Expanded Guidance for Auditor Fraud Detection Responsibilities

By Donald K. McConnell, Jr., and George Y. Banks

In Brief

Understanding and Using the New Standard

This article summarizes the provisions of SAS No. 99, Consideration of Fraud in a Financial Statement Audit, which is effective for audits of financial statements for periods beginning on or after December 15, 2002, with an emphasis on the newly introduced provisions.

The most noteworthy changes in the new standard are as follows:

When the Auditing Standards Board (ASB) issued SAS 82, Consideration of Fraud in a Financial Statement Audit, in 1997, it committed to monitoring the effect of that standard on practice and to assessing the need for further guidance. A Fraud Task Force was formed in September 2000 to make that assessment. The task force considered recommendations and input from the Fraud Research Steering Task Force, external auditors, internal auditors, forensic accountants, regulators, academic researchers, and the POB Panel on Audit Effectiveness (O’Malley Panel). The task force recommended greater focus on the roles of the external auditor, management, audit committees, and regulators in combating, detecting, and preventing fraud.

The ASB responded by issuing SAS 99, also titled Consideration of Fraud in a Financial Statement Audit, in October 2002. It provides more definitive auditing standards, intended to improve auditor performance and thereby increase the likelihood that auditors will detect fraudulent financial reporting.

Fraud Defined

Auditors focus on activities that result in materially misstated financial statements. Intent determines whether such activities are fraudulent or due to error. Two types of misstatements are relevant to auditors’ consideration of fraud: those arising from fraudulent financial reporting, and those arising from misappropriation of assets.

In addition to incentives, pressures, and opportunities, many forensic auditors consider rationalization a key element: Some persons’ attitudes or ethical values allow them to knowingly and intentionally perpetrate fraud. Furthermore, even fundamentally honest persons can rationalize committing fraud under intense pressure. The ASB revised the fraud risk factors from SAS 82, which are now presented in an appendix to SAS 99, and categorized them by the three characteristic fraud conditions: incentives and pressures, opportunities, and attitudes and rationalizations. Exhibit 1 and Exhibit 2 highlight significant changes to those SAS 82 fraud risk factors.

Required Audit Team Discussions

SAS 99 requires audit engagement team discussions of fraud susceptibilities and reiterates the importance of professional skepticism. The O’Malley Panel concluded that GAAS provides insufficient guidance for implementing the concept of professional skepticism and that auditors don’t always adequately pursue conditions noted during an audit or adequately corroborate management representations. In SAS 99, the ASB admonishes auditors to set aside previous beliefs about management honesty and integrity, regardless of past experience with an entity. In gathering and evaluating evidence, auditors should not be satisfied with less than persuasive evidence that management is honest.

Obtaining information to identify risks of material misstatement due to fraud. SAS 99 requires auditors to gather a broad range of information as input for identifying material areas of fraud risk. In addition to considering the fraud risk factors, auditors must now inquire of management and others in order to identify fraud risks, consider the results of analytical procedures performed in the planning phases, and consider other information helpful in identifying risks of material fraudulent misstatement. Furthermore, SAS 99 indicates auditors should use management inquiry as a means for identifying material fraud risk factors.

The basic premise of the inquiry process is that forensic auditors often find that individuals are more likely to provide valuable information when directly questioned about fraud, rather than voluntarily coming forward with such information. An auditor should inquire about the following:

When making such inquiries, auditors should realize that management is often in the best position to perpetrate fraud, and use professional judgment in determining whether corroborating responses are necessary. Auditors should obtain additional evidence to resolve any inconsistencies in responses, as well as make inquiries of audit committees, internal auditors, and others that might have information helpful in identifying fraud risks.

Under the Sarbanes-Oxley Act of 2002, audit committees must establish procedures for receipt, retention, and treatment of complaints regarding accounting, internal controls, or auditing matters. Consequently, auditors should obtain an understanding of how the audit committee exercises fraud oversight, and must directly ask the audit committee, or its chair, about fraud risks or knowledge of actual or suspected fraud. Internal auditors should be asked about procedures performed during the year to identify or detect fraud, and the adequacy of management’s responses to such procedures. Finally, auditors should inquire of individuals outside of financial reporting areas about the existence or suspicion of fraudulent activities. These inquiries might serve to corroborate management responses, and may provide information regarding possible management override of controls, or information that is useful in evaluating the effectiveness of management’s policies regarding ethical behavior. Auditors might also make inquiries of employees in various management levels; of in-house and legal counsel; and of persons involved in initiating, recording, or processing complex or unusual transactions. Additional evidence should be obtained to resolve any inconsistent responses to inquiries.

SAS 99 states that auditors should ordinarily presume the risk of material misstatement due to fraud with regard to revenue recognition and should perform analytical procedures related to revenue accounts.

In addition, auditors can identify risks of material misstatement due to fraud through measures such as audit engagement team discussions. Procedures relating to a client’s acceptance and continuation decisions and identified inherent risks can provide further useful information. Reviews of interim financial statements can also be relevant in identifying fraud risks because interim statements provide unique opportunities for fraudulent financial reporting.

Incentives and pressures can give rise to risk of material fraudulent misstatements apart from those previously described. Even absent specific fraud risks, auditors should consider the possibility that management might override controls and evaluate that risk without regard to other conclusions or previous experience. Auditors should ascertain whether identified fraud risks are pervasive to the financial statements or related to specific account balances, transaction classes, or assertions. This determination should help an auditor when designing appropriate testing procedures.

Assessing Identified Fraud Risks

In obtaining an understanding of internal controls for planning the audit, auditors should determine whether management has established programs and controls addressing identified fraud risks, and whether such programs and controls are both suitably designed and operating effectively. The auditor should also consider whether such programs and controls mitigate, or exacerbate, fraud risks. SAS 99 requires the auditor to assess risk of material misstatement due to fraud after evaluating the suitability of design and operation of entity programs and controls addressing such risk. The auditor should then consider this assessment in developing an appropriate audit response to each identified material fraud risk not effectively mitigated by entity programs and controls.

Responding to results of the fraud risk assessment. SAS 99 includes extensive examples of appropriate responses to fraud risks (see Exhibit 3 for some conditions that affect the auditor’s risk assessment). Auditors may elect to withdraw from an engagement if designing auditing procedures that sufficiently address the risk of material fraudulent misstatement is impracticable.

Overall responses to risks of material misstatement. An auditor might respond to identified risks of fraudulent misstatement by assigning forensic or information technology specialists to the engagement. Additionally, an auditor should consider whether client accounting principles and policies, considered collectively, create a possible bias leading to material misstatement. Finally, an overall response to fraud risk factors should incorporate forensic elements. Although the O’Malley Panel recommended adding a forensic fieldwork phase to audits, the ASB chose to recommend application of selected forensic procedures whose purpose would be to disrupt and limit the ability to predict audit work. Examples include performing substantive tests of selected accounts or assertions not normally tested due to immateriality or perceived low risk.

Responses involving nature, timing, and extent of procedures to address identified risks. An auditor might change the nature of testing to obtain more reliable evidence or additional corroborative information from external sources, including public-record information about key customers, vendors, or counterparties to a major transaction. SAS 99 also suggests using computer-assisted audit techniques to gather more extensive evidence. Timing issues might involve performing substantive testing at or near the end of the reporting period, because fraud risk concerns might render ineffectual the extension of interim testing conclusions to year-end. Additional considerations include increasing sample sizes or performing analytical procedures using disaggregated data (such as comparing gross profit by locations, product lines, or months to auditor-developed expectations).

Where potential improper revenue recognition schemes raise the risk of material misstatement due to fraud, an auditor might consider the following items:

SAS 99 also introduces the following considerations:

If identified risks of material fraudulent misstatement regarding inventories are found, the following steps should be considered:

Furthermore, SAS 99 suggests following up physical inventory counts with procedures directed toward inventory quantities, such as comparing quantities for the current period to prior periods by inventory category or location. Computer-assisted techniques can be used to further test inventory count compilations, such as a sort by tag number to test tag controls.
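The two computer-assisted follow-ups described above can be sketched as follows. This is an added example, not taken from SAS 99 or from the authors: it sorts a count compilation by tag number to find missing, duplicated, and unissued tags, then compares quantities by location and category with the prior period. The record layout, the issued tag range, and the 25 percent threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data; the record layout is an assumption for this example.
# (tag_number, location, category, quantity)
COUNT_COMPILATION = [
    (1001, "DAL", "raw", 400),
    (1002, "DAL", "raw", 380),
    (1004, "DAL", "finished", 150),   # tag 1003 never came back
    (1005, "HOU", "finished", 900),
    (1005, "HOU", "finished", 900),   # same tag compiled twice
    (1006, "HOU", "raw", 210),
    (2050, "HOU", "raw", 75),         # tag outside the issued range
]
ISSUED_TAGS = range(1001, 1008)       # tags 1001..1007 were issued (assumed)
PRIOR_QTY = {                         # prior-period quantities (constructed)
    ("DAL", "raw"): 760, ("DAL", "finished"): 160,
    ("HOU", "raw"): 300, ("HOU", "finished"): 850,
}

def check_tag_controls(rows, issued):
    """Sort the compilation by tag number and report control exceptions."""
    tags = sorted(row[0] for row in rows)
    counts = Counter(tags)
    issued_set = set(issued)
    return {
        "missing": sorted(issued_set - set(tags)),
        "duplicates": sorted(t for t, n in counts.items() if n > 1),
        "unissued": sorted(set(tags) - issued_set),
    }

def quantity_variances(rows, prior, threshold=0.25):
    """Flag location/category totals that moved more than `threshold`
    against the prior period, or that have no prior-period base."""
    current = defaultdict(int)
    for _tag, location, category, qty in rows:
        current[(location, category)] += qty
    flagged = []
    for key in sorted(set(current) | set(prior)):
        cur, old = current.get(key, 0), prior.get(key, 0)
        if old == 0:
            if cur:                   # new location or category this period
                flagged.append((key, old, cur, None))
            continue
        change = (cur - old) / old
        if abs(change) > threshold:
            flagged.append((key, old, cur, change))
    return flagged

if __name__ == "__main__":
    print(check_tag_controls(COUNT_COMPILATION, ISSUED_TAGS))
    for key, old, cur, change in quantity_variances(COUNT_COMPILATION, PRIOR_QTY):
        print(key, old, cur, change)
```

In the constructed data the duplicated tag and the quantity variance point at the same location and category, which is why the two tests are worth running together.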

If an auditor has identified risks of material misstatement related to the misappropriation of assets, the scope of testing must be linked to the specific information and the specific account or class of transactions. Where certain assets are highly vulnerable to defalcation in material amounts, an auditor might obtain an understanding of relevant prevention and detection controls and test their effectiveness. For example, the physical inspection of cash or securities at or near year-end might be appropriate.

Responses to risk of management override. Even when controls appear to be operating effectively, management can direct employees to help perpetrate fraud. SAS 99 requires auditors to examine both standard and nonstandard journal entries, review accounting estimates for biases, and evaluate business rationale for significant unusual transactions.

In examining journal entries and other adjustments for risk of material fraudulent misstatement, an auditor should obtain an understanding of controls over journal entries and other adjustments, identify and select such entries for testing, and determine the timing of testing. An auditor should obtain an understanding of the entity’s financial reporting process, including identification of the type, number, and usual monetary value of journal entries and other typical adjustments. He should also determine who can initiate such entries, what approvals are required, and how journal entries are recorded. An entity may have specific journal entry controls, such as preformatted account numbers and automatically generated exception reports of unsuccessful attempts to make entries outside of established parameters. Auditors should understand such controls and determine whether they are suitably designed and operated.

In testing journal entries and other adjustments, the identification of fraud risk factors may help auditors identify specific types of journal entries that require testing. Both routine transactions and the processing of journal entries and other adjustments may involve a combination of manual and automated procedures and controls. Auditors should inspect the general ledger, whether manual or electronic, to identify journal entries for testing and examination of support. Where journal entries and other adjustments exist only in electronic form, information technology experts may be needed to extract desired data. Similarly, computer-assisted audit techniques may be needed to identify the journal entries to be tested. Additionally, while standard journal entries to record routine transactions are normally subject to a company’s internal controls, this might not be the case for nonstandard journal entries such as for business combinations or asset impairment entries, or for consolidating adjustments, report combinations, or reclassifications, which are generally not reflected in formal journal entries. Additional emphasis should be placed on identifying and testing such items outside of the normal course of business. Auditors should recognize that even though controls over journal entries might be operating effectively, audit procedures should include the identification and substantive testing of specific items: Although many auditors scrutinize nonstandard journal entries, SAS 99 requires testing standard journal entries and other adjustments to the financial statements.

The testing of journal entries should usually be concentrated at the end of the reporting period, because fraudulent journal entries or other adjustments typically occur then. Nevertheless, the 1999 COSO Report stated that many frauds are initiated in quarterly 10-Q forms, often in relatively small initial amounts, with amounts increasing over approximately two fiscal years. Consequently, auditors should consider testing journal entries throughout the audit period.
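One way to turn the journal-entry considerations above into a computer-assisted selection, shown as an added example that is not part of SAS 99 or the original article. It targets entries by the attributes the text names (period-end timing, who initiated the entry, approval, nonstandard type, unusual amount) and also draws a sample of the remaining standard entries from the whole period. The field names, the authorized-initiator list, the five-day close window, the amount threshold, and the treatment of self-approval as an exception are assumptions.

```python
import random
from datetime import date

# Assumed parameters, drawn from the auditor's understanding of the entity.
PERIOD_END = date(2002, 12, 31)
CLOSE_WINDOW_DAYS = 5
AUTHORIZED_INITIATORS = {"gl_clerk1", "gl_clerk2", "controller"}
USUAL_MAX_AMOUNT = 50_000

# Constructed general ledger extract; field names are hypothetical.
JOURNAL = [
    {"id": "JE-0101", "date": date(2002, 3, 14), "user": "gl_clerk1",
     "approver": "controller", "type": "standard", "amount": 12_000},
    {"id": "JE-0417", "date": date(2002, 6, 29), "user": "gl_clerk2",
     "approver": "controller", "type": "standard", "amount": 48_000},
    {"id": "JE-0630", "date": date(2002, 9, 30), "user": "cfo",
     "approver": None, "type": "nonstandard", "amount": 75_000},
    {"id": "JE-0988", "date": date(2002, 12, 30), "user": "gl_clerk1",
     "approver": "controller", "type": "standard", "amount": 9_500},
    {"id": "JE-0991", "date": date(2002, 12, 31), "user": "controller",
     "approver": "controller", "type": "nonstandard", "amount": 310_000},
]

def selection_reasons(je):
    """Return the reasons an entry is targeted for testing (empty if none)."""
    reasons = []
    # Entries in the close window, or posted after period end, are targeted.
    if (PERIOD_END - je["date"]).days <= CLOSE_WINDOW_DAYS:
        reasons.append("period_end")
    if je["user"] not in AUTHORIZED_INITIATORS:
        reasons.append("unauthorized_initiator")
    if je["approver"] is None or je["approver"] == je["user"]:
        reasons.append("approval_missing_or_self")
    if je["type"] != "standard":
        reasons.append("nonstandard")
    if je["amount"] > USUAL_MAX_AMOUNT:
        reasons.append("unusual_amount")
    return reasons

def select_for_testing(journal, sample_size=1, seed=99):
    """Targeted entries plus a random sample of the untargeted remainder,
    so standard entries throughout the period are also tested."""
    targeted, remainder = {}, []
    for je in journal:
        reasons = selection_reasons(je)
        if reasons:
            targeted[je["id"]] = reasons
        else:
            remainder.append(je["id"])
    rng = random.Random(seed)  # fixed seed keeps the selection reproducible
    sampled = rng.sample(remainder, min(sample_size, len(remainder)))
    return targeted, sorted(sampled)

if __name__ == "__main__":
    targeted, sampled = select_for_testing(JOURNAL)
    for je_id, reasons in targeted.items():
        print(je_id, reasons)
    print("sampled:", sampled)
```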

An auditor should carefully consider whether differences between management estimates and audit determinations, even if individually reasonable, indicate possible bias. If so, those estimates should be reconsidered in the aggregate, and retrospective reviews of significant prior-year estimates should be performed to find indications of possible bias, especially prior estimates based on assumptions that are highly sensitive or significantly impacted by management judgments. Such retrospective reviews should enable an auditor to identify possible bias in management’s current-year estimates.

Finally, an auditor should evaluate the business rationale for significant unusual transactions that are outside the normal course of business or otherwise atypical. An understanding of the business rationale—or lack thereof—may suggest such transactions have been consummated for purposes of engaging in fraudulent financial reporting or concealing misappropriated assets. An auditor should consider whether the following conditions exist:

Evaluating Audit Evidence

Auditors may be able to identify previously unrecognized risks of material fraudulent misstatement by performing analytical procedures as substantive tests or by performing required overall review stage analytics. Auditors must perform analytical procedures related to revenue recognition through the end of the reporting period, and should be particularly wary of uncharacteristically large amounts of income reported toward the end of the reporting period from unusual transactions, as well as income that is inconsistent with previous periods or with cash flow from operations. Additionally, some fraudulent activities might cause unexpected analytical relationships because perpetrators find themselves unable to manipulate related variables to create seemingly normal or expected relationships. Finally, auditors should evaluate whether responses to analytical procedure inquiries have been vague, implausible, or inconsistent with evidential matter obtained directly in the audit.

Near the end of fieldwork, an auditor should qualitatively evaluate whether accumulated evidence and observations affect the earlier assessment of the risk of material fraudulent misstatement. This evaluation may provide insight about whether additional or different audit tests are needed. The auditor with final audit responsibility should ascertain that appropriate communication regarding conditions or information indicative of material misstatement due to fraud occurred among audit team members throughout the audit.

If misstatements are or may be the result of fraud perpetrated by higher-level management but the effects are immaterial, an auditor should nevertheless reevaluate the initial fraud risk assessment because such misstatements might indicate other problems related to management integrity. Consequently, the auditor should consider how such findings affect the nature, timing, and extent of testing, and assess the effectiveness of controls where control risk had been assessed to be less than maximum.

If an auditor believes that a misstatement is or may be the result of fraud and has either determined that the effect could be material or has been unable to evaluate materiality, the next step is to investigate whether material fraud has occurred, then its effect on the financial statements and the auditor’s report. Additionally, an auditor should consider the implications for other aspects of the audit and discuss the matter and an investigative approach with management at least one level above those seemingly involved, as well as with senior management and the audit committee. If senior management might be involved, the matter should be addressed directly with the audit committee. The auditor might also suggest the client consult with legal counsel. Finally, the auditor might conclude that withdrawing from the engagement is necessary, if management and the board fail to take meaningful action.

Communicating possible fraud to management, the audit committee, and others. Auditors should bring investigations that reveal evidence of fraud to the attention of appropriate management, even inconsequential matters such as minor embezzlement by a low-level employee. Auditors should reach an understanding with the audit committee concerning communications in such cases. Any fraud causing material misstatement of the financial statements or involving senior management should be reported directly to the audit committee.

Where risks of material fraudulent misstatement have been identified, an auditor should consider whether those risks represent reportable conditions that require communication to senior management and the audit committee. Programs or controls that are absent or inadequate to mitigate fraud risks might represent reportable conditions as well. An auditor may also choose to communicate to the audit committee other risks identified in the fraud risk assessment, as part of the required communications, where relevant.

The auditor may have a duty to disclose confidential information externally to comply with legal and regulatory requirements, to answer a successor auditor’s inquiries under SAS 84, in response to a validly issued subpoena, or at the request of a funding or other specified agency in accordance with relevant requirements.

Documenting the auditor’s consideration of fraud. SAS 99 imposes significant new documentation requirements. Auditors should document the following information:

Practice Implications

SAS 99 requires auditors to approach engagements with professional skepticism, a questioning mind, and an awareness that fraud can occur anywhere and anytime, regardless of prior experience with a company.

Prior to SAS 99, audit fees were already increasing in response to rising professional liability insurance premiums and the increasing cost of auditing more expansive disclosures. The standard’s significant additional inquiries, procedures, and documentation requirements will generally expand engagement hours. Furthermore, because the Sarbanes-Oxley Act significantly increased audit committee responsibilities, many audit committee members anticipate more extensive discussions with their auditors concerning fraud risks, and more testing from auditors, especially in areas where fraud can occur. The Sarbanes-Oxley Act also imposes significant potential penalties upon management; for example, when management knowingly and willfully certifies 10-K or 10-Q forms containing material misstatements. Even seemingly mundane issues, such as providing representations, may now cause management to think twice. Consequently, ethical management may want—indeed welcome—greater auditor scrutiny of possible fraud risks.

Donald K. McConnell, Jr., PhD, CFE, CPA, is an associate professor of accounting at the University of Texas at Arlington.
George Y. Banks, CPA, is a partner in the Dallas office of Grant Thornton LLP and a member of the AICPA Quality-Control Inquiry Committee.

