by Alex Movchan
We recently conducted another interview with Olga Lukashenko who is an Audit Director at Reanda Netherlands. The first interview that was conducted with this special woman can be found on our platform under related items, which was about planning and executing audit engagements during the Covid-19 crisis. This particular talk with Olga covers the topic of conducting audit engagements in regions with a high level of exposure to fraud and corruption.
Hello Olga, you have great professional experience with knowledge of client specifics across Europe and Asia, but also specific business risks that your clients from different regions face. I know that you are working closely not only with clients from the Netherlands and Western Europe, but also specialised on Eastern Europe and Central Asia. Could you please share your views on major differences in risk profiles that should be considered by Chief Audit Executives creating audit programs covering operations in Western, Eastern Europe, but also Central Asia regions ?
Olga Lukashenko : “Hello Alex, thank you for the interview invitation. Indeed, I am specialised on clients with activities based in Eastern Europe and Central Asia. Often, we consider these clients as high risk, but we have measures in place to mitigate these risks, including knowledge of the local business culture and local language skills. Sometimes I fill myself like a translator, but not from a different language. Sometimes I have to translate due to a different backgrounds and / or mentality. Just to give a recent example of misunderstanding: we were requested to provide with a fee quote to an international company who delivers some applications, which are popular in Eastern Europe. Only its name gave me sufficient information about the prospective client, its activities and business processes needed to prepare a proposal.
And it was funny to realise that my colleagues that focus more on projects in Western Europe had no idea what kind of company it was or what the circumstances are that need to be taken into account while designing the audit approach. We do have a number of standard risks prescribed by ISA for every audit engagement. The difference for different locations would be related to the way we prepare responses to those risks. The auditor evaluates the information obtained from the risk assessment procedures on the existence of one or more fraud risk factors.
After identifying risks of fraud, the auditor then assesses the probability of the risk of fraud occurring and its impact on the financial statements. The outcome of the fraud risk analysis is a list of identified and estimated fraud risks at the level of the financial statements and of statements regarding transaction flows, account balances and disclosures. The auditor should assume that there are fraud risks in the revenue recognition (unless these risks are rebuttable). Obtaining evidences regarding the goods movement should be an essential part of the audit.
The risk that management breaks through internal control (risk of management override) is always present. This is partly due to the unpredictable nature of this risk, there is a fraud risk. The auditor should identify and assess risks of management override, including the risk of management override in the financial reporting process.”
Some regions where you have in depth experience are marked in the Transparency International Corruption Perception 2019 report as those with rather high risk of corruption and fraud. What additional or specific audit procedures would you advise to include in audit programs for our internal and also external audit colleagues performing engagements in these regions?
Olga Lukashenko : “This is such a great question. We could hear it on a daily basis. We are struggling with this topic during each and every individual audit. Risk of corruption and fraud must be discussed with:
- Management prior to the client acceptance and at the final stage of the audit;
- Compliance Officer at the client’s acceptance stage;
- Audit committee;
- Audit team during the pre-audit meeting;
- Client’s representatives while executing the audit procedures;
- Quality controller;
- Forensic review team.
The engagement team must pay attention to fraud, corruption, non-compliance with laws and regulations, money laundering and terrorist financing during the audit engagement. It is prescribed by a number of different laws and regulations, such as the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), the Audit Firms Supervision Act (Wta), the Audit Firms Supervision Act Decree (Bta, including the explanatory memorandum), the Detailed Provisions for Auditing and Other Standards (NV COS) and NBA Practice Note 1137 Corruption: procedures for auditors. In professional laws and legislation, these terms are defined as follows:
Fraud: an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.
Corruption: acts related to the offering of a gift or a making promise in order to persuade the other party to do something or refrain from doing something.
Non-compliance with laws and regulations: the intentional or unintentional performance or non-performance of activities that are in violation of any applicable laws or regulations, by the entity, or by those charged with governance, by the management or any other persons working for or under supervision of the entity.
Money laundering: executing transactions that have the aim of providing criminal proceeds with an ostensibly legitimate provenance.
Terrorist financing: the ultimate purpose of which is to provide the material resources to make terrorist activities possible.
A number of specific questions should be considered prior to the client’s acceptance procedures according to Wwft legislation:
- Do we suspect that the client is involved in money laundering and terrorist financing?
- Is the industry, where the (potential) client is active, could be treated as a reason not to accept or continue the client?
- Is there a direct contact with the (potential) client at the start of the relationship and afterwards when this would be obvious?;
- Is there an uncertainty about the group structure; has the ownership been confirmed?;
- Is there an uncertainty about the activities of the company?;
- Are there frequent changes in the legal (ownership) structure?;
- Is there an unnecessarily complex legal (ownership) structure?;
- Is there a lot of cash?;
- The choice of (name audit firm) is not obvious based on size, location, specialisation of (name audit firm);
- The fee of audit firm is not reasonably determined;
- The (potential) client is reluctant or reluctant to provide relevant information;
- There are transactions that do not fit in with the normal activities of the company;
- Funds are received and / or paid from / to unknown or unrelated third parties;
- (Inter) national structures have been set up that conceal property / economic interest;
- Is it possible to identify potential (integrity) risks from transactions with related parties that are not expected to be mitigated?; And
- What assessment has the engagement team made with regard to the integrity risk associated with the possible involvement in evasion or avoidance of tax regulations, and on the basis of which considerations has the engagement team arrived at this assessment?
We are lucky to be supported by NBA (The Royal Netherlands Institute of Chartered Accountants) and AFM (The Dutch Authority for the Financial Markets). NBA issued “Practice Note 1137 Corruption: procedures for auditors”. The audit procedures should be designed appropriate and effective in order to be linked to transaction flows, account balances, disclosures and assertions and the causes of risks. I would recommend to consider regarding corruption risks:
- Does the engagement team expect that management or employees bribe others or does the team expect client to be an aggrieved party as a result of corruption?
- In what way does the engagement team expect that management or employees may be involved in corruption?
- Which transaction flows, account balances or notes to the financial statements are affected by this risk?
It is very important not only to discuss fraud and corruption in a very detailed way, but also to properly record minutes of these discussions. The auditor shall document discussions of significant matters with management, those charged with governance, and others, including the nature of the significant matters discussed and when and with whom the discussions took place. Discussions within the team should result in documenting the corruption risk factors and the identified corruption risk factors. For each corruption risk identified, we should distinguish between the risk factors: incentive/pressure, opportunities and attitude/justification.
Irrespective of the auditor’s assessment of these risks, the engagement team should at least perform audit procedures that address the risk of management override in the financial reporting process. These mainly relate to:
- making adjustments to recorded journal entries or other adjustments during the preparation of the financial statements;
- the tendencies for reporting fraud related to accounting items; and
- significant transactions outside the ordinary course of business or transactions that appear otherwise unusual.
Of course, understanding and knowledge on where to focus attention during audit engagement not to miss significant risks including fraud risks comes with experience, but it is definitely a good starting point. Regardless of the level of experience one might have, is ‘Report to the Nations on occupational fraud and abuse’ issued by the Association of Certified Fraud Examiners. It is a good source of information to get an understanding of the most frequent ways of how fraud risks materialise. This report also gives valuable insights on red flags that could help to identify fraud as well.”
The author, Alex Movchan CIA CICA CFE is the President of the Institute for Internal Controls (Ukraine and Belarus chapter). He is also currently the Head of Internal Controls in a global medical company.