- 20 Marks
AA – L2 – Q5 – Fraud and Error
Question
(a) Explain how the internal audit function helps an entity with the risk of fraud and error.
(b) Explain the responsibilities of external auditors in respect of the risk of fraud and error in an audit of financial statements.
(c) SunCity Travel is an independent travel agency. It does not operate holidays itself. It takes commission on holidays sold to customers through its chain of high street shops. Staff are partly paid on a commission basis. Well-established tour operators run the holidays that SunCity Travel sells. The networked reservations system through which holidays are booked and the computerised accounting system are both well-established systems used by many independent travel agencies.
Payments by customers, including deposits, are accepted in cash and by debit and credit card. SunCity Travel is legally required to pay an amount of money (based on its total revenue for the year) into a central fund maintained to compensate customers if the agency should cease operations.
Describe the nature of the risks to which SunCity Travel is subject arising from fraud and error.
Answer
(a) (i) The internal audit function in any entity is part of the overall corporate governance function of that entity. Corporate governance objectives include the management of the risks to which the entity is subject that would prevent it achieving its overall objectives, such as profitability. Corporate governance objectives also include the overarching need for the management of an entity to exercise a stewardship function over the entity’s assets.
(ii) A large part of the management of risks, and the proper exercise of stewardship, involves the maintenance of proper controls over the business. Controls over the business as a whole, and in relation to specific areas, include the effective operation of an internal audit function.
(iii) Internal audit can help management manage risks in relation to fraud and error, and exercise proper stewardship by:
- commenting on the process used by management to identify and classify the specific fraud and error risks to which the entity is subject (and in some cases helping management develop and implement that process);
- commenting on the appropriateness and effectiveness of action taken by management to manage the risks identified (and in some cases helping management develop appropriate actions by making recommendations);
- periodically auditing or reviewing systems or operations to determine whether the risks of fraud and error are being effectively managed;
- monitoring the incidence of fraud and error, investigating serious cases and making recommendations for appropriate management responses.
(iv) In practice, the work of internal audit often focuses on the adequacy and effectiveness of internal control procedures for the prevention, detection, and reporting of fraud and error. Routine internal controls (such as the controls over computer systems and the production of routine financial information) and non-routine controls (such as controls over year-end adjustments to the financial statements) are relevant.
(v) It should be recognised, however, that many significant frauds bypass normal systems of internal control and that, in the case of management fraud in particular, much higher-level controls (those relating to the high-level governance of the entity) need to be reviewed by internal audit in order to establish the nature of the risks, and to manage them effectively.
(b) (i) External auditors are required by ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements to consider the risks of material misstatements in the financial statements due to fraud. Their audit procedures will then be based on a risk assessment. Regardless of the risk assessment, auditors are required to be alert to the possibility of fraud throughout the audit and maintain an attitude of professional scepticism, notwithstanding the auditors’ past experience of the honesty and integrity of management and those charged with governance. Members of the engagement team shall discuss the susceptibility of the entity’s financial statements to material misstatements due to fraud.
(ii) Auditors shall make enquiries of management regarding management’s assessment of fraud risk, its process for dealing with risk, and communications with those charged with governance and employees. They shall enquire of those charged with governance about the oversight process.
(iii) Auditors shall also enquire of management and those charged with governance about any suspected or actual instance of fraud.
(iv) Auditors shall consider fraud risk factors, unusual or unexpected relationships, and assess the risk of misstatements due to fraud, identifying any significant risks. Auditors shall evaluate the design of relevant internal controls, and determine whether they have been implemented.
(v) Auditors shall determine an overall response to the assessed risk of material misstatements due to fraud and develop appropriate audit procedures, including testing certain journal entries, reviewing estimates for bias, and obtaining an understanding of the business rationale of significant transactions outside the normal course of business. Appropriate written representations shall be obtained.
(vi) Auditors are only concerned with risks that might cause material misstatements in the financial statements. External auditors might therefore pay less attention than internal auditors to small frauds (and errors), although they must always consider whether evidence of single instances of fraud (or error) is indicative of more systematic problems.
(vii) It is accepted that because of the hidden nature of fraud, an audit properly conducted in accordance with ISAs might not detect a material misstatement in the financial statements arising from fraud. In practice, routine errors are much easier to detect than frauds.
(viii) Where auditors encounter suspicions or actual instances of fraud (or error), they must consider the effect on the financial statements, which will usually involve further investigations. They should also consider the need to report to management and those charged with governance.
(ix) Where serious frauds (or errors) are encountered, auditors need also to consider the effect on the entity’s ability to continue as a going concern, and the possible need to report externally to third parties, either in the public interest, for national security reasons, or for regulatory reasons. Many entities in the financial services sector are subject to this type of regulatory reporting and many countries have legislation relating to the reporting of money laundering activities, for example.
(c) (i) SunCity Travel is subject to all of the risks of misstatement arising from the use of computer systems. If programmed controls do not operate effectively, for example, the information produced may be incomplete or incorrect. Inadequate controls also give rise to the risk of fraud by those who understand the system and are able to manipulate it in order to hide the misappropriation of assets such as receipts from customers.
(ii) All networked systems are also subject to the risk of error because of the possibility of the loss or corruption of data in transit. They are also subject to the risk of fraud where the transmission of data is not securely encrypted.
(iii) All entities that employ staff who handle company assets (such as receipts from customers) are subject to the risk that staff may make mistakes (error) or that they may misappropriate those assets (fraud) and then seek to hide the error or fraud by falsifying the records.
(iv) SunCity Travel is subject to problems arising from the risk of fraud perpetrated by customers using stolen credit or debit cards or even cash. Whilst credit card companies may be liable for such frauds, attempts to use stolen cards can cause considerable inconvenience.
(v) There is a risk of fraud perpetrated by senior management who might seek to lower the amount of money payable to the central fund (and the company’s tax liability) by falsifying the company’s revenue figures, particularly if a large proportion of holidays are paid for in cash.
(vi) There is a risk that staff may seek to maximise the commission they are paid by entering false transactions into the computer system that are then reversed after the commission has been paid.
- Tags: Corporate Governance, Error Risk, Fraud Risk, Internal Audit
- Level: Level 2
- Topic: Fraud and Error
- Uploader: Samuel Duah