financial and performance information and, if the fraud could have a material effect, plan any appropriate modified or additional audit procedures; establish the means by which the fraud is to be communicated to the public entity’s management (if they are unaware of the fraud) and, if necessary, to any third parties (refer to paragraphs 41 to 44 of ISA (NZ) 240); establish the accounting and disclosure requirements for the financial and performance information; and agree on any additional information to be reported to the OAG.
A16	Once further details of suspected or actual fraud are known, the Appointed Auditor is required to update the fraud notification return in the OAG Portal. The updated return will be used by the OAG to identify any fraud risk factors.
A17	A few public entities experience a significant number of frauds of low monetary value. For example, public entities responsible for the payment of benefits regularly encounter situations where beneficiaries have deliberately misrepresented their circumstances to claim benefits to which they are not entitled. In this situation, it may be impracticable for the Appointed Auditor to inform the OAG each time they become aware of a new fraud. As a result, the OAG and the Appointed Auditor will agree a practical arrangement, so that they are kept informed of frauds, with the management of the public entity. The arrangements will be agreed on a case-by-case basis. (Ref: Para. 14)
A18	If those persons ultimately responsible for the overall direction of the public entity may be implicated in the fraud, the OAG shall determine what reporting action will be taken. If legal advice is required, this will be sought directly by the OAG (refer to paragraph A65 of ISA (NZ) 240). (Ref: Para. 16–18)

The Protected Disclosures Act 2000 (Ref: Para. 19)

A19

If the public entity does not have an internal procedure for protected disclosures, the Appointed Auditor should advise the employee to make the disclosure to the head of the public entity. If the employee believes that the head of the entity is involved in the fraud, that the disclosure of the fraud is urgent, or that other exceptional circumstances exist, the Appointed Auditor should contact the Assistant Auditor-General – Legal, Policy, and Inquiries for advice.

Reporting fraud in the audit report (Ref: Para. 20)

A20

If the Appointed Auditor is unable to confirm or dispel a suspicion that a fraud has occurred, the Appointed Auditor may need to seek legal advice before rendering any opinion on the financial and performance information for annual audit. If legal advice is required, this will be sought directly by the OAG.

Reporting fraud to third parties (Ref: Para. 21)

A21	The public entity should consider whether to report fraud to the appropriate law enforcement agency, although this will not limit the Auditor-General also considering whether to do so for the purpose of protecting the interests of the public.
A22	If a third party requests information on a fraud or a suspected fraud and it is necessary to obtain a legal opinion on whether it is appropriate to release that information, the OAG will obtain that legal opinion (refer to paragraph 44 of ISA (NZ) 240).

Appendix 1 – Examples of fraud risk factors

The fraud risk factors identified in this appendix are examples of such factors that may be faced by the Appointed Auditor in a broad range of situations. The examples below are in addition to the equivalent appendix in ISA (NZ) 240 and take into account public sector considerations.

It is possible that one or more fraud risk factors may be present in any particular public entity.

Further detail on sector-specific fraud risk factors may be summarised in applicable audit briefs.

Fraud may arise where management or those charged with governance use their position to obtain or procure a pecuniary benefit. Management or those charged with governance may override internal controls, particularly where there is little or no segregation of duties or independent checks or authorisations and approvals of transactions. In this situation, there may not be adequate oversight over decision-making processes or full or adequate disclosure of related party transactions. A common example of this is where an entity makes a significant procurement that may involve contracting with related parties and where the related party relationship is deliberately concealed.
Fraud may arise where there is a misuse of information. An example may be a public sector employee who uses their knowledge of a benefits payments system to defeat or suppress internal controls to facilitate payments of fraudulent benefits to themselves or their family or friends.
Fraud may arise where an individual with authority to spend funds also establishes the budget for the activity. This creates the opportunity to make provision for “fraudulent payments” in the budget and, therefore, enable fraudulent payments to be made during the period of the budget without arousing suspicion by way of actual expenditure exceeding the budget.
Fraud may arise where an individual with the authority to spend funds also has the authority to code payments in the accounting system. This creates the opportunity to allocate fraudulent payments to an under-utilised budgetary code and, therefore, reduce the risk of detection.
Fraud may arise where an individual has the authority to commit the public entity to discretionary expenditure, including travel, accommodation, or entertainment, and that discretionary expenditure provides personal benefits to the individual.

1: The ISA (NZ) Auditing Standards are scoped so that they apply to audits of “historical financial information”. However, for the purposes of the Auditor-General’s Auditing Standards and Statements, all references to “historical financial information” should be read as the audit of “historical financial and historical non-financial information”.