If you’re engaged to do an audit, there’s a chance not everything you find will be by the book. Luckily for you, International Standards on Auditing give you some guidance on what to do if you discover fraud. Here’s a rundown of your responsibilities under ISA 240 if you’re asked to do an audit.

What Is Your Responsibility?

Under ISA 240, you are required you to understand the difference between fraud and error, and to further distinguish between fraud from misappropriation of assets and misstatements from fraudulent financial reporting. Under ISA 240, it’s your job to be skeptical.

As part of the audit, you’re required to talk to management about risks of misstatements and how management responds to these areas of risk. You’re also in charge of knowing how management communicates these risks to others and if it knows of any fraud going on within the company. As the auditor, you need to get an understanding of the governance process to oversee processes. You’ll have to evaluate unusual and unexpected relationships that might change your opinion on the financial statements.

What Sort of Tests Should Be Used?

During the audit, always presume revenue recognition has been recorded incorrectly and expenses are understated. As you check the accounts, ISA 240 outlines your responsibility to test the appropriateness of accounting entries throughout the entire period you’re auditing. You’re also in charge of examining accounting estimates. You also need to follow ISA 240’s guidance on searching for significant transactions outside of the normal course of business.

Get Written Representations

Although it’s your client’s responsibility to disclose material events, it’s your responsibility to make sure that happens. According to ISA 240, you need to have management acknowledge its responsibility for the design and maintenance of internal controls, that it’s disclosed financial statements that aren’t misstated, and that there’s no fraud going on.

Communicating That You Found Fraud

If you find evidence of fraudulent activity, the first step is to let your client’s management know. ISA 240 guidelines tell you to do this in a timely manner. The auditing standards also say that those with the primary responsibility of preventing these things from happening should be told to immediately begin discussing detection and prevention measures.

What to Document

ISA 240 also outlines some of your documentation requirements. It’s up to you to discuss your findings and write out the assessed risk of material misstatement based on the fraud you found. You have to outline your overall response to the risk, what procedures should be taken, and what communication you had with your client.

If You Just Can’t Continue

There might be situations where you don’t feel comfortable continuing. In this case, you should first consider your professional and legal responsibilities. Think about whether it’s appropriate to withdraw, and discuss with your client the reason for your withdrawal. Per ISA 240, you’re also charged with speaking to regulatory or government authorities.

It’s uncomfortable to find out that one of your clients has been committing fraud. Thankfully, there are auditing rules to help you outline your course of action. If you find fraud, let your client’s management know, document what you found, and alter your opinion accordingly.