|Andrew H. Barnett , CPA, PhD, is the director of the School of Accountancy, San Diego State University in California, and a former member of the AICPA accounting and review services committee. James E. Brown , CPA, is a partner of Baird, Kurtz & Dobson, Joplin, Missouri, and a past member of the AICPA auditing standards board. Robert Fleming , CPA, is a shareholder of Urbach Kahn & Werlin, PC, Albany, New York, and a former member of the ASB and its fraud task force. William J. Read , CPA, PhD, is Gibbons Research Professor of Accountancy, Bentley College, Waltham, Massachusetts.|
The fraud auditing standard hit the financial community in April 1997 with more fanfare than any of its 81 predecessors. Designed to give the auditor guidance in detecting material misstatements caused by fraud, SAS no. 82 also clarifies the auditor's responsibilities. It affects audits of multinational manufacturers in New York and car dealerships in Montana. And its effective date—audits of financial statements for periods ending on or after December 15, 1997—means you have to know how to apply it now.
An earlier article, "The Auditor and Fraud" (JofA, Apr.97, page 32), discussed the standard's major provisions. However, the auditor continues to need practical implementation guidance. Note the case study (pages 72-73) illustrates how the auditor may comply with the steps shown in the flowchart (page 71) in the audit of a small business. It should help clarify how practitioners might consider the presence of risk factors, assess the risk of material misstatement due to fraud, develop a response, document the performance of their assessment and meet their communication responsibilities.
The fraud SAS is upon us; it's time to know it and time to use it.
DETECTING AND DETERRING FRAUD RISK
SAS no. 82, Consideration of Fraud in a Financial Statement Audit , recognizes the auditor should be part of a broad, comprehensive effort that attempts to minimize fraud risk. Management is responsible for the prevention and detection of fraud and plays a significant role in deterring fraud by establishing a positive control environment and appropriate control activities. Essentially, the auditor and management are responsible for several areas, or methods, of fraud control: Control environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. The tone at the top is largely responsible for determining the attitude and performance expectations of others within the organization. A management that takes its responsibility seriously and establishes a positive control environment mitigates fraud risk. Conversely, fraud risk generally increases when management conveys the impression that internal control is unimportant or a necessary evil or that it provides only minimal benefits. Control activities. Since financial statement fraud can occur even in a positive control environment, management needs control activities—the policies and procedures that help ensure the entity addresses risks. For example, consider an entity with a large inventory of computer chips. Control activities—including periodic physical counting of this inventory and prompt reconciliation of the resulting count to perpetual inventory records—reduce the potential for undetected material defalcation. Entities that do not reconcile the count results to the perpetual inventory records face an increased likelihood of material defalcation. Auditor skepticism. SAS no. 82 also is designed to make the auditor more skeptical. If a control environment is not positive or if management has not established relevant control activities, the potential for fraud may be high. The auditor needs to be more sensitive to the possible existence of fraud. He or she may have to probe deeper, challenge management's explanations of significant matters and extend audit procedures. This article largely addresses this third and final line of defense.
SAS 82's APPROACH
In clarifying the auditor's responsibility for detecting fraud, SAS no. 82 requires the auditor to perform certain steps throughout the audit. For example, it requires the auditor to consider the presence of fraud risk factors relating to fraudulent financial reporting and misappropriation of assets. Paragraphs 16 and 18 of the statement describe specific categories under those two risk factors.
The standard also establishes specific auditor responsibilities for the assessment of fraud risk, documentation of performance and communication to management. The auditor must obtain management's understanding about the risk of fraud in the entity and determine whether it has knowledge of fraud perpetrated on or within the entity.
The flowchart illustrates the auditor's responsibilities under SAS no. 82 as well as some ideas on how the auditor can fulfill those responsibilities. Note that the assessment of fraud risk is a continuous process throughout the course of the audit. The auditor has to keep an eye on fraud risk during planning and throughout the engagement.
The previous standard, SAS no. 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities , required the auditor to assess the risk of material misstatement due to errors or irregularities (fraud). The auditor also needed to design and perform audit procedures appropriate for the assessed risk. Under SAS no. 82, the auditor must specifically assess and respond to the risk of material misstatement due to fraud. While the auditor typically may assess fraud risk at the time of assessing control or inherent risk, there is no requirement to assess fraud risk in either quantitative (0% to 100%) or qualitative (high, medium or low) terms.
STATIC OR CONTINUOUS?
In the case study, the auditor identified the risk factors during both the planning and the performance of the audit. However, there is no one time to catch a fraud. The assessment of fraud risk has three steps that the auditor must repeat throughout the audit as relevant information comes to his or her attention:
- Consider the presence of risk factors.
- Assess risk.
- Develop a response.
In the case study, the audit partner recognized that one individual dominated the organization and probably could override any controls. The partner also recognized other control weaknesses, including the low degree of management oversight of branch activity and the lack of independent approval before accounts were written off as uncollectible. SAS no. 82 requires the auditor to consider controls (as well as the susceptibility of assets to misappropriation) in the context of an assessment of risk of material misstatement due to fraud.
|The Auditor's Consideration of Fraud Risk|
The example outlined in the case study could have occurred before the issuance of SAS no. 82. In the example, the auditor knew "something was wrong" and performed follow-up procedures until she had a satisfactory answer. In some respects, SAS no. 82 provides a structure or a more formal process for what a "good" auditor does instinctively.
WAS AN AUDIT FAILURE IN THE MAKING?
The case study also illustrates some reasons for an auditor's failure to detect material misstatements due to fraud. An auditor might not exercise the proper degree of professional skepticism. For example, in the case study, the staff accountant relied exclusively on responses to inquiries and performed no procedures to corroborate the branch manager's explanations. The auditor who wishes to increase his or her chances of detecting fraud cannot be timid about asking questions. Often, others in the organization know about or suspect fraud.
An auditor may simply be unaware that observed conditions can indicate a material fraud. The case study's staff accountant was too concerned with adjusting entries and not concerned enough about the apparent indication of fraud. Also, the staff accountant, who had not encountered fraud risk in the past, may simply not have known what to watch for. Did he look at the numbers in isolation, without developing an expectation about their reasonableness in view of other relevant information? The staff accountant failed to compare writeoff percentages and thus did not notice the variance from the main store.
|Case Study: Misappropriation of Assets|
|Like many auditors, Julie
Jones, CPA, never really expected that one of her clients
would actually experience a material fraud. However, she
refused to be lulled into a false sense of security or relax
her professional skepticism. A recent audit engagement
demonstrated the wisdom of her approach. Jones's description
of, and observations about, her unexpected experience follow:
Last year, my firm audited a privately owned lumber wholesaler with about $2.1 million in sales. The client had two locations in the state, one in town and a branch located in a city about 180 miles away. I stayed in town to do the audit at the main location and sent a staff assistant to the branch location for accounts receivable audit work. When the assistant returned after three days, I asked him if he had found anything. I was relieved when he replied he had not because we were under time pressure.
As I reviewed the customer accounts the assistant had selected for testing, I noticed an unusual one: a $90,000 credit to accounts receivable control, with an offset to the allowance for bad debts. The explanation read: "To adjust the general ledger to the accounts receivable trial balance at the branch." I asked the assistant why an adjustment that significant was necessary. He repeated the branch manager's explanation that the branch office had some collection problems with several long-time customers and had eased credit terms and criteria to increase sales.
When planning the audit, I recognized that the manager dominated at the branch and could probably override any controls. However, I did not worry when I first heard this since I was reasonably confident the company's remaining recorded receivables were collectible. Later that day, while reviewing the analytical procedures, I noticed that the accounts receivable writeoff percentages at the branch location were much higher than those of the main store. The workpapers carried this explanation: "Per store manager, writeoff and return policies were liberalized at the branch in order to attract customers in response to increased competition."
The next day I began to sense something was not right. While talking to the controller at the main store, I referred to the problems at the out-of-town location and that they were working out. "It appears those credit policy changes you implemented earlier this year helped to attract new customers," I said.
"Credit policy changes?" she said. "What are you talking about? The company is a wholesale distributor—it doesn't have the kind of customers you find in a retail store. Most of our customers are construction contractors. We have been very sensitive to the economic indicators in that industry and the financial health of our customers. If anything, we have tightened credit." The branch manager's explanation, I learned, had no basis in fact.
With that, I was convinced something was wrong, so the audit team confirmed selected sales and cash receipts activity in the customers' accounts that looked suspicious. We also traced payments back and forth from the subledger to the general ledger. We found delays between the date customers said payments had been made and when they were recorded. We also found an unusually large number of noncash credit entries to customer accounts.
It turned out the branch manager was stealing payments that customers had made on account. The manager was covering by writing off related accounts, but with occasional errors. The errors increased the number of entries necessary to cover the theft, which is why the subledger did not agree with the general ledger and why the writeoff rates were so much higher than the others. That $90,000 misstatement was definitely material, but it was not the only misstatement.
Going by the book. Julie Jones detected the material misappropriation of assets by following the approach described in SAS no. 82 and illustrated in the flowchart. First, she noted certain signs that she identified as fraud risk factors or other conditions affecting her risk assessment. Jones was aware that duties for processing large amounts of cash at the branch were not adequately divided among different individuals and that management was not providing adequate oversight of branch activities. She also knew that managers were no more or less honest than the employees-they just had more opportunity to commit fraud.
Once Jones identified these risk factors and other conditions, she made an assessment that "something was wrong." The combination of risk factors and other conditions considered individually and together led the auditor to make that assessment. She determined the planned audit procedures were insufficient, so she extended her audit procedures until she was able to detect the material misstatement.
To complete the procedures required by the SAS, Jones would need to document certain items in the workpapers and make sure she complied with the communication requirements of the SAS. Specifically, she should document the risk factors and other conditions identified and her responses.
The auditor cannot let budget pressures inordinately influence audit procedures in the presence of fraud risk factors. In the case study, the audit partner exercised an appropriate level of supervision and review. As a result, she performed additional procedures to obtain sufficient audit evidence.
As the flowchart shows, SAS no. 82 contains important documentation requirements. In planning for the audit, the auditor should document his or her performance of the fraud risk assessment and response to the factors identified. During field work, the auditor may identify risk factors or other conditions that lead to reassessing fraud risk. The auditor should document the factors or conditions identified and any further response deemed necessary.
Paragraph 37 of SAS no. 82 contains the specific requirement to document evidence of the performance of the assessment of the risk of material misstatement due to fraud. The auditor is allowed significant flexibility about the form of documentation. In the case study, the audit partner documented the risk factors and other conditions present, which were the noncash credits to accounts receivable control and the contradictory explanations given by the manager. She also documented her response, which included contacting the store's customers about specific receipts on account. Additionally, she explained the rationale for her audit response, but such explanation is not required. The explanation of the partner's rationale would assist in the review of the circumstances at a later date. She also could explain the client's actions, if any, which would mitigate the risk in the future. Again, however, such explanation is not required.
Evidence of performing the fraud risk assessment could include the following:
- All of the risk factors identified as present during audit planning, regardless of whether they require a response.
- The response to those risk factors.
- Fraud risk factors or other conditions identified during the performance of field work that cause the auditor to believe an additional audit response is required and the auditor's additional response.
In identifying risk factors, the auditor may begin with a checklist of risk factors adapted from those in SAS no. 82 or a questionnaire. The auditor's considerations of internal control and inherent risk, past experience (if any) with the client and inquiries of management help identify the presence of fraud risk factors. The auditor has to document only the risk factors present.
Some auditors may wish to document other judgments. Optional documentation includes judgments such as
- The underlying rationale about why the risk factors identified are believed to possibly lead to misstatements.
- A conclusion that the auditor's planned response to the assessed level of fraud risk is adequate.
- Any existing control policies that mitigate the effect of risk factors.
- Specific inquiries related to fraud (performance of inquiries is required, but not documentation).
Of course, thorough and appropriate documentation may assist the auditor in subsequently reviewing, or even defending, judgments.
COMMUNICATIONS ABOUT FRAUD
According to SAS no. 82, when the auditor determines that evidence of a fraud may exist, he or she should discuss the issues with an appropriate level of management. The SAS distinguishes between the identification of fraud risk factors and the more serious identification of evidence that a fraud may exist. For example, in the case study, the partner subsequently determined that misrepresentations by the branch manager about liberalizing credit policies, along with the writeoffs, constituted evidence that a fraud may exist. At this point, the auditor should discuss the evidence with senior management even if the auditor does not believe the fraud is material. See paragraph 24(a) in SAS no. 53 and compare with paragraph 38 in SAS no. 82.
The auditor should report directly to the board of directors or its audit committee any evidence that senior management is involved in a possible fraud or that a fraud may cause a material financial statement misstatement. If the auditor believes senior management is involved, and there is no audit committee, the auditor should consider the guidance in paragraph 36 of SAS no. 82, which includes considering withdrawal from the engagement. When the risk factors identified constitute reportable conditions, the auditor should inform management and the audit committee.
The disclosure of fraud to parties other than the client's senior management and its audit committee usually is not part of the auditor's responsibility. Ordinarily, auditors' ethical or legal obligations of confidentiality prevent them from doing so anyway.
SAS no. 82 potentially represents a watershed standard in the profession's effort to provide auditors with performance standards to assist them in discharging their responsibilities in detecting material misstatements. To assist auditors, the AICPA offers a variety of resources:
- Considering Fraud in a Financial Statement Audit: Practical Guidance for Applying SAS no. 82 (product no. 008883JA). This nonauthoritative practice aid includes three sections: implementation guidance; industry-specific risk factors and guidance; and examples including common fraud schemes. It provides documentation examples that meet the minimum requirements of the SAS and examples that go beyond them.
- CPE courses in various formats-computer-based, video and self-study. Call the AICPA at 800-862-4272.
- The AICPA Technical Information Hotline (800-862-4272).
As the case study shows, practitioners need to study the statement carefully. Only by becoming familiar with its provisions and requirements can auditors properly hone their skills in rooting out fraud.