Auditors will enter a much expanded arena of
procedures to detect fraud as they implement SAS no. 99. The
new standard aims to have the auditor’s consideration of fraud
seamlessly blended into the audit process and continually
updated until the audit’s completion. SAS no. 99 describes a
process in which the auditor (1) gathers information needed to
identify risks of material misstatement due to fraud, (2)
assesses these risks after taking into account an evaluation
of the entity’s programs and controls and (3) responds to the
results. Under SAS no. 99, you will gather and consider much
more information to assess fraud risks than you have in the
past. (For the text of the new standard, see Official
Releases, page 105.)
PROFESSIONAL SKEPTICISM
NEW REQUIREMENT: DISCUSSION AMONG ENGAGEMENT
PERSONNEL There are two primary objectives of the brainstorming session. The first is strategic in nature, so the engagement team will have a good understanding of information that seasoned team members have about their experiences with the client and how a fraud might be perpetrated and concealed.
In addition to brainstorming, SAS no. 99 requires audit team members to communicate with each other throughout the engagement about the risks of material misstatement due to fraud. In fact, the standard requires the auditor with final responsibility for the audit to determine whether there has been appropriate communication among team members throughout the engagement.
STRUCTURING AN EFFECTIVE BRAINSTORMING SESSION
Determine a reasonable time limit. Consultants and business owners who participate regularly in business brainstorming sessions suggest that a good session lasts about an hour. After that, the energy begins to fade and the law of diminishing returns sets in. Consider assigning “homework.” The session will be much more productive if all members have a similar level of understanding about the client, the nature of its business and its current financial performance. For auditors brainstorming about fraud matters, it may be beneficial to perform analytical, fact-based research before the session. In structuring your session, it will help to consider the characteristics of the fraud triangle. For example, you might discuss the incentives/pressures that may exist at the entity or the opportunities management or employees have to commit fraud. You also might discuss observations about attitude/rationalization that may indicate the presence of risk at the company. Describe the objective of the session in language people can relate to. To help generate creative, practical ideas, pose questions people can more easily understand, such as the following:
SOME BRAINSTORMING RULES
OBTAIN INFORMATION TO IDENTIFY THE RISKS OF FRAUD
Management. The new standard lists several items you should ask about that relate to management’s awareness and understanding of fraud, fraud risks and the steps taken to mitigate risks. Several of these inquiries were not required under previous standards. Some inquiries are relatively straightforward, but others may require you to “educate” management about the characteristics of fraud, the nature of fraud risks and the types of programs and controls that will deter and detect fraud. The guidance contained in SAS no. 99 provides you with the background necessary to discuss these matters. Others. The SAS requires you to make inquiries of the audit committee (even if it is not active), internal audit personnel (if applicable) and others about the existence or suspicion of fraud and to inquire as to each individual’s views about the risks of fraud. “Others” can include those employees who are outside the financial reporting process. For the most part, auditors tend to restrict their client inquiries to personnel directly involved in the financial-reporting process. This approach is appropriate for matters of which accounting personnel have direct knowledge—for example, how transactions are processed or controlled. However, it is less effective to ask accounting personnel about matters of which they do not have first-hand knowledge (for example, the procedures used to examine, count and receive items into inventory). Critics of the audit process frequently cite the auditor’s reluctance to make inquiries outside of the accounting department as a reason for the lack of the in-depth understanding necessary to plan and perform an effective and efficient audit. SAS no. 99 is the first standard that requires auditors to make inquiries of “others within the entity,” such as
Further, you should not restrict your inquiries to senior management. The standard suggests making inquiries of personnel at various levels within the organization. These are two primary objectives in making such inquiries.
The standard allows you to use considerable judgment in determining to which employees within the organization you should direct your inquiries and what questions you should ask.
EVEN MORE INQUIRIES
Asking the same question of different people can increase the effectiveness of your inquiries, as you can compare answers to identify consistencies or anomalies in the responses.
PLANNING ANALYTICAL PROCEDURES
FRAUD RISK FACTORS Auditors are cautioned not to think that these fraud risk factors are all-inclusive. In fact, research has found that auditors who used open-ended questions that encouraged them to develop their own fraud risk factors outperformed those who relied on a checklist based on looking only for the illustrated fraud risk factors.
DESIGNING AUDIT PROCEDURES TO IDENTIFY FRAUD RISKS
Regarding fraud risk factors relating to attitude/rationalization, you cannot possibly know with certainty a person’s ethical standards and beliefs. However, during the course of your engagement, you may become aware of circumstances that indicate the possible presence of an attitude or ability to rationalize that you consider to be a fraud risk. For example, a recurring attempt by management to justify marginal, inappropriate accounting on the basis of materiality and a strained relationship between management and the current or predecessor auditor are fraud risks relating to fraudulent financial reporting. SAS no. 99 requires you to consider other information that may be helpful in identifying the risks of material misstatement due to fraud. This other data can be gleaned during
IDENTIFY AND ASSESS FRAUD RISKS
Eliminate risk synthesis from the process step, and the chain is broken—there is no link to risk identification.
Once that link between risk identification and audit test design is eliminated, it is not surprising that the design of audit tests is not effective in helping auditors identify risks Your goal is to “assess” or to synthesize the identified risks to determine where the entity is most vulnerable to material misstatement due to fraud, the types of frauds that are most likely to occur and how those material misstatements are likely to be concealed.
LINKING AUDIT PROCEDURES TO IDENTIFIED RISKS OF
MATERIAL MISSTATEMENT DUE TO FRAUD It also helps to consider whether the identified risks are related to either specific accounts or transactions or to the financial statements as a whole. Once you can link the identified risks to a specific account (or the financial statements taken as a whole), you then can design and perform more effective procedures. When assessing information about potential fraud risks, consider the type, significance, likelihood and pervasiveness of the risk.
REQUIRED RISK ASSESSMENTS
CONSIDERING THE ENTITY’S ANTIFRAUD PROGRAMS AND
CONTROLS
RESPONDING TO THE ASSESSED RISKS
Judgments about the risks of material misstatement due to fraud have an overall effect on how the audit is conducted in the following ways. Assignment of personnel and supervision. SAS no. 99 provides relatively straightforward guidance on this matter, which is easy to understand and implement. The guidance says the greater the risk of material misstatement, the more experienced personnel and the greater amount of supervision required on the engagement. Accounting principles. The standard audit report expresses an opinion as to whether the financial statements “present fairly…in accordance with GAAP.” Some auditors and others involved in the financial reporting process have questioned whether the “present fairly” criterion has become subordinate to “in accordance with GAAP.” That is, the issue may be whether some entities make a case that “since GAAP does not explicitly prohibit a particular accounting treatment, it must be acceptable” without considering whether the accounting will result in a “fair presentation” of the financial position, results of operations and cash flows. Thus, the choice of accounting principles, in addition to their application, becomes crucial for auditors to consider. SAS no. 99 requires you to consider management’s selection and application of significant accounting principles as part of your overall response to the risks of material misstatement. The new standard focuses your attention on accounting principles related to subjective measurements and complex transactions. In addition, given the presumption of revenue recognition as a fraud risk, you should consider the integrity of the entity’s policies on revenue recognition and whether these policies are consistent with key revenue-recognition concepts such as the completion of the earnings process, the realization of sales proceeds and the delivery of the product or service. Predictability of auditing procedures. Successful perpetrators of fraud are familiar with the audit procedures external auditors normally perform. With this knowledge they can conceal the fraud in accounts where auditors are least likely to look. SAS no. 99 requires you to incorporate an element of unpredictability into your procedures from year to year, and it provides tips for implementing this requirement.
ADDRESS SPECIFIC ACCOUNTS OR CLASSES OF
TRANSACTIONS
RISK OF MANAGEMENT OVERRIDE OF INTERNAL CONTROL
Understanding the financial reporting process. To effectively identify and test nonstandard journal entries, you will need to obtain a good understanding of the entity’s financial reporting process. This knowledge is important because it allows you to be aware of what should happen in a “normal” situation so you then can identify anomalies. You also should know how journal entries are recorded (for example, directly online or in batch mode from physical documents), be familiar with the design of any controls over journal entries and other adjustments and learn whether those controls have been placed in operation. This information will help you design suitable tests. Testing journal entries and other adjustments. Your assessment of the risk of material misstatement due to fraud, together with your evaluation of the effectiveness of controls, will determine the extent of your tests. SAS no. 99 requires that you inspect the general ledger to identify journal entries to be tested and examine the support for those items. The new standard provides extensive guidance on what to consider when selecting items for testing. Computer-assisted audit techniques may be required to identify entries that exist only electronically.
RETROSPECTIVE REVIEW OF ACCOUNTING ESTIMATES
BUSINESS RATIONALE FOR SIGNIFICANT UNUSUAL
TRANSACTIONS
EVALUATING AUDIT EVIDENCE
MISSTATEMENTS THAT MAY BE THE RESULT OF FRAUD
In those instances where the misstatement is or may be the result of fraud, and the effect either is material or cannot be determined, you are required to take the following steps:
SAS no. 99 provides guidance on the auditor’s course of action when the risk of material misstatement due to fraud is such that he or she is considering withdrawing from the engagement. It is impossible to definitively describe when withdrawal is appropriate, but in any event you probably will want to consult with your legal counsel.
DOCUMENTATION According to the standard, you are required to document
SAS no. 99 has the potential to significantly advance the profession—to help auditors do their jobs more effectively, to audit smarter. It is a standard that reaches into all areas of the audit process and it moves auditors in a different direction, away from the “checklist mentality” and more into a thinking person’s audit. It puts professional skepticism front and center—exactly where it should be. Depending on how the standard is implemented, it has the potential to be a watershed for how auditors think about and perform an audit. The new fraud standard, while a significant step forward in expanding the functions of an engagement team in planning and performing an audit, is just one component of the AICPA’s comprehensive antifraud and corporate responsibility program. Other fraud-related initiatives first were described in the September 4 speech AICPA President and CEO Barry C. Melancon delivered to the Yale Club in New York. In the speech he underscored the AICPA’s commitment to strengthen investor confidence by enhancing the quality of audits and reinforcing the profession’s core values. When taken together, the initiatives establish a culture in which preventing and detecting fraud is everyone’s business—auditors, corporate America and the financial reporting community. The program includes
Many of
these initiatives will be rolled out in the coming months.
For more information about SAS no. 99, to read the appendix
to it entitled, “Examples of Fraud Risk Factors,” and to
learn about the antifraud and corporate responsibility
program, visit the AICPA Web site at http://antifraud.aicpa.org/Resources/Auditors/Identifying+and+Assessing+Vulnerability+to+Fraud/
|
Breaking News
- Feature
- AUDITING /BUSINESS & INDUSTRY /FRAUD
PODCAST
Most Read
SPONSORED WHITE PAPER
Preparing the statement of cash flows
This instructive white paper outlines common pitfalls in the preparation of the statement of cash flows, resources to minimize these risks, and four critical skills your staff will need as you approach necessary changes to the process.
RESOURCES
Keeping you informed and prepared amid the COVID-19 crisis
We’re gathering the latest news stories along with relevant columns, tips, podcasts, and videos on this page, along with curated items from our archives to help with uncertainty and disruption.
From The Tax Adviser
From CPA Insider