Fraud Risk Assessment in Practice: Why Real-World Risks Go Beyond Checklists


I. Introduction

The moment we talk about auditing, we tend to explain it as checklists to be filled, reports to be prepared, and numbers to be verified to see whether they are reflected properly in the financial statements. But it is important to understand that before arriving at those numbers, and before certifying a true and fair view, there lies professional scepticism that goes beyond the standard checklists kept in place.

Not everything the Standards on Auditing ask of an auditor can be established directly, or in a straightforward manner, from a client’s documents. One such area is fraud risk assessment.

Can fraud be identified directly by applying statistical mechanisms? Or is it something that surfaces from within an organisation’s environment? It may not be either; fraud goes deeper, into human behaviour and into everyone’s pressures and motives.

In this blog, let us explore the depths from which fraud is born and how the responsibilities of statutory auditors are framed within the Indian audit framework.

II. Understanding the Human Side of Fraud

A simple question to understand the root cause of fraud would be,

“Why do humans feel like committing fraud?”

Multiple factors answer this “why”, but they are simplified well by the Fraud Triangle Concept, which consists of

• Pressure

• Opportunity

• Rationalisation

These three elements, forming a triangle, are what give rise to fraud. The modern world, and the shift in how morality is defined, have, of course, given each of these a new form.

1. Pressure

It is no longer only “the unpaid-bills scenario” that creates pressure. There are shifts in how pressure can arise today. The Fear of Missing Out (FOMO), the pressure of keeping up with a social status dramatised by social media, idealised images of living a stable life, mental burnout, and the evolving nature of performance cultures within organisations all contribute to the “pressures” felt by human beings. This drops one of the seeds from which the intention to commit fraud can grow, as a way out of that pressure.

2. Opportunity

The pressure is then joined by the opportunities that pave the way further towards fraud. The kinds of opportunities that open up are far greater in the current working environment. Digital working modes and hybrid models create vulnerable boundaries that lead to blurred ethics. With these reshaped opportunities in place, in quiet moments far away from the office and from supervision, “what I feel like doing right now” begins to override “what is right to do”. What starts as “just this once” in such quiet moments grows bigger until it reaches the world of “materiality”.

3. Rationalisation

This can be termed as the most dangerous of the three, pushing the pressure and opportunity already created to move further. It completes the triangle by building justifications around why it is “okay” to commit fraud.

The justifications can be as simple as

• “no one bothers to notice”,

• “it’s okay to do this once in a while”,

• “everyone probably does it, so what’s wrong if I do it just once”,

• “this is a small amount for the organisation, so it should be fine”.

What is assumed not to be a crime ends up becoming a routine pattern over a period of time and turns into a “white-collar crime”.

Now, if you correlate this to the world around us, numerous scenarios can grow into substantial stories. Until these storylines are undermined by building a strong foundation of ethics, they will continue, wrapped in numerous layers of justifications.

III. The Regulatory Framework Governing Fraud Risk Assessment in India

For statutory audits in India, fraud is not handled on instinct. It is governed by a layered framework comprising

• Standards on Auditing (SAs) – guide detection and response

• The Companies Act, 2013 – covers how fraud is to be reported further

• The ICAI Code of Ethics – governs the conduct of audit professionals

Together, these frameworks govern the auditor’s responsibilities relating to fraud identification, risk assessment, reporting obligations, and professional conduct.

A. An Overview of the Regulatory Framework

Note: These consequences are for failing to detect or report. An auditor who acts fraudulently or colludes in a fraud faces a graver outcome: liability under Section 447 and a five-year debarment under Section 140(5) of the Companies Act, 2013, which survives even resignation.

B. SA 240: The Principal Standard Governing Fraud Risk Assessment

SA 240 is the principal standard guiding auditors in handling fraud and error. It begins by explaining how the fraud triangle, comprising pressure, opportunity and rationalisation, comes together.

It states the auditor’s objective, which is to obtain reasonable assurance that the financial statements are free from material misstatement. It acknowledges the inherent limitations of this assurance, fraud being an intentional act that involves concealment through forgery, collusion or misrepresentation. It then lays down guidance, through the performance of audit procedures such as risk assessments and analytical procedures, on how an auditor can work towards ensuring that the statements are free from material misstatement, and on how to act when the auditor has reason to believe that a fraud has been or is being committed.

In practice, the key takeaways for an auditor from this Standard are as follows:

1. Professional Scepticism

Auditors are required to maintain a questioning mindset throughout the audit, regardless of past experience of management’s honesty.

2. Engagement Team Discussions

Before commencing fieldwork, the team should discuss where the entity’s statements are susceptible to fraud, making the risk specific to the client rather than planning it in an abstract manner.

3. Risk Assessment Procedures

Inquire of management, those charged with governance and internal audit (wherever applicable), perform analytical procedures, and weigh fraud risk factors. Though Standards on Internal Audit (SIA) 11 (Consideration of Fraud in an Internal Audit) is not directly applicable to statutory auditors, internal audit work may be relied upon under SA 610 (Using the Work of Internal Auditors) where the function exists.

4. Presumed Fraud Risks

Revenue recognition is presumed to be a fraud risk, rebuttable only with documented reasons.

Further, management override of controls is a significant risk in every audit and can never be rebutted. Hence, the auditor must, in every audit, test journal entries, review estimates for management bias, and evaluate the rationale behind significant unusual transactions.

5. Audit Responses and Evidence

The auditor designs responses to the assessed risks as per SA 330 (The Auditor’s Responses to Assessed Risks) and gathers sufficient appropriate evidence to address them, evaluating whether what is found points to fraud.

6. Management’s Representations and Explanations

Corroborate management’s responses and written representations against other evidence, treating inconsistent or evasive answers as matters to pursue further.

7. Communication and Reporting

Report fraud or suspected fraud to management and those charged with governance, and where law requires, to authorities outside the entity, recognising that confidentiality may be overridden by law in such cases (as highlighted by the SA).

C. Allied Frameworks Enforcing SA 240

Section 143(12) of the Companies Act, 2013, read with Rule 13 of the Companies (Audit and Auditors) Rules, 2014, is the specific reporting channel to which SA 240 directs the auditor. It requires auditors to report fraud committed by a company’s officers or employees to the Central Government in Form ADT-4, where the amount of fraud, or the likely amount, is equal to or greater than ₹1 crore.

Where the amount is less than ₹1 crore, it is to be reported to the Audit Committee and is covered in the Board’s report.

The ICAI’s Guidance Note explains this application in detail, and NFRA’s (National Financial Reporting Authority) circular dated 26th June 2023 further clarifies that the auditor must report even when they are not the first to detect the fraud.

Both SA 240 and the NFRA circular reiterate that, although withdrawal from an engagement is permitted in exceptional circumstances, the auditor cannot escape from the duty of reporting fraud.

Beneath all of these, the ICAI Code of Ethics forms the foundational layer that binds all members with its five fundamental principles: integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour. It adds a further layer through NOCLAR (Non-Compliance with Laws and Regulations), under which Sections 260 and 360 of Volume I of the Code of Ethics carry a public-interest right to disclose non-compliance (for the CA in service, after internal escalation fails; for the auditor, after management’s response proves inadequate).

This is distinct from, and wider in scope than, Section 143(12)’s fixed channel of reporting fraud to the Central Government. Under NOCLAR, the disclosure may be made to any appropriate authority. This is an exception to confidentiality that the other frameworks do not grant.

IV. Conclusion

Though fraud involves psychological factors and runs deep, the regulatory frameworks in India seek to protect the interests of stakeholders in the best possible manner, through these layers of protection.

As an audit professional, it becomes important to dive into these layers and grasp the crux of them, so that they can be implemented in the true spirit and intention of the regulatory frameworks.

This is where professional scepticism and judgement matter the most, and this is how auditing goes beyond standard checklists.

Contributors

CA N Srilatha Bhat https://www.linkedin.com/in/srilatha-bhat-n-72804b1ab

Kuldeep Sarma https://www.linkedin.com/in/kuldeep-sarma-00788a122

Poonam Vernekar https://www.linkedin.com/in/poonam-vernekar
