
Guidance Note For Forensic Accounting And Investigation Standard No. 120 On Fraud Risk outlines the manner in which the Professional prepares and executes work procedures for implementing the requirements of the Standard during the course of a FAI engagement.

Digital Accounting Assurance Board
The Institute of Chartered Accountants of India
1st June, 2023

GUIDANCE NOTE FOR FORENSIC ACCOUNTING AND INVESTIGATION STANDARD NO. 120 ON FRAUD RISK

EXPOSURE DRAFT Approved by DAAB (On 1 June’23)

This Guidance Note provides technical clarifications and implementation guidance on how to prepare for and conduct work procedures on Forensic Accounting and Investigation Standard Number 120, on “Fraud Risk,” issued by the Institute of Chartered Accountants of India (ICAI) and should be read in conjunction with all the Standards relevant to the topic. The contents of this Guidance Note are recommendatory in nature and do not represent the official position of the ICAI. The reader is advised to apply his best Professional judgement in the application of this Guidance Note considering the relevant context and prevailing circumstances.

1.0 Introduction

1.1  FAIS 120 on “Fraud Risk” expects the Professional to understand the fraud risk concepts and apply these in a Forensic Accounting and Investigation (FAI) engagement. The requirements of the Standard are expected to be implemented through:

(a) A preliminary fraud risk understanding of the areas relevant to the subject matter of the engagement.

(b) Identification of fraud risk indicators.

(c) Prioritisation of work procedures and reporting in the areas most vulnerable to fraud.

2.0 Objectives

2.1 This Guidance Note (GN) outlines the manner in which the Professional prepares and executes work procedures for implementing the requirements of the Standard during the course of a FAI engagement.

2.2 The objective of the GN is to assist the Professional in scoping and planning the engagement in order to:

(a) Identify areas most vulnerable to fraud insofar as they are relevant to the scope and objectives of the engagement.

(b) Perform a preliminary fraud risk understanding of these fraud risk areas.

(c) Identify and prepare a list of fraud risk indicators and categorise them by level of importance (High/Medium/Low).

(d) Prioritise the work procedures and allocate them to those with available skills and expertise.

2.3 The GN also provides examples and illustrations to help the Professional apply the fraud risk concepts which can be directed towards the areas of importance and which can help to keep the focus on priority areas of the engagement.

3.0 Procedures

3.1 In order for the Professional to apply the fraud risk concepts in an effective manner, there is a need to understand how the risk, in general, is quantified. Since risk is a function of two key variables of Impact and Probability, a rating out of say 5 or 10 can be assigned to each of the two variables to get an overall quantification, out of 25 (5×5) or 100 (10×10).

For example, there is a risk of duplicate payments and the impact of any one such payment is INR 1.0 million (i.e., any payment above this amount goes through a more rigorous process, including checking for duplicate payments). A rating of 4 out of 5 may be assigned to Impact due to the large amount. Let’s assume the probability of this event happening is average, or 50%. Hence, a rating of 3 out of 5 may be assigned to Probability. Therefore, the overall risk rating would be 12 (4×3) out of 25, and this would be considered when we compare the duplicate payment risk with some other risks such as the risk of unapproved payments (which may be rated 16 (4×4)), or of payment for goods not received (which may have another rating), making the comparison between them easy due to the numerical quantifications.

3.2 The fraud risk identification process requires an understanding of all the possible areas where a fraud could be perpetrated and accordingly estimating the likelihood of the risk being materialised. To understand the possible avenues of fraud, the Professional may review relevant policies and procedures and even consider a brief walkthrough of certain fraud vulnerable processes to get an appreciation of the control environment.

3.3 The Professional may consider certain high-level organisational factors that influence the engagement fraud risk areas, some of which are as follows (indicative list):

(a) The nature of the business and industry of the organisation.

(b) The business environment and stakeholders of the organisation.

(c) The Corporate Governance and entity level control framework.

(d) The effectiveness of its anti-fraud programs.

(e) Risk management and Compliance culture.

3.4 The Professional, in order to understand the financial impact of the fraud risk, may attempt to quantify it using financial information such as the Independent Auditor’s Report, the Internal Audit reports, the Companies (Auditors Report) Order (CARO) report, the Internal Controls over Financial Reporting (ICFR) and consider a general financial analysis to note any particular areas which may point towards a need for deeper data analytics.

For example, long outstanding debtors or a sharp increase in Debtor Turnover Ratio may indicate cash flow issues and a risk of timely loan repayments.

3.5 The Professional may also consider various internal non-financial sources of risk information such as employee complaints, whistle blower complaints, or past incidents of legal violations and penalties etc.

3.6 Since frauds usually involve a high degree of human intervention, the Professional may consider gathering relevant information from the public domain and external sources (such as social media, industry news, criminal, civil and regulatory complaints). The level of interaction of company officials with Government officials may also be of some relevance in this regard.

3.7 The Professional may consider both the qualitative and quantitative factors when assessing the significance of fraud risk to the engagement. However, the quantified list of risks would only be a starting point; a more comprehensive evaluation would be possible only by incorporating other non-financial information and other qualitative inputs.

For example, a risk of inventory pilferage may be considered not very material due to its low financial impact, but due to the sensitive nature of the risk (pointing towards possible integrity issue), the management may choose to rate the impact much higher considering its brand and reputation implications.

3.8 Once all the fraud risks have been assessed with a combination of quantitative and qualitative measures, they can be classified as either High, Medium or Low and accordingly allotted a level of priority for consideration.

For example, in an engagement of inventory pilferage, the list of fraud risk indicators may include various possible reasons, but the risk quantification of each will help the Professional to decide how much time and attention is to be given to each fraud indicator. So, gate security measures, or poor quality of raw materials, or operational inefficiencies, or inventory record keeping are all fraud risk indicators for inventory pilferage, each having a different risk rating, and therefore, each with a different priority for consideration.

4.0 Explanations with Examples

4.1 The Professional may consider the following fraud risk indicators (also called red flags and early warning signs), in assessing the significance of fraud risk:

  • Unusual financial statement and performance indicators such as:

(a) A pattern of similar audit adjustments proposed year after year.

(b) Persistent cash flow problems, even when the organisation has regularly reported profits.

(c) Outstanding results when the rest of the industry has suffered a downturn.

(d) Transactions in the books that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy.

(e) Unreconciled subsidiary & General Ledger accounts.

  • Unusual financial condition of the organisation such as:

(a) Unusual financial ratios when compared to competitors.

(b) Significantly outpacing competitors in the industry.

(c) An organisation doing quite well suddenly makes huge losses.

  • Unusual close association with vendors or customers.
  • Employee unwilling to share duties.
  • Hierarchy structure in the organisation not followed in decision making.
  • Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures.
  • No written policies and/or procedures.
  • Lack of Internal Controls or casual approach to reported internal control lapses.
  • Significance to the operations, brand value and reputation.
  • Whether employees suffered any financial damages.
  • Whether any financial damage has been caused to third parties.
  • Criminal, civil and regulatory liabilities.
  • Reputation damage among stakeholders.

4.2 The Professional may review the qualitative aspects of the transactions, such as the parties involved, the individual signatories, any possible connection between the parties. These connections may be in the form of:

  • Connections or relationship between the parties and individuals involved in the transaction in terms of relations not covered as per the various statutes, old friendships or associations and other possible connections.
  • Significant financial interests in form of loans or other transactions between the parties and individuals involved in the transaction.
  • Personal guarantees or securities for loan facilities provided amongst the parties and individuals involved in the transaction.

4.3 The Professional may also review the electronically stored information (Refer FAIS 420 on “Evidence gathering in Digital Domain” for further details) in relation to employees involved in specific transactions to evaluate fraud risk.

4.4 Risks in relation to revenue (Indicative list):

  • Unexplained variations between budgeted revenues and actual revenues.
  • Revenue booked during the period ends.
  • Revenue reversals at the beginning of the period.
  • Sudden spike in revenue without corresponding increase in profit and cash balance.
  • Revenue or Sales not supported with proof of delivery or service.

4.5 Risks in relation to expenses and vendor onboarding (Indicative list):

  • Siphoning of funds through fictitious or inflated expenses in the books of accounts, personal profiteering and kickbacks through vendor-employee conflicts are some of the common instances of fraud.
  • Analysing whether the major spends booked are commensurate with the size of business and nature of operations of the organisation.
  • Budgeted spends in comparison with actuals to identify reasons for deviations especially those that are indicative of any unusual pattern(s).
  • Expenses booked towards the end of accounting period as adjustment entries.
  • Sudden spikes in business volumes to vendor and whether the vendor was onboarded through the organisation’s regular onboarding procedures.

4.6 Risks in relation to loans (Indicative list):

  • Acquiring loans from banks and siphoning the funds out of the business cycle by management or employees has seen notable frauds in recent times.
  • Transactions immediately before and after the receipt of loan funds to understand the flow of funds or any potential instances of unauthorized application of loan funds.
  • Specific elements in relation to security involved with the loan transactions, such as whether the security is owned by a third party, if so, what is the nature of relationship between them; or any undisclosed lien already created on the security offered for a particular loan, which may hamper the security coverage for either of the loans.
  • Whether the loans are being serviced on time and enquire into the reason for default, if any.

5.0 Annexures

5.1 The Annexure includes reference from Auditing Standard on Fraud Risk.

5.2 The fraud risk factors identified here are examples of such factors that may be faced by the Professional in a broad range of situations. Presented here are examples relating to two types of frauds relevant to consideration, i.e., fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalizations.

5.3 Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the Professional may identify additional or different risk factors.

I. Risk factors relating to misstatements arising from fraudulent financial reporting.

Incentives/Pressures  

Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (indicative list):

  • High degree of competition or market saturation, accompanied by declining margins.
  • High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates.
  • Significant declines in customer demand and increasing business failures in either the industry or overall economy.
  • Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.
  • Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.
  • Rapid growth or unusual profitability especially compared to that of other companies in the same industry.
  • New accounting, statutory, or regulatory requirements.

Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following:

  • Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages.
  • Need to obtain additional debt or equity financing to stay competitive, including financing of major research and development or capital expenditures.
  • Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements.
  • Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.

Information available indicates that the personal financial situation of management or those charged with governance is threatened by the entity’s financial performance arising from the following:

  • Significant financial interests in the entity.
  • Significant portions of their compensation (for example, bonuses, stock options, and earn-out arrangements) being contingent upon achieving aggressive targets for stock price, operating results, financial position, or cash flow.

There is excessive pressure on management or operating personnel to meet financial targets established by those charged with governance, including sales or profitability incentive goals.

Opportunities  

The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:

  • Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.
  • A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm’s-length transactions.
  • Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate.
  • Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult “substance over form” questions.
  • Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.
  • Use of business intermediaries for which there appears to be no clear business justification.
  • Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification.

The monitoring of management is not effective as a result of the following:

  • Domination of management by a single person or small group (in a non-owner managed business) without compensating controls.
  • Oversight by those charged with governance over the financial reporting process and internal control is not effective.

There is a complex or unstable organizational structure, as evidenced by the following:

  • Difficulty in determining the organization or individuals that have controlling interest in the entity.
  • Overly complex organizational structure involving unusual legal entities or managerial lines of authority.
  • High turnover of senior management, legal counsel, or those charged with governance.

Internal control components are deficient as a result of the following:

  • Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required).
  • High turnover rates or employment of accounting, internal audit, or information technology staff that are not effective.
  • Accounting and information systems that are not effective, including situations involving significant deficiencies in internal control.

Attitudes/Rationalizations

  • Communication, implementation, support, or enforcement of the entity’s values or ethical standards by management, or the communication of inappropriate values or ethical standards, that are not effective.
  • Non-financial management’s excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates.
  • Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations.
  • Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend.
  • The practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.
  • Management failing to remedy known significant deficiencies in internal control on a timely basis.
  • An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons.
  • Low morale among senior management.
  • The owner-manager makes no distinction between personal and business transactions.
  • Dispute between shareholders in a closely held entity.
  • Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.
  • The relationship between management and the current or predecessor statutory auditor is strained, as exhibited by the following:

— Frequent disputes with the current or predecessor statutory auditor on accounting, auditing, or reporting matters.

— Unreasonable demands on the statutory auditor, such as unrealistic time constraints regarding the completion of the statutory audit or the issuance of the statutory auditor’s report.

— Restrictions on the statutory auditor that inappropriately limit access to people or information or the ability to communicate effectively with those charged with governance.

—  Domineering management behaviour in dealing with the statutory auditor, especially involving attempts to influence the scope of the statutory auditor’s work or the selection or continuance of personnel assigned to or consulted on the audit engagement.

II. Examples of risk factors arising from misstatements arising from misappropriation of assets

Incentives/Pressures

Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.

Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:

  • Known or anticipated future employee layoffs.
  • Recent or anticipated changes to employee compensation or benefit plans.
  • Promotions, compensation, or other rewards inconsistent with expectations.

Opportunities

Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:

  • Large amounts of cash on hand or processed.
  • Inventory items that are small in size, of high value, or in high demand.
  • Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
  • Fixed assets which are small in size, marketable, or lacking observable identification of ownership.

Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:

  • Inadequate segregation of duties or independent checks.
  • Inadequate oversight of senior management expenditures, such as travel and other reimbursements.
  • Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations.
  • Inadequate job applicant screening of employees with access to assets.
  • Inadequate record keeping with respect to assets.
  • Inadequate system of authorization and approval of transactions (for example, in purchasing).
  • Inadequate physical safeguards over cash, investments, inventory, or fixed assets.
  • Lack of complete and timely reconciliations of assets.
  • Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns.
  • Lack of mandatory vacations for employees performing key control functions.
  • Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation.
  • Inadequate access controls over automated records, including controls over and review of computer systems event logs.

Attitudes/Rationalizations  

  • Disregard for the need for monitoring or reducing risks related to misappropriations of assets.
  • Disregard for internal control over misappropriation of assets by overriding existing controls or by failing to take appropriate remedial action on known deficiencies in internal control.
  • Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of the employee.
  • Changes in behaviour or lifestyle that may indicate assets have been misappropriated.
  • Tolerance of petty theft.

5.4 The Annexure includes reference from RBI’s Master Circular on Fraud.

As per RBI “Master Circular on Frauds Classification and Reporting” vide notification RBI/2015-16/75, some Early Warning signals are highlighted which should alert about some wrongdoings in the loan accounts which may turn out to be fraudulent:

  • Default in payment to the banks/ sundry debtors and other statutory bodies, etc., bouncing of the high value cheques.
  • Frequent change in the scope of the project to be undertaken by the borrower.
  • Costing of the project which is in wide variance with standard cost of installation of the project.
  • Foreign bills remaining outstanding for a long time and tendency for bills to remain overdue.
  • Frequent invocation of BGs and devolvement of LCs.
  • Large number of transactions with inter-connected companies and large outstanding from such companies.
  • Substantial increase in unbilled revenue year after year.
  • Significant increase in working capital borrowing as percentage of turnover.
  • Frequent change in accounting period and/or accounting policies.
  • Movement of an account from one bank to another.
  • Heavy cash withdrawal in loan accounts.
  • High value RTGS payment to unrelated parties.
