SAS 99 -- consideration of fraud in a financial statement audit: A revision of statement on Auditing Standards 82

Patrick A Casabona, Michael J Grego. Review of Business. Jamaica: Spring 2003. Vol. 24, Iss. 2;  pg. 16, 5 pgs

Subjects:

Self regulation,  Statements on auditing standards,  Fraud,  Public companies,  Auditing profession

Classification Codes

4310 Regulation,  9190 United States,  4130 Auditing,  8305 Professional services not elsewhere classified

Locations:

United States,  US

Companies:

American Institute of Certified Public Accountants (NAICS: 813920 ) ,  Auditing Standards Board

Author(s):

Patrick A Casabona,  Michael J Grego

Article types:

Feature

Publication title:

Review of Business. Jamaica: Spring 2003. Vol. 24, Iss. 2;  pg. 16, 5 pgs

Source Type:

Periodical

ISSN/ISBN:

00346454

ProQuest document ID:

327542211

Text Word Count

3845

Article URL:

http://gateway.proquest.com/openurl?ctx_ver=z39.88-2003&res_id=xri:pqd&rft_val_fmt=ori:fmt:kev:mtx:journal&genre=article&rft_id=xri:pqd:did=000000327542211&svc_dat=xri:pqil:fmt=text&req_dat=xri:pqil:pq_clntid=16941

 More Like This  »Show Options for finding similar articles

Abstract (Article Summary)

Full Text (3845   words)

Introduction

Much attention has recently been focused on both the fraud committed by business executives (who have the primary responsibility for their company's financial statements) and on the public accounting firms who failed to detect and report the fraud. Because these fraudulent activities have occurred in some of the largest companies in the United States, they have caused a loss of public confidence in audited financial statements, and have created the need to reconsider the procedures performed to uncover fraud in current and future financial statement audits. To meet this need and to serve as the cornerstone of its anti-fraud program, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standard (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, which supersedes SAS No. 82 (which has the same title). SAS No. 99 enhances the accounting profession's most decisive steps in combating fraud. Although the auditor's responsibility for detecting fraud has not changed from SAS 82, the new standard provides more guidance on how the auditor should plan and perform the audit to obtain reasonable assurance about whether or not the financial statements contain material misstatements because of errors or fraud. The objectives of this paper are to explain the major requirements of SAS No. 99, and to discuss its impact on financial statement audits.

Background

The ASB issued SAS No. 82 in 1997. It provided guidance on the consideration of material fraud in a financial statement audit That same year, the ASB commissioned research on SAS 82, to study the impact of the standard on practice to determine if further modifications and enhancements were necessary. In August 2000, the Panel on Audit Effectiveness, appointed by the Public Oversight Board, called for changes in the standard. In addition, the International Audit Practices Committee (IAPC) of the International Federation of Accountants issued a revised International Standard on Auditing (ISA 240) in the spring of 2001, which not only incorporated many of the concepts in SAS No. 82 but also provided additional guidance.

The AICPA's Fraud Task Force, which was formed in September 2000, directed the ASB to consider revising SAS No. 82 based on academic research, recommendations from the accounting profession, and recommendations provided by other financial reporting stakeholders. It also instructed the task force to be sensitive to international developments and the long-term need to work toward global audit standard-setting solutions. This initiative of the ASB and its Fraud Task Force is part of a broader AICPA program to address the growing concerns about fraudulent financial reporting. The new SAS 99, resulting from this initiative, clarifies and focuses auditing guidance to increase auditor effectiveness in reducing fraud.

Fraud Risk Factors'

SAS 99 describes and classifies three key risk factors related to fraud:

1. incentive/pressure to perpetrate a fraud,

2. opportunity to carry out the fraud, and

3. attitude/ability to rationalize the fraudulent action.

Incentive/pressure to perpetrate a fraud. Such incentives or pressures may result when financial stability or profitability is threatened by economic, industry, or entity operating conditions. Examples of such incentives include: a high level of competition or market saturation with declining profit margins; vulnerability to rapid changes in technology, product obsolescence, or interest rates; sharp declines in product demand and increases in business failures in the industry or economy; operating losses that increase the probability of bankruptcy or hostile takeover; recurring low or negative cash flows from operations, coupled with positive reported earnings or growth in earnings; profitability levels that are unusual when compared to that of other companies in the same industry; and new accounting, statutory, or regulatory requirements. Incentives to commit fraud can also result when excessive pressure exists for management to meet profitability expectations of analysts, investors, and other external parties; the need for additional financing to remain in business; inability to meet current covenant requirements; and when the personal net worth of management is threatened by the entity's poor financial performance.

Opportunity to carry out the fraud. The nature of the industry or the entity's operations may provide opportunities to engage in fraudulent financial reporting. These opportunities can arise from: significant related party transactions outside the normal course of business; financial statements that include many significant accounting estimates, subjective judgments, and/or uncertainties; significant, unusual, or complex transactions; significant international operations with different business environments/cultures or in tax havens without a business purpose. Other opportunities to commit fraud arise when there is ineffective monitoring of management (as a result of either the domination of management by a single person or small group of people without compensating controls, or an ineffective board of directors or audit committee that provides oversight over the financial reporting process and internal control), when there is a complex or rapidly changing organizational structure, and when there is inadequate monitoring of controls, ineffective accounting or internal audit staff, or ineffective accounting and information systems.

Attitude/ability to rationalize the fraudulent action. This may be present when: there is ineffective communication and support by management of the entity's ethical values; management communicates inappropriate values or ethical standards; there is a history of violations of laws and regulations; management is extremely interested in stock prices and aggressive earnings growth rates; and there is a failure to correct internal control deficiencies and/or inappropriate accounting.

Such rationalization risk factors as described above may not be susceptible to observation by the auditor. Nevertheless, the auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting.

Appendix A of SAS 99 also presents additional examples related to the above for financial reporting and also for misappropriation of assets. If one or more risk factors exist auditors need to respond accordingly by increasing their audit procedures to detect fraud.

Overview of the Major Provisions of SAS No. 99

The new standard does not change the auditor's basic responsibility under SAS 82, which is to plan and perform an audit to obtain rep sonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. The new standard does, however, contain additional tools and provides more specific guidance and requirements to assist auditors in meeting their responsibility as it relates to fraud in financial statement audits.

The new standard will result in a greater emphasis on professional skepticism, a partner-led discussion of fraud assessment with all of the members of the audit engagement team as part of the planning process, and additional procedures to obtain information needed to identify the risks of material misstatement due to fraud, including inquiries of management and others, and analytical procedures.

Additional analytical reviews of revenue during planning will also be necessary, as well as the new presumption that revenue recognition should be considered a fraud risk in all financial statement audit engagements. The fact that revenue recognition is a new category of fraud risk requires auditors to perform additional procedures to understand revenue recognition transactions, especially if they are complex and unusual.

Finally, the new statement will require the need to perform additional procedures to understand how controls can be overridden by management, and the process for recording journal entries. Obviously, these new rules expand the scope of audit work to include additional control and substantive testing, and will require additional time and effort on every engagement Therefore, auditors will need to set the stage with their clients as to the level of and impact of the additional work and the need for additional fees.

Professional Skepticism and Discussions Among Engagement Team Regarding Risk2

Overall, SAS 99 calls for increased partner involvement in the planning process, and a greater emphasis on professional skepticism. As mentioned above, one of the new required procedures of this new standard is a fraud discussion among all engagement team members. This is a partner-led discussion among all of the key audit team members, including specialists and key professionals, focusing on the susceptibility of the client's financial statements to material misstatement due to fraud. The discussion needs to include the perspectives and insights of the audit partner(s) involved regarding the client's industry and how its business is operated. Discussions should address the factors that may create incentives or pressures to commit fraud (i.e., compensation and bonus incentives, market or competitive pressures, etc.) and to what extent they exist for each client, and the opportunities that exist for a fraud to be perpetrated (i.e., internal control deficiencies or management ability to override controls), and whether the clients environment allows for the rationalization of the fraud. The discussions should also emphasize the importance of an appropriate level of professional skepticism, which includes a questioning mind and a critical assessment of audit evidence. This is because the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity or the auditor's belief about management's honesty and integrity. The fraud discussion should emphasize the need for professional skepticism throughout the audit engagement and should lead the audit team members continually to be alert for information or other conditions that indicate that a material misstatement due to fraud may have occurred.

In obtaining information needed to identify risks of material misstatement due to fraud, there should also be a partner/manager discussion with the clients management, the audit committee and others (i.e., internal audit team, legal council, and other personnel not directly involved in financial reporting). The auditor should make inquiries of management and others within the client's entity to obtain their views about the risks of fraud (and whether they are aware of any fraudulent activities that have occurred in the firm) and how they are addressed (as discussed in paragraphs 20-27 of SAS 99). Auditors can provide management with their fraud risk assessment prior to their meeting, as well as sharing additional concerns with them at the meetings. It is also important to have people with the appropriate level of experience leading these discussions. Additionally, if engagement risk is greater than normal, the audit engagement team should consider involving a forensic auditor in the fraud discussion meeting. Forensic auditors provide an in-depth perspective of how and why a fraud may be perpetrated, and will raise the level of professional skepticism within the engagement team.

Additional Preliminary Analytical Procedures3

Another new required procedure of SAS 99 is the performance of preliminary analytical procedures to identify unusual or unexpected relationships surrounding revenues. These relationships may be indicative of a material misstatement due to fraudulent financial reporting. Although auditors traditionally perform preliminary analytical review procedures in every financial statement audit engagement, such analytical procedures generally use data aggregated at a high level. Therefore, the results of those analytical procedures only provide a broad initial indices tion about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during the planning stage should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud. Under the new standard, auditors will need to review on a more detailed level, and focus on revenue recognition transactions occurring at year-end, and on identifying unusual or complex transactions. For example, an auditor should compare revenues recorded by month in the current year compared to prior years, and review for unusual or unexpected differences. Also, an auditor could compare gross margins on a monthly or quarterly basis against the same periods in the prior year, and be cognizant not only of trends and ratios that were expected to remain consistent, but also ones they would expect to change that did not Other analytical procedures that would be helpful are comparisons of the clients profitability, bad debt expense, and inventory and accounts receivable turnover ratios with industry averages to identify unexplained relationships.

Some Comments on Revenue Recognition as Fraud Risk4

According to the new standard, improper revenue recognition is presumed to be a fraud risk for all industries and for all companies. Therefore, audit engagement teams should consider how fraudulent revenue recognition may occur and, based on such assessment, tailor the audit procedures to address the specific identified risk related to revenue recognition or document how and why the presumption of a specific identified risk has been overcome.

Since revenue recognition often is dependent on the particular facts and circumstances surrounding the transaction, as well as the accounting principles used to record the revenue for a particular industry, the auditor should develop auditing procedures based on an understanding of the entity and its environment, including the composition of revenues, specific aspects of the revenue transactions, and unique industry considerations. If there is an identified risk of material misstatement due to fraud related to improper revenue recognition, the auditor should consider performing substantive analytical procedures using disaggregated data, for example, comparing revenue reported by month and by product line or business segment during the current reporting period with comparable prior periods. The auditor should also confirm with the clients customers that all of the criteria for recognizing revenue have been satisfied. Additional procedures should also be performed to test the appropriateness of revenue recognized from transactions occurring near year end, especially to determine if there are any unusual terms or conditions. Finally, for those situations for which revenue transactions are electronically processed, the auditor will need to test controls to determine whether they provide assurance that recorded revenue transactions occurred and are properly recorded.

Audit Responses to the Assessment of Risks5

The auditor's response to the assessment of the risks of material misstatement of the financial statements due to fraud is influenced by the nature and significance of the risks identified as being present, and the entity's programs and controls that address these identified risks. The auditor should respond to risks of material misstatement due to fraud in one of three ways: a response that has an overall effect on how the audit is conducted, a specific response to identified risks involving the nature, timing, and extent of the auditing procedures to be performed, and a response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls, given the unpredictable ways in which such over-ride can occur.

The auditor should respond to risks that have an overall effect on how the audit is performed with increased professional skepticism, to ensure the sufficiency and reliability of the audit evidence and additional corroboration. The personnel or specialists assigned to the audit engagement should have a level of skill commensurate with the assessed risk. This may require the assignment of additional or more experienced personnel to the engagement The auditor should also review the overall application of accounting principles and any resulting biases detected. In this respect, the auditor must consider whether the accounting principles and policies adopted by management, individually or collectively, create a material misstatement of the financial statements. Finally, the auditor should add an element of unpredictability in the selection of audit procedures from year to year. (i.e., sampling methodology, timing, locations, etc).

In response to specifically identified risks, the auditor may modify the nature, timing, and extent of both substantive tests and tests of controls. The nature of auditing procedures may be changed to obtain evidence that is more reliable. The timing of a substantive balance test may be moved from an interim date to period-end, to be more effective. The extent of the procedures applied may be increased by using larger sample sizes. Examples of such modifications include: performing procedures at locations on a surprise or unannounced basis; requesting inventory counts closer to period-end to minimize the risk of irregularities; performing substantive analytical procedures using disaggregated data (as described earlier), etc.

Procedures to Address the Risk of Management Override of Controls6

SAS No. 99 requires additional procedures for every audit to address the risk of management's override of controls. The new procedures include testing authorization and approval of journal entries, as well as an examination of journal entries and other adjustments for evidence of possible material misstatement due to fraud. Management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise would be operating effectively. Note that if the auditor concludes that, in a particular circumstance, the performance of additional procedures to specifically address the risk of management override of controls is unnecessary, the reasons supporting the auditor's conclusion should be documented.

The procedures that are used to address the risk of management override of controls should include an identification, examination, and understanding of the type, number, monetary value, and sources of journal entries and other adjustments made in preparing the financial statements, including entries made to unrelated, unusual or seldom used accounts. In addition, the auditor must understand entries recorded at year-end that are not fully explained, entries that are not linked to general ledger account numbers, entries that are rounded off, etc. The auditor should also focus on journal entries related to complex or unusual transactions, significant estimates, and entries made at the end of the reporting period. In acquiring the necessary level of understanding of these potential problem areas, the auditor should also make additional inquiries, as necessary, outside of the normal business channels.

SAS No. 99 also requires the auditor to evaluate accounting estimates for management bias using retrospective look-back procedures. Auditors should consider whether differences in current estimates indicate a management bias and, if so, the impact on their consideration of the estimates taken as a whole. It is also necessary to do a retrospective review of significant estimates reflected in the prior years financial statements (i.e., sales returns and allowances, accounts receivable allowances, inventory reserves, asset valuations, contingencies, etc.) and assess whether the judgments and assumptions indicate any bias. The auditor should then apply the information obtained from the look-back analysis in his or her assessment of any bias in the current year estimates. If a bias is identified, the auditor will need to assess whether it represents a risk of material misstatement due to fraud. The auditor should also evaluate the business rationale for significant unusual transactions, and understand the business reasons for each transaction.

Evaluating Audit Evidence7

The auditor's assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit. Conditions may be identified during fieldwork that change or support a judgment regarding the assessment of the risks, such as: discrepancies in the accounting records, conflicting or missing evidential matter, and problematic or unusual auditor/client relationships. If the auditor believes that any potentially material misstatements identified during the audit are a result of fraud, the auditor should: attempt to do the following: obtain additional evidential matter to make a definitive decision about the issue; consider the implications for other aspects of the audit; discuss the matter with an appropriate level of management (at least one level above those involved, and with senior management and the audit committee); and suggest that the client consult with legal counsel (if appropriate). An auditor may conclude that there is such a significant risk of material misstatement due to fraud that the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others with equivalent authority and responsibility. The decision to withdraw from the engagement may depend on: implications about management integrity, and/or management's cooperation in investigating the circumstances and taking the appropriate action.

Conclusions

The new auditing standard should have a major effect on the planning of audit engagements. It will require additional control testing of how and why journal entries are recorded, as well as enhanced preliminary analytical procedures for revenue. Finally, new substantive testing procedures are required for. testing estimates for bias (a retroactive review of prior-year estimates), updating interim conclusions, unusual journal entries, complex transactions, and the evaluation of business purpose for significant unusual transactions.

Since the new standard will change the scope of the audit and increase its time requirements, auditors should discuss the impact and additional costs of implementing SAS 99 with clients as soon as possible. The new standard could easily add 5% or more to the audit time, much of which is from managers and partners. Therefore, clients should be involved in billing and scope discussions and be made aware of new time requirements.

The value of a high-quality audit has never been greater. Although SAS 99 is effective for audits of financial statements for fiscal periods beginning on or after December 15, 2002, all of the Big Four accounting firms began adopting significant portions of the Standard earlier than that.

There is one other thing that everyone should keep in mind, however. The Public Company Accounting Oversight Board (PCAOB), which was established in 2002 as a result of the Sarbanes-Oxley Bill, to provide oversight on the development and implementation of auditing procedures, among other responsibilities, fell short of agreeing to endorse the AICPA's auditing standards at its first meeting on November 13, 2002. Let's hope the PCAOB quickly realizes that they will have to work together not only with the ASB of the AICPA, but also with the International Audit Practices Committee (IAPC) of the International Federation of Accountants, in order to develop the best standards and to prevent fraud from adversely affecting the integrity of the items reported in financial statements.

*The authors would like to acknowledge the contribution of Stephen Kurtz in the writing of this article.