Snapshot 6 - Fraud and other irregularities
Since 2016, UK auditing standards have required the auditor's report for public interest entities to explain to what extent the audit was considered capable of detecting irregularities, including fraud. This has recently been extended to apply to all entities.
This snapshot sets out the approaches that auditors have adopted in responding to this requirement, exploring how auditors have approached these disclosures, the risks that have been identified, and the procedures adopted in response to these risks. Auditor's reports typically discussed risks arising from fraud and non-compliance with laws and regulations (NOCLAR), and this snapshot explores reporting on both.
The sample for this snapshot consists of 243 auditor's reports selected from the 396 reports used by the other snapshots. Of these, 74 were issued for FTSE 100 companies, 101 were for FTSE 250 companies, and 68 were for AIM companies. A total of 188 reports were issued by Big 4 firms, while the remaining 55 were issued by Challenger firms.
1. How auditors communicate fraud and NOCLAR risks
Audit firms adopted different strategies for disclosing how the audit responded to the risks for fraud and NOCLAR within the auditor's report. The length of disclosures varied considerably between different firms and different market segments. The firms also adopted a range of different approaches on how these disclosures were integrated with the rest of the auditor's report.
Figure 1 shows how the length of fraud and NOCLAR disclosures varied. Overall, the average length of disclosure was 617 words. Disclosures were on average longer for FTSE 100 auditor's reports (711 words), and shortest for those issued for large AIM companies (541 words). Disclosures by the Big 4 (657 words) were also longer than those issued by Challenger firms (481 words). Some of this difference may be a consequence of the more complex legal and regulatory requirements faced by large FTSE 100 companies. However, a significant proportion of the overall difference is also due to the greater brevity shown by Challenger firms in making these disclosures.
Fig. 1: Average length of fraud and NOCLAR disclosures
A bar chart showing the average number of words in fraud and NOCLAR disclosures by category.
Average number of words:
- FTSE 100: ~711 words
- FTSE 250: ~650 words
- AIM: ~541 words
- Big 4: ~657 words
- Challenger: ~481 words
The chart illustrates that FTSE 100 disclosures are the longest, while Challenger firm disclosures are the shortest.
Audit firms also adopted a range of approaches to how the disclosures were set out and integrated with the rest of the auditor's report. A depiction of the positions at either end of this range is set out in Figure 2. The 'Simple' approach was to treat the disclosures on fraud and NOCLAR as an extension of the auditor's responsibilities for a financial statement audit. The disclosures still included a discussion of identified risks of fraud and NOCLAR, an identification of the most important legal and regulatory frameworks for the company, and the audit procedures performed in response to these risks. However, there was limited integration with the rest of the auditor's report.
Fig. 2: Approaches to structuring fraud and NOCLAR disclosures within auditor's reports
This diagram illustrates two approaches: 'Simple' and 'Integrated'.
'Simple' approach:
- Auditor's report on ABC plc
  - Auditor's responsibilities for the audit
    - Approach to detecting fraud and other irregularities
'Integrated' approach:
- Auditor's report on XYZ plc
  - Key audit matters
  - Approach to detecting fraud and other irregularities
    - Fraud
    - Non-compliance with laws and regulations
The diagram shows that the 'Integrated' approach involves more nested layers than the 'Simple' approach.
The 'Integrated' approach included the disclosures as a separate section, which was divided into distinct commentaries on fraud and NOCLAR. These in turn set out the risks identified by the auditor, as well as the auditor's specific responses to those risks. An explanation was also frequently provided as to why identified fraud and NOCLAR risks had or had not been treated as Key Audit Matters. One firm also consistently explained why fraudulent revenue recognition had not been treated as a significant financial statement risk. This particular risk is presumed by the auditing standards but can be rebutted by the auditor if there are reasonable grounds for doing so.
The 'Integrated' approach results in longer disclosures and its features are most common in reports issued by some of the Big 4 firms, though it is also apparent in some Challenger reports. The features of the 'Simple' approach were most common with Challenger firms but were shared by reports issued by some of the Big 4 firms.
2. The extent of boilerplate
An indication of the quality of disclosures on how auditors responded to the risk of fraud and NOCLAR is the extent to which generic language ('boilerplate') is used. Boilerplate disclosures may not help the user to understand specific risks for an individual company. Evidence indicates that the extent of boilerplate varies between market segments and between groups of audit firms.
To quantify the extent of boilerplate, each auditor's report was allocated a boilerplate score for these specific disclosures, calculated as the proportion of the disclosures that consists of commonly occurring four-word phrase groups. The lower the score, the lower the prevalence of boilerplate. As this uses a different body of text to identify commonly occurring phrases, these findings are not directly comparable with the findings reported for entire auditor's reports in Snapshot 1. However, it does provide a way of comparing different firms and market segments.
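The four-word-phrase scoring method described above, as an added worked example (constructed sample disclosures; not the FRC study's own code, whose exact phrase-selection threshold and normalisation the page does not state): a phrase is treated as 'commonly occurring' when it appears in at least `min_docs` reports, and a report's score is the share of its words covered by such phrases.

```python
import re
from collections import Counter

# Constructed sample disclosures (not from the FRC sample). The first two
# share a stock sentence on fraud procedures; the third is entity-specific.
SAMPLE_DISCLOSURES = [
    "We made enquiries of management regarding known or suspected fraud "
    "and tested manual journal entries posted at year end.",
    "We made enquiries of management regarding known or suspected fraud "
    "and reviewed board minutes for the year.",
    "Our procedures focused on rebate arrangements with the group's largest "
    "customers because those terms are bespoke.",
]

def tokens(text):
    """Lower-case word tokens; punctuation is dropped, apostrophes kept."""
    return re.findall(r"[a-z0-9']+", text.lower())

def four_grams(words):
    """All consecutive four-word phrases, in document order."""
    return [tuple(words[i:i + 4]) for i in range(len(words) - 3)]

def common_phrases(corpus, min_docs=2):
    """Four-word phrases present in at least min_docs distinct reports.
    min_docs is an assumed threshold; the page does not state the study's."""
    doc_freq = Counter()
    for text in corpus:
        doc_freq.update(set(four_grams(tokens(text))))  # count each report once
    return {gram for gram, n in doc_freq.items() if n >= min_docs}

def boilerplate_score(text, phrases):
    """Share of a report's words covered by at least one common phrase.
    Overlapping phrases are merged so no word is counted twice."""
    words = tokens(text)
    if len(words) < 4:
        return 0.0
    covered = [False] * len(words)
    for i, gram in enumerate(four_grams(words)):
        if gram in phrases:
            covered[i:i + 4] = [True] * 4
    return sum(covered) / len(words)

def score_corpus(corpus, min_docs=2):
    """Score every report against the phrases common across the whole corpus."""
    phrases = common_phrases(corpus, min_docs)
    return [boilerplate_score(text, phrases) for text in corpus]

def average_score(scores, labels, label):
    """Mean score for one group, e.g. a firm type or market segment."""
    group = [s for s, l in zip(scores, labels) if l == label]
    return sum(group) / len(group) if group else 0.0

if __name__ == "__main__":
    for text, score in zip(SAMPLE_DISCLOSURES, score_corpus(SAMPLE_DISCLOSURES)):
        print(f"{score:.2f}  {text[:50]}...")
```

Raising `min_docs` makes the measure stricter; with only three sample reports, a threshold of 3 finds no common phrase and every score drops to zero, which is why the threshold choice matters when comparing firm groups of different sizes.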
Fig. 3: Estimated average boilerplate scores for fraud and NOCLAR disclosures
A bar chart showing boilerplate scores for fraud and NOCLAR disclosures across different categories.
Boilerplate score (from 0 to 0.6):
- FTSE 100: ~0.2
- FTSE 250: ~0.3
- AIM: ~0.5
- Big 4: ~0.25
- Challenger: ~0.45
The chart illustrates that AIM companies and Challenger firms have higher boilerplate scores.
Figure 3 shows how the average boilerplate scores for fraud and NOCLAR disclosures varied by market segment and by audit firm group. Disclosures for FTSE 100 companies had on average the lowest levels of boilerplate, while large AIM companies had the highest proportion of boilerplate in their disclosures. In addition, disclosures in reports issued by Challenger firms exhibited the most boilerplate, while Big 4 firms had the least. This could be because more of the companies audited by Challengers are smaller, less complex, and have a lower need for tailored reporting.
In addition, the information on the length of disclosures in Figure 1 indicates that shorter reports contain more boilerplate. This, together with the trends between audit firms and between market segments, is consistent with the findings on the extent of boilerplate in auditor's reports presented in Snapshot 1.
3. Fraud risks
Auditors have responded to the requirement that their reports explain the extent to which the audit could detect fraud by including information on fraud risks and the responses to those risks. The identified risks tended to be those presumed by the auditing standards, namely management override of controls and fraudulent revenue recognition. Responses to identified risks tended to be generic and were frequently not tailored to the specific circumstances of the entity.
Figure 4 presents the average number of fraud risks that were included in disclosures on how the auditor has responded to the risk of fraud. Auditor's reports issued for FTSE 100 companies included the greatest number of fraud risks, followed by those issued for companies in the FTSE 250. Large AIM companies had the lowest average number of risks. Big 4 reports also described more risks on average than those issued by Challenger firms.
Fig. 4: Average number of identified fraud risks
A bar chart showing the average number of identified fraud risks by category.
Average number of risks:
- FTSE 100: 2.3
- FTSE 250: 2.0
- AIM: 1.7
- Big 4: 1.8
- Challenger: 1.7
The chart illustrates that FTSE 100 companies had the highest average number of identified fraud risks.
The different types of risks included in these disclosures are set out in Figure 5. The most common risks – management override of controls, and fraudulent revenue recognition – are presumed by the auditing standards. The next four most common risks – accounting estimates, intangibles and goodwill, financial instruments, and provisions – are areas of financial reporting where the increased role for the exercise of judgement by management gives rise to an elevated risk of fraudulent financial reporting.
Fig. 5: Types of identified fraud risks
A horizontal bar chart showing the proportion of all fraud risks identified.
Fraud risks and their approximate proportion of all risks:
- Management override of controls: ~30%
- Revenue recognition: ~25%
- Accounting estimates: ~15%
- Intangibles & goodwill: ~10%
- Financial instruments: ~8%
- Provisions: ~5%
- Assets: ~3%
- Adjusting or exceptional items: ~2%
- Expected credit losses: ~1%
- Investment property: ~1%
- Contract accounting: <1%
- Acquisition accounting: <1%
- Other: ~2%
The chart highlights that 'Management override of controls' and 'Revenue recognition' are the most common identified fraud risks.
Auditor's reports also set out the risk assessment procedures used to identify fraud risks, and the actions taken by auditors to respond to those identified risks. Figure 6 sets out these different types of auditor responses. In total, almost three times as many risk assessment procedures (2,428) were disclosed compared to the actions taken by auditors to respond to those risks (878).
Fig. 6: Types of responses to fraud risks
A horizontal bar chart showing the proportion of all responses, categorized into risk assessment procedures and responses to identified risks.
Risk assessment procedures and their approximate proportion of all responses:
- Enquiries of management: ~18%
- Review of entity's documents: ~15%
- Engagement team communication: ~12%
- Use of audit firm's internal experts: ~10%
- Evaluation of entity's controls: ~8%
- Review of entity's correspondence: ~7%
- Understanding the entity & its environment: ~5%
- Other risk assessment procedures: ~10%
Responses to identified risks and their approximate proportion of all responses:
- Management override of controls testing: ~5%
- Financial statement review: ~4%
- Revenue recognition testing: ~3%
- Controls testing: ~2%
- Other substantive procedures: ~1%
The chart indicates a higher proportion of risk assessment procedures compared to specific responses to identified risks.
For both these types of auditor response, the disclosures were often highly generic, and in many cases simply represented actions that are required by the auditing standards. These include stating that enquiries were made of directors, or that board minutes were reviewed, or that manual journals were tested. The 'other actions' category in the figure, totalling 18%, included those that were specifically tailored to an identified fraud risk and the circumstances of the individual company. However, even this category included many generic procedures which the auditing standards require auditors to perform.
4. NOCLAR risks
The requirement for auditor's reports to set out the extent to which the audit could detect irregularities has led to auditors including detail on the legal and regulatory frameworks to which the company was subject and which created the greatest risks of non-compliance with laws and regulations (NOCLAR). Reports also set out the specific risks of non-compliance with those frameworks that the auditor had identified for the company in question.
Figure 7 shows the average number of legal and regulatory frameworks identified by auditor's reports, as well as the average number of specific NOCLAR risks, for the sample. In total, far more frameworks (1,285) than risks (169) were disclosed. Reports issued for FTSE 100 companies identified the largest average number of frameworks, followed by FTSE 250 companies and large AIM companies. Reports issued by the Big 4 firms also, on average, identified more frameworks than those issued by Challenger firms. Meanwhile, there is little difference between market segments in the average number of specific NOCLAR risks disclosed in auditor's reports. For all three market segments, fewer than one specific risk is identified per report. Auditor's reports issued by Challenger firms include even fewer risks than those issued by Big 4 firms.
Fig. 7: Average numbers of legal and regulatory frameworks and NOCLAR risks
A grouped bar chart showing the average number of frameworks and risks by category.
Average number of frameworks / risks:
- FTSE 100: Frameworks: 6.2, Risks: 0.8
- FTSE 250: Frameworks: 5.6, Risks: 0.7
- AIM: Frameworks: 3.9, Risks: 0.7
- Big 4: Frameworks: 5.6, Risks: 0.8
- Challenger: Frameworks: 4.3, Risks: 0.3
The chart clearly shows that the number of identified frameworks significantly outweighs the number of identified NOCLAR risks across all categories.
Figure 8 illustrates the frequency with which different legal and regulatory frameworks are included in auditor's reports. It also compares this with the frequency with which specific risks were identified against these frameworks. The most commonly identified frameworks were company law, tax legislation, financial reporting frameworks, and general financial regulation (which includes the listing rules). Some of these frameworks rarely resulted in specific risks of non-compliance. For example, relatively few specific NOCLAR risks were identified in relation to breaches of company law or financial reporting frameworks. The identification of specific risks was more common for tax legislation, employment and pensions law, financial services regulations, and competition and consumer protection law. This suggests that the identification of specific non-compliance risks was related to the circumstances of the audited company. However, Snapshot 3 demonstrates that these specific risks were rarely treated as Key Audit Matters within the auditor's report.
Fig. 8: Types of legal and regulatory frameworks and NOCLAR risks
A horizontal grouped bar chart showing the proportion of frameworks and risks for various NOCLAR frameworks.
NOCLAR framework and approximate proportions (Framework / Risks):
- Company law: Framework 25%, Risks 2%
- Tax: Framework 20%, Risks 10%
- Financial reporting: Framework 18%, Risks 2%
- General financial regulation: Framework 15%, Risks 1%
- Employment & pensions: Framework 10%, Risks 8%
- Financial crime: Framework 8%, Risks 4%
- Health & safety: Framework 7%, Risks 3%
- Corporate governance: Framework 6%, Risks 1%
- Financial services regulation: Framework 5%, Risks 5%
- Competition & consumer protection: Framework 4%, Risks 4%
- Sector specific: Framework 3%, Risks 0.5%
- Environmental protection: Framework 2%, Risks 0.5%
- Data privacy & protection: Framework 1%, Risks 1%
- Export rules & sanctions: Framework 0.5%, Risks 0.5%
- Intellectual property law: Framework 0.5%, Risks 0.5%
- Other: Framework 2%, Risks 1%
The chart indicates that while frameworks like Company Law and Financial Reporting are frequently identified, specific NOCLAR risks associated with them are relatively low compared to frameworks like Tax or Employment & Pensions.
Summary
- Audit firms have used a range of approaches to explain the extent to which the audit was considered capable of detecting irregularities, including fraud.
- The disclosures were on average longest, with the least amount of boilerplate, in auditor's reports issued for FTSE 100 companies and by Big 4 audit firms.
- Conversely, the related disclosures in reports issued for large AIM companies and by Challenger firms are shorter and contain more boilerplate.
- Identified fraud risks tended to be those presupposed by the auditing standards.
- The responses to fraud risks tend to be generic and describe procedures that the auditor is required to do for any audit, rather than being specifically tailored to the circumstances of the entity.
- The legal and regulatory frameworks identified for NOCLAR risks tend to be generic, though the actual risks set out in the disclosures are more specific to the company in question.
Acknowledgements
This snapshot is based on an analysis of 396 auditor's reports issued during 2021, and commissioned by the FRC from a team of academics based at the Universities of Portsmouth, Southampton, and Brunel.
Financial Reporting Council