AICPA guide clarifies fraud responsibilities in KPMG assurance work
Fraud responsibilities change by engagement type, and that line is where KPMG teams are most exposed when clients expect more detection than the work is designed to provide.

Where the responsibility starts, and where it stops
The AICPA’s fraud refresher lands on a pressure point KPMG teams know well: client complexity is rising, automation is expanding, and red flags are easier to miss when deadlines squeeze the work. The core message is simple but easy to blur in practice, especially when the same engagement team is expected to do more with less. Fraud is always serious, but the practitioner’s responsibility depends on the type of engagement, and that distinction is where judgment, documentation, and client communication matter most.

In preparation and compilation work, the practitioner is not performing an assurance role. That means the work is not designed to uncover every misstatement or hidden wrongdoing, even if management or other stakeholders may act as though it should. For KPMG staff, this is the first fault line to watch: if the engagement letter, scope discussion, or follow-up conversations create the impression that the team is providing fraud detection assurance, the gap between expectation and obligation can become a liability issue later.

What changes in a review engagement
Review engagements sit in the middle, but they are not a soft version of an audit. Under the AICPA’s guidance, the accountant is expected to make inquiries about actual, suspected, or alleged fraud. That requires more than routine box-checking. It means listening carefully to management responses, noting inconsistencies, and pushing for clarification when explanations do not line up with what the team sees in the numbers or in the client’s control environment.
For managers, this is also where documentation becomes protection. If a client later claims the team ignored warning signs, the file needs to show what was asked, what was answered, and why the response was accepted or escalated. In busy season, when reviews can be compressed into tight turnaround windows, those small discipline points are often what separate a clean engagement from an avoidable dispute.

Why audits carry the heaviest burden
In audits, the obligation is stronger still. The Public Company Accounting Oversight Board says fraud consideration is an integral part of the audit and begins at the earliest stages of engagement acceptance or retention, then continues through planning, risk assessment, response, and evaluation of results. That matters because fraud is not something auditors are supposed to think about only after a problem appears. It is built into the work from the start, including the decision to take on or keep the client.
The PCAOB’s AS 2401 also frames communications about fraud to management, the audit committee, and others, which raises the stakes for how concerns are documented and escalated. AS 2301 adds that responses to assessed risks of material misstatement, particularly fraud risks, should involve professional skepticism and the use of unpredictability in audit procedures. In practical terms, that means teams cannot just repeat prior-year testing on autopilot and call it sufficient. If the risk profile shifts, the response has to shift with it.

The practical friction points inside KPMG teams
This is where real engagements get messy. A client with automated controls, dense data flows, and a lot of reliance on technology can create a false sense of comfort if the team assumes systems will surface fraud on their own. The AICPA refresher is a reminder that technology can support detection, but it does not replace critical thinking about what the evidence means, what management may be hiding, or where the procedures need to go deeper.
For KPMG professionals, that has direct implications for day-to-day behavior. New staff need to understand early that fraud awareness is part of routine engagement discipline, not a once-a-year training module. Senior associates and managers need to be alert to the places where pressure builds: compressed deadlines, aggressive client expectations, and the temptation to treat red flags as noise if they do not fit the planned work. Those are exactly the conditions where judgment slips and file quality can erode.

Documentation, escalation, and the expectations gap
The biggest risk is not always that fraud is missed. It is that the team and the client are operating from different assumptions about what the engagement should catch. Preparation and compilation work are not assurance engagements, review work requires targeted inquiry, and audits require a designed response to fraud risk. If that distinction is never made clearly, the client may expect a level of detection that the engagement was never intended to provide.
Strong engagement-letter language helps, but so does repeated communication during the work itself. When a suspicious transaction, weak control, or inconsistent explanation appears, the issue should be documented in plain terms, escalated through the right review channels, and discussed with the client at the right level. If necessary, that includes the audit committee and management, consistent with the fraud communications contemplated in AS 2401. That kind of discipline protects both the firm and the professionals doing the work.

Why KPMG’s forensic lens matters here
KPMG’s own fraud and forensic materials point in the same direction: AI and advanced data analytics can help identify and manage risks, enhance compliance, and prevent fraud and misconduct, but those tools are aids to judgment, not substitutes for it. The firm also says effective internal control over financial reporting helps safeguard assets from fraud or significant loss. That is a useful reminder for assurance teams because the strongest fraud response is rarely a single test or a single system. It is the combination of controls, skepticism, analytics, and escalation.
That combination matters increasingly as KPMG markets technology-enabled assurance and forensic capabilities. The more automated the client environment becomes, the more important it is to understand where automation ends and professional responsibility begins. Tools can flag anomalies, but they cannot decide whether a pattern is benign, whether management’s explanation holds up, or whether the evidence supports a deeper response.

What the standards are signaling next
The PCAOB is also actively reviewing whether AS 2401 should be revised to better align auditor responsibilities with recent developments in practice. That is a signal to the market that fraud expectations are not standing still. Firms that treat fraud procedures as static are likely to fall behind both the standard setter and client reality, especially as technology changes the way risks appear and the way evidence is tested.
For KPMG professionals, the practical takeaway is clear. Fraud responsibility is not solved by a control environment, a dashboard, or a model. It rests on knowing which engagement you are in, what assurance you are actually providing, and when a warning sign needs to move from observation to action. In a firm where promotion cycles reward judgment, consistency, and trust, that is not just a compliance issue. It is a core test of assurance work itself.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.