I would start by saying that the risk is not only the risk of fraud; it's also the risk of error, and it's really an assessment of how good are the management controls in place to ensure that the financial reporting is as accurate as possible.
So we would look in certain systems and basically ask what could go wrong--either deliberate or accidental--and then at what controls are in place either to prevent it or to detect if something has happened. Then we would test those controls to see if they are actually functioning as planned.
The question of fraud has actually evolved quite a bit over the last five years or so. In the auditing profession we used to have an assumption that management was acting in good faith. You went into an audit with that almost as accepted practice. Since some of the very large scandals in the U.S., and I would say since Enron, basically, that assumption has gone.
So auditors now have a responsibility to not give any bias, if you will, one way or another as to how management will act, and we have to probe senior management about fraud. We have to ask audit committees and boards of directors about fraud. Are they looking at the procedures that are in place? Have there been cases uncovered? What have they done in these cases?
It is a much more extensive audit and investigation than used to be done in the past, though I think every auditor will tell you that an audit will not necessarily uncover fraud, and that is not the main purpose of an audit. But we certainly have to do much more work under standards now than we ever had to in the past. This has been a change that I think has come in largely because of large corporate scandals and events in the U.S. in particular.