Management Fraud Risk Factors: Ratings By Forensic Experts

By Barbara Apostolou, John M. Hassell, and Sally A. Webber

In Brief

Supplementing SAS Guidance with Forensic Insight

SAS 82, Consideration of Fraud in a Financial Statement Audit, identifies 25 risk factors within three categories that auditors should consider when assessing the risk of management fraud in a financial statement audit. But SAS 82 offers no guidance about how much weight or importance to place on the risk factors, meaning auditors’ judgments can vary widely.

The authors conducted a survey to determine how forensic experts weighted and ranked the importance of the 25 factors. Thirty-five experts from the Big Five provided data to produce a composite model of the importance of the factors. The result is a model that may provide auditors with useful guidance on evaluating the factors in assessing the risk of management fraud.

SAS 82, Consideration of Fraud in a Financial Statement Audit, sets the standards for auditors’ assessment of management frauds. Management is responsible for creating a system of internal control which provides reasonable assurance that financial statements are free from management fraud; the auditor is responsible for detecting fraud. In doing so, the auditor must assess the likelihood of management fraud and fraud risk separately from that of unintentional errors.

SAS 82 identifies 25 risk factors to guide the auditor in fulfilling its two requirements:

• Consideration of whether fraud risk factors are present; and
• Assessing the risk of material misstatement due to fraud and documenting a response.

The fraud risk assessment is not intended to be assessed at a level (e.g., high, medium, low), as may be the case with inherent or control risk. The fraud risk assessment evolves throughout the audit and the presence of a risk factor does not necessarily mean that fraud has occurred. Rather, the presence of the risk factor should produce an audit response. The risk factors in SAS 82 are intended to sensitize the auditor to the possibility of fraud and to heighten skepticism. Although SAS 82 specifically addresses both management fraud and employee fraud (asset misappropriation), management fraud is more likely to have a direct and material impact on the financial statements.

The 25 Management Fraud Risk Factors

Neither SAS 82 nor the related implementation guide offers any guidance about how to weight the importance of the 25 management fraud risk factors. Thus, auditors may interpret SAS 82 as indicating that all risk factors are equally important, whereas in a specific audit that is unlikely.

The 25 management fraud risk factors (summarized in Exhibit 1) fall within three categories:

• Management characteristics and influence over the control environment (hereafter, management characteristics);
• Industry conditions; and
• Operating and financial stability characteristics.

SAS 82 presents the risk factors with no indication about their relative importance in making the fraud risk assessment. To determine which of the risk factors were considered most important, the authors surveyed 35 forensic experts at four of the Big Five in an AICPA-sponsored research project. Their firms had identified them as the most experienced individuals in the field. Many held special certification in fraud, including the Certified Fraud Examiner (CFE) (see “Developing Fraud Expertise,” The CPA Journal, April 2001); all held the title of manager, partner, principal, or an equivalent.

Relative Importance of the Risk Factors

A mathematical model, the Analytic Hierarchy Process (AHP), provides a way to measure which factors the experts viewed as more important than others, if at all, through a defined set of factors.

The experts made a series of comparisons in two steps. First, they considered the three categories of management fraud risk factors in pairs. For each comparison, the experts indicated which category was more important than the other in making the management fraud risk assessment. In addition, they specified the magnitude of the importance on a nine-point scale (nine being most important). Second, the experts conducted a similar exercise with the individual risk factors within each of the three categories.

General Decision Model

The responses of each expert were consolidated using commercial software (ExpertChoice.com), which produced a general individual decision model. The decision model is general because it does not apply to any specific facts and circumstances; rather, it reflects the general assessments of relative importance of the risk factors without a specific context. The results of all experts were combined to produce one combined model.

Exhibit 2 presents the general combined decision model by averaging the 35 individual models. The risk factors in each category are ranked from most to least important, and the AHP produces weights that sum to 100%. The management characteristics category was rated most important, with 58.5%. The operating and financial stability characteristics category followed with a weight of 27.0%; the industry conditions category was least important at 14.5%. According to forensic experts, the management characteristics category is about four times as important as the industry conditions category and about twice as important as the operating and financial stability characteristics category.

The two most important individual factors, which accounted for over one-third of the relative importance, were—

• significant compensation tied to aggressive accounting practices (18.0%); and
• management’s failure to display an appropriate attitude about internal control (16.5%).

Individual Decision Models

Not surprisingly, not all of the experts had the same decision model. For example, without any specific facts and circumstances, three experts rated the three categories of factors equally, apparently believing that no one category should receive more (or less) consideration than another. Four experts weighted operating and financial stability characteristics as more important than the management characteristics, an outcome that differs from the combined decision model reported in Exhibit 2. Only one individual’s decision model weighted industry conditions as the most important factor category.

Within categories, two experts that had similar weights for the importance of management characteristics disagreed on the most important factor. One considered it to be “significant compensation tied to aggressive accounting practices” (38.6%), while the other thought it was “nonfinancial management’s influence over GAAP principles or estimates” (35.9%).

The individual decision model results indicate that most experts weighted the risk factor categories and risk factors similarly: management characteristics factors were the most important, operating and financial stability factors next, and industry conditions factors the least important. The individual decision models vary substantially, however, probably due to differing personal experiences.

Additional Risk Factors Identified

When asked which risk factors not included in SAS 82 they thought were important (and perhaps should be included in the management fraud risk assessment), the forensic experts identified nine risk factors, listed in Exhibit 3.

Of the seven additional factors related to management characteristics, most dealt with setting up the proper control environment. For example, one additional factor was “post-initial public offering transition period or a pattern of many recent acquisitions.” These situations usually involve changes in top management personnel and stress on internal control systems. The two additional factors were related to operating and financial stability characteristics: “significant e-commerce activities” and “risk of loss of intangibles.”

Practice Implications

The results of this study suggest that auditors should pay close attention to management characteristics risk factors, particularly when compensation packages are tied to aggressive accounting practices or when management fails to display an appropriate attitude toward internal controls (or fails to implement an appropriate control environment).

Although Exhibit 2 shows that weights for individual factors in the operating and financial stability characteristics category are relatively low, overall that category is important. Furthermore, as shown in Exhibit 3, forensic experts identified two additional risk factors associated with this category. The low weights should not cause auditors to neglect these factors when assessing the likelihood of management fraud. In any particular audit situation, most of these factors would have little or no relevance, and only a few might signal potential management fraud.

Similarly, although industry conditions factors received low weights from the experts, auditors must continue to assess them because they can indicate that other factors are present. For example, management in an industry that is declining or that has a high degree of competition or market saturation and declining margins may experience high turnover of senior management or adopt aggressive accounting practices that affect management compensation. Also, when a company encounters rapid changes in its industry and is vulnerable to changing technology and product obsolescence (an industry conditions factor), management may pay less attention to internal controls than the problems associated with rapid change.

Identifying the presence of risk factors is an essential first step and must be followed by careful consideration of the emphasis that should be placed on the risk factors to develop the required response. In addition, fraud is born of deceit, and specific combinations of risk factors may signal increased risk. The results of this study should help an auditor to “think like an expert,” at least in terms of the relative importance of the risk factors in SAS 82.