|The AICPA auditing standards board (ASB) took a significant step toward addressing this problem by issuing an exposure draft of a proposed Statement on Auditing Standards, Consideration of Fraud in a Financial Statement Audit, which would supersede SAS no. 82. The ED does not change any of the auditor’s current responsibilities for fraud in a financial statement audit. However, it introduces new concepts, requirements and guidance to assist auditors in meeting those responsibilities. In applying the proposed guidance, auditors would plan and perform every audit with a questioning mind, recognizing the possibility that a material misstatement due to fraud could be present, regardless of past experience with the entity or prior beliefs about management’s honesty and integrity. Auditors would continue to be responsible for planning and performing the audit to obtain reasonable assurance that financial statements are free of material misstatements due to fraud—whether arising from fraudulent financial reporting or asset misappropriation. This article discusses some of the more significant changes from SAS no. 82 and the potential effects on audits so that practitioners may express their opinions on these proposals to the ASB before the end of the ED’s comment period on May 31, 2002.
To provide a richer understanding of the environment in which fraud is likely to occur, the ED expands the description of fraud and its characteristics. It describes three conditions generally present when fraud occurs—incentive/pressure, opportunity and attitude/rationalization (see “The Fraud Triangle,” below). Input from forensic experts, academics and others consistently showed that evaluation of information about fraud was enhanced when auditors considered it in the context of these three conditions.
To increase awareness and sensitivity to fraud, and to enhance the fraud-risk-assessment process, the ED requires audit team members to discuss during the planning stage the potential for material misstatements due to fraud. The more experienced team members should share their insights, and all the members should exchange ideas about how and where the entity’s financial statements might be susceptible to material misstatements due to fraud.
Despite allegations in some recent high-profile cases, material frauds still are relatively rare in relation to all financial statement audits. In fact, most auditors never will encounter a material fraud during their careers. Most auditors assess their clients’ honesty and integrity through rigorous client acceptance and continuance procedures, which might lead them to assume without question their clients are honest. In light of this, the ED emphasizes the importance of maintaining the proper mindset throughout the audit regarding the potential for fraud. Consequently, the audit team’s discussion would acknowledge fraud can occur in any entity and be perpetrated by anyone.
Forensic experts know inquiry is a highly effective tool in fraud investigations and that people who are reluctant to volunteer information about known or suspected fraud will more likely do so when asked directly. The ED requires auditors to query management on its views of the risks of fraud in the entity and knowledge of any known or suspected fraud (see sidebar, at the end of this article). It also says auditors should query others—for example, individuals outside the entity’s accounting or financial reporting areas or employees with varying levels of authority. This requirement is not intended to be onerous—the nature and extent of these inquiries would be based on the auditor’s professional judgment and generally directed to employees with whom the auditor comes into contact during the course of the audit (see “‘Why Ask?’ You Ask,” JofA , Sep.01, page 88).
The ED emphasizes obtaining a broader range of information to serve as the foundation for an assessment that goes beyond considering the fraud risk factors provided in SAS no. 82. The various sources of information—the audit team discussion, inquiries of management and others, consideration of fraud risk factors, the results of planning analytical procedures, information from the client acceptance or continuance process and from reviews of interim financial statements—all feed into the auditor’s evaluation of fraud risks.
The auditor uses the information to consider the type of risk that may exist (for example, fraudulent financial reporting or misappropriation of assets), the significance or magnitude of that risk, the likelihood it will result in a material misstatement in the financial statements and the pervasiveness of the risk (that is, whether it relates to the financial statements as a whole or to a particular account or assertion). Thus, the assessment process identifies “risks” of material misstatements due to fraud auditors should consider in developing their responses.
Revenue recognition issues have been at the center of numerous instances of fraudulent financial reporting and continue to be the number-one reason for restating financial statements. To address this problem, the ED says auditors ordinarily will identify a risk of material misstatement due to fraud relating to revenue recognition. Analytical procedures would be required during planning to help identify unusual or unexpected relationships involving revenue or related accounts. The ED also provides expanded guidance to help auditors make sure planned audit procedures for revenue accounts and assertions are appropriate given the identified fraud risks.
When the auditor identifies risks of material misstatements due to fraud, the ED requires that he or she consider management’s programs and controls to address those risks. They might include broader programs or specific controls designed to prevent, deter or detect fraud. As in SAS no. 82, the auditor would consider whether such programs and controls will mitigate or exacerbate those identified risks. However, in a change from SAS no. 82, the auditor would evaluate whether these programs and controls have been suitably designed and placed in operation. The auditor’s ultimate assessment of the risks of material misstatement due to fraud would take this evaluation into account.
The ED requires the auditor to develop an appropriate response for each fraud risk identified and includes more extensive guidance and examples on how to do so. The auditor’s responses, which are influenced by the nature and significance of the risks identified and the evaluation of the entity’s programs and controls, might have an overall effect on how the audit is conducted (for example, additional persons with specialized skills or knowledge may be assigned) or might involve changing the nature, timing or extent of auditing procedures for specific accounts or assertions. The response typically also will involve performing certain procedures to address the risk of management override of controls.
Management is in a unique position to perpetrate fraud because it can override established controls that would appear to be operating effectively. This risk exists in virtually all audits and can occur in a number of unpredictable ways. Currently, the auditor’s planned procedures in response to inherent and control risks and the auditor’s assessment of the risk of material fraud consider, at least implicitly, the risk of management override. The ED, however, requires auditors of public companies to perform certain procedures to further address this risk. These procedures, which generally would apply also for audits of nonpublic companies, except in some limited circumstances as discussed in the ED, include
Examining journal entries and other adjustments. Several instances of fraudulent financial reporting involved the manipulation of the financial statements through unauthorized journal entries or other so-called top-side adjustments. Many auditors already may review unusual or “nonstandard” journal entries. However, the ED places more emphasis on the auditor’s understanding of the entity’s financial reporting process, including automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. This understanding, already required by SAS no. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Controls in a Financial Statement Audit, provides a basis for determining the nature, timing and extent of testing of journal entries and other adjustments for evidence of possible material misstatement due to fraud. This testing would be a matter of professional judgment and would be based on the auditor’s assessment of the fraud risks, whether effective controls have been implemented over one or more aspects of the financial reporting process, the nature of the financial reporting process and the evidence that can be examined (for example, the extent of manual vs. electronic evidence) and the nature and complexity of the accounts.
Reviewing accounting estimates for bias. Fraudulent financial reporting often is accomplished through intentional misstatement of accounting estimates. Existing auditing standards already require the auditor to consider the potential for management bias when reviewing significant estimates. In addition, the ED requires the auditor to perform a retrospective review of significant prior-year estimates for any potential bias that might signal inappropriate earnings management (for example, recorded estimates clustered at one end of an acceptable range in the prior year and at the other end of an acceptable range in the current year).
Evaluating the business rationale for significant unusual transactions. The use of complex business structures and sophisticated transactions, especially transactions involving special purpose entities or related parties, has been making headlines recently. Although the auditor typically gains an understanding of significant transactions, the ED places a greater focus on understanding the underlying business rationale for significant unusual transactions. In this context, unusual transactions are those that come to the auditor’s attention that are outside the normal course of business for the company or that otherwise appear unusual.
The ASB believes the expanded requirements and guidance provided in the ED, if adopted, would substantially change auditor performance and thereby improve the likelihood that auditors will detect material misstatements due to fraud in a financial statement audit. The ED should improve the audit engagement team’s overall awareness of the possibility of fraud and motivate all team members to think about how and where material fraud might occur. This should lead auditors to be more alert for indications of potential material fraud and to carefully consider whether planned audit procedures appropriately respond to identified fraud risks, including the risk of management override of controls. An increased focus on professional skepticism in gathering and evaluating audit evidence also should lead auditors to further challenge evidence that doesn’t make sense and to obtain additional corroboration of management’s explanations or representations concerning material matters.
The new and strengthened requirements of the ED alone will not guarantee that auditors will detect all material misstatements due to fraud. Fraud often is difficult to detect because it involves concealment through falsification of documents or collusion. Clearly, the ED is a significant positive step, incorporating the substance of a great majority of the specific recommendations of the Panel on Audit Effectiveness relating to fraud. The ED addresses the auditor’s effectiveness in detecting material misstatements due to fraud, but broader efforts are needed that focus on the roles of management, the audit committee, regulators and others in addressing this important issue. Although it is important to improve the likelihood auditors will detect material financial statement fraud, a greater emphasis also is needed on management’s responsibility for fraud prevention, deterrence and detection.
The auditor’s role in detecting material fraud in a financial statement audit has never been under such scrutiny or been the subject of such controversy. We strongly encourage auditors and others to consider the changes the ED proposes and to provide the ASB with comments and feedback. The ED is available on the AICPA Web site at www.aicpa.org .
|Required Inquiries of Management
The proposed standard requires auditors to ask management about
Its knowledge of fraud or suspected fraud.
Its awareness of any allegations of fraudulent financial reporting.
Its understanding about the risks of fraud in the entity.
Programs and controls established to mitigate specific fraud risks or broader programs to prevent, deter or detect fraud and how it monitors such programs and controls.
For entities with multiple locations, the nature and extent of monitoring of operating locations or business segments and whether there are particular operating locations or business segments for which a risk of fraud may be more likely to exist.
Whether and how it communicates to employees its views on business practices and ethical behavior.