Globally the COVID-19 crisis is causing huge financial implications for many organizations, as well as exposing them to a variety of other emerging risks related to virtual operations, cybersecurity, and changes in relationships with customers and suppliers that put pressure on operations and service delivery. This new environment creates a heightened risk of fraud and improper financial reporting, as new opportunities and pressures can arise for both internal employees and external parties.
In response to the current crisis, many organizations have had to quickly change working practices and protocols to enable remote working, which presents an increased risk of fraud if internal controls can be bypassed as a result. Incentives to commit fraud may also be heightened with organizations and individuals facing unprecedented economic challenges. In desperate times, individuals under significant work-related or personal pressures can exhibit and rationalize uncharacteristic behaviors such as enhanced risk-taking and unethical decision-making. They may also deliberately present a rosier picture of current reality through financial statement and disclosure manipulation.
During the current crisis and its aftermath, the public interest obligation and professional judgment of professional accountants will be under greater scrutiny. This will particularly be the case for those who are board directors or in management roles given they have ultimate responsibility for the prevention and detection of fraud in an organization.
But in the coming weeks, months and years, it will also be critical for other professional accountants working across roles, including in finance functions, internal audit and external audit to be more alert than ever to the risk of fraud and manipulation of accounting and reporting. Information cannot be taken at face value without an appropriate level of challenge.
For external auditors, an expectation gap often exists between what the general public expect from them in detecting and reporting fraud, and their actual responsibilities under standards. Under ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, auditors are responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. The International Auditing and Assurance Standards Board (IAASB) highlight in their COVID-19 staff alert, the need for auditors to have heightened awareness of the possibility of fraud or error, with the importance of the exercise of professional skepticism top of mind when performing audit procedures.
Professional accountants will need to be alert to the pressure exerted on them or by them on others. The IESBA’s International Code of Ethics for Professional Accountants, including International Independence Standards (the Code), which establishes the standard of behavior expected of a professional accountant, specifically addresses pressure on accountants that might lead to a breach of the five fundamental principles of the Code (integrity, objectivity, professional competence and due care, confidentiality, and professional behavior). The IESBA staff is also developing a publication to highlight aspects of the Code that might be relevant to accountants in navigating the current crisis, and identifies potential COVID-19 related pressures.
Regulators and oversight bodies are also reminding companies to exercise their professional judgement and pay close attention to accounting standards, the financial reporting implications of COVID-19, and emerging risks. For example, the Securities and Exchange Commission and Public Company Accounting Oversight Board in the US released a statement highlighting the risks and exposures of companies based, or with significant operations, in emerging markets where there may be substantially greater risk that disclosures will be incomplete or misleading.
Key considerations in relation to reporting and fraud risk for professional accountants:
Tone at the Top Needs to be Clear
As in the best of times, what is said and acted upon at the top of the organization sets the tone for behavior throughout the organization. Employees are the first line of defense. Boards and management need to send a clear message to employees that the organization will be judged on how it handles the current crisis, and therefore its values and ethics are paramount.
This extends to their reporting and accounting as well as to their concern for the interests of their stakeholders and how their reputation is perceived.
An effective ethics and compliance program is underpinned by a positive culture, strong values and transparency.
In a recent blog on COVID-19, the National Association of Corporate Directors (NACD) point out that while boards are responsible overall for overseeing the tone at the top, audit committees also play a key role:
“Their challenge is to discern whether the tone that management communicates to the committee is really the tone that permeates the entire company. This is particularly important now that work is being done virtually—employees may feel isolated and disconnected, and messages can be misunderstood. Feedback from past employee sentiment surveys is unlikely to be indicative of the current environment.”
The Center for Audit Quality (CAQ) also emphasizes the importance of corporate culture in navigating through, and emerging from, a crisis.
Maintaining an Effective Control Environment
Changes in working practices and remote working may impact the internal controls that are the foundation to the reliability of the financial reporting process and the credibility of reporting and disclosures. The control implications and challenges of any changes will vary by organization and may depend to an extent on whether controls were predominantly manual or automated before the crisis.
Boards and their audit committees, and management need to assess and continue to monitor a changed control environment, including key controls such as segregation of duties or systems access that may be weakened in a virtual work environment or due to work force displacement and disjointed processes.
Deloitte has identified the following areas in internal control over financial reporting that may need additional attention:
- Scoping and risk assessment conclusions may need to be revisited to verify that they are appropriately responsive to the changes in the organization that have occurred since the outbreak of COVID-19
- The design of controls may need to be adjusted
- Evaluation of the operating effectiveness of controls may need to include a plan for increased levels of remote testing
- Changes in workforce and remote working in the business as a result of COVID-19 may increase control deficiencies
- Typical communication plans with senior management and board members may need to be revisited so that they are given the information they need on a timely basis.
A Re-assessment of Fraud and Reporting Risk Focused on Material Areas
Guidance from Deloitte, Forensic Focus on COVID-19 Financial Statement Fraud outlines examples of financial statement fraud risks that organizations should be conscious of, such as overstatement of revenue, understatement of allowances and reserves, manipulation of valuations and impairments, capitalization of expenses, and margin manipulation.
In response to these financial statement fraud risks, the audit committee, which often has delegated responsibility for oversight of an organization’s financial reporting process, needs to consider a number of key issues, for example:
- The nature of adjustments, including why the adjustments might be viewed as immaterial
- Uncorrected misstatements, i.e., waived accounting adjustments
- Accounting policies, practices, and estimates - are they defensible? Have any changed in light of the crisis, and if so, why and are the changes justified?
- The use of alternative performance (non-IFRS or non-GAAP measures) such as EBITDA and whether these might mislead
- Whether internal audit priorities have been, or should be redirected in response to COVID-19 related fraud and reporting risks (A poll by the Institute of Internal Auditors (IIA) on the impact of COVID-19 on internal audit found that three quarters of internal audit functions have updated their audit plans and over half have updated their risk assessment. 40% of respondents also reported increases in effort related to fraud.)
- How to ensure the operational soundness of the organization’s whistleblowing systems, which may become more critical than ever. Following-up on suspicions of fraud or inappropriate practices will be critical, and using them as learning opportunities to enhance processes and procedures
- Any other key areas of fraud risk e.g., bank transfer fraud.
Where there are different views between the audit committee and management, there needs to be dialogue and robust challenge on the differences, for example the credibility of the estimates, valuations and forecasts in relation to management’s views.
Professional accountants need to be proactive as well as pragmatic given how quickly events change and the uncertainties that arise. It is will be incumbent on all professional accountants to ensure they are alert to how their professional training and responsibilities will be needed as companies deal with and emerge from COVID-19.
Key References Available on the IFAC COVID-19 Webpage
- CAQ: COVID-19 Resource: Key Auditor and Audit Committee Considerations
- CIPFA: COVID-19: protecting the local government sector supply chain from fraud
- Deloitte: COVID-19: Control environment considerations
- EY: What audit committees need to consider in the face of uncertainty
- EY: COVID-19 enterprise resilience checklist
- FEI: Going Concerned: Key Considerations for Financial Statement Preparers During this Pandemic
- Grant Thornton: How to define and respond to fraud risk during COVID-19
- KPMG: COVID-19: the perfect fraud and corruption storm
- OECD: Public Integrity for an Effective COVID-19 Response and Recovery