The Auditor and Fraud
SAS no. 82 clarifies the auditors responsibilities.
Editor’s note: The information contained in this article is specific to the auditing and assurance landscape on or about the date it was authored, including references to Generally Accepted Auditing Standards in effect at that time. For up-to-date information as of September 2023, please refer to the JofA article “A Refresher on Fraud and the Responsibility for Its Detection.” To ensure you have the most recent and relevant information on audit and assurance issues, including Statements on Auditing Standards currently in effect, visit the AICPA & CIMA Audit & Assurance website.
| EXECUTIVE SUMMARY |
|
| JANE MANCINO, CPA, is a technical manager in the American Institute of CPAs auditing standards division. Ms. Mancino is an employee of the American Institute of CPAs. Her views, as expressed in this article, do not necessarily represent the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation. |
The most highly publicized statement on auditing standards in years rolled off the presses in early February. SAS no. 82, Consideration of Fraud in a Financial Statement Audit , provides expanded operational guidance on the auditors consideration of material fraud in conducting a financial statement audit. The new SAS, which supersedes SAS no. 53, The Auditors Responsibility to Detect and Report Errors and Irregularities , is effective for audits of financial statements for periods ending on or after December 15, 1997. This article explains why the American Institute of CPAs issued the new standard and how it will change what auditors do.
WHY A NEW SAS ON FRAUD?
In its March 1993 report, In the Public Interest , the Public Oversight Board of the AICPA division for CPA firms SEC practice section made a number of recommendations about fraud, including issuing a call for auditors to exercise the professional skepticism demanded by SAS no. 53. The AICPA board of directors, in its June 1993 report, Meeting the Financial Reporting Needs of the Future: A Public Commitment From the Public Accounting Profession , supported the POB recommendations and other initiatives to prevent and detect fraud. As a result of these and other developments, the AICPA auditing standards board formed the fraud task force to take a hard look at SAS no. 53. The ASB concluded that it was crucial to develop a SAS that focused solely on financial statement fraud.
After substantial deliberation, the ASB issued an exposure draft of a proposed SAS, Consideration of Fraud in a Financial Statement Audit , in May 1996. Although some mistakenly viewed the ED as a response to the Private Securities Litigation Reform Act of 1995, the boards consideration of fraud had started long before that legislation was signed in December 1995. After considering the issues raised in comment letters and revising the proposed SAS, in November 1996 the ASB voted to issue the final standard.
DETECTION RESPONSIBILITY
SAS no. 82 clarifies, but does not increase, the auditors responsibility to detect fraud. The auditors responsibility is still framed by the key concepts of materiality and reasonable assurance. The ASB believed this obligation was so central to an audit that a responsibility statement should be placed in the general standards (AU section 110 of AICPA Professional Standards ) to heighten the auditors overall awareness throughout the audit. The full text of the responsibility statement appears in the box below.
Is the auditor responsible for detecting any kind of fraud that may have occurred? Absolutely not. The auditors responsibility relates to the detection of material misstatements caused by fraud and is not directed to the detection of fraudulent activity per se. Thus, the auditor of financial statements must obtain reasonable assurance that the statements are free of material misstatements, whether caused by error or fraud.
| Amendment to “Responsibilities and Functions of the Independent Auditor” 2. The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected. |
THE RISK OF MATERIAL MISSTATEMENT
The SAS describes two types of fraud that may result in financial statement misstatements:
- Fraudulent financial reporting. An example of fraudulent financial reporting is a company that ships customers goods that have not been ordered and then records the revenue as if it met all the criteria for revenue recognition. In other cases involving new high technology products, company personnel may have provided customers with a side agreement granting right of return for any reason or made payment for the goods contingent on receipt of funding or some other event. In such cases the side agreement typically is not disclosed to the auditor because the underlying transaction would not meet the criteria for revenue recognition under generally accepted accounting principles.
- Misappropriation of assets. Examples of misappropriation of assets are thefts of cash, inventory or securities. Small practitioners specifically asked for guidance in this area because they were more likely to encounter misappropriations than fraudulent financial reporting. Auditors from larger firms were more concerned about fraudulent financial reporting from a materiality standpoint but also thought guidance on misappropriations would be helpful.
Some practitioners questioned the auditors responsibility to detect certain significant defalcations, such as at a retailing company where thefts are reflected in cost of goods sold after inventories are adjusted to actual quantities on hand. While the answer depends on the actual facts and circumstances involved, many believe the auditor should have a feel for when inventory shrinkage is not in line with other entities in the industry. Although some argue the amount attributed to a defalcation should be shown on a line labeled “theft expense,” there is no such requirement under GAAP.
| How a Financial Statement Audit Differs From a Fraud Audit In an audit conducted in accordance with generally accepted auditing standards, the independent auditors objective is to express an opinion on how fairly the financial statements present—in all material respects—financial position, results of operations and cash flows in conformity with generally accepted accounting principles. A fraud audit is a separate engagement from a financial statement audit conducted in accordance with GAAS. In a fraud audit, there typically is an allegation of fraud or a fraud has already been discovered; the accountant is called in to gather evidence or to act as an expert witness in connection with legal proceedings relating to the fraud. he or she is not asked to give an opinion on the financial statements as a whole. The fraud audit typically is a consulting service; the accountant should refer to the AICPA statements on standards for consulting services for appropriate guidance. In conducting such an engagement, a practitioner also is subject to the AICPA and the applicable state CPA society Code of Professional Conduct. Additional guidance on conducting fraud investigations is available in the AICPA practice aid Fraud Investigations in Litigation and Dispute Resolution Services . |
SAS no. 82 requires the auditor to specifically assess the risk of material misstatement of the financial statements due to fraud in every audit. The auditor is not expected to assess the risk of fraud as high, medium or low, as might be the case in assessing control risk. Rather, SAS no. 82 asks the auditor to consider risk factors relating to fraudulent financial reporting and misappropriation of assets in each of the categories shown in paragraphs 16 and 18 of the statement. The auditor then needs to consider that risk assessment in designing the audit procedures he or she will perform. In the context of this statement, risk assessment is a process rather than a rating or a score.
Does an auditor have to use the risk factors identified in the SAS? The specific risk factors can be customized as long as the auditor considers factors in each of the categories itemized in paragraphs 16 and 18. For instance, the auditor may wish to consider risk factors relevant only to a specific industry, such as banking. Under other circumstances, the auditor may wish to choose only those risk factors applicable to the small business under audit. Alternatively, an auditor may believe there are additional risk factors—not identified in the SAS—that require serious consideration. Auditors should be aware, however, that the risk factors in the SAS are discriminating and have been found to be present frequently in actual instances of fraud.
What procedures should the auditor perform to ascertain that risk factors are present? Typically auditors will identify the presence of risk factors in planning the audit, in their consideration of internal control and inherent risk, from their past knowledge of the client (for ongoing clients) and in making certain inquiries of management required by SAS no. 82. Those inquiries include asking management about the risk of fraud in the entity and whether any frauds have been perpetrated on or within the entity. If the client has a program to prevent, deter or detect fraud, the auditor should ask whether it has identified any fraud risk factors.
Ongoing risk assessment. Auditors should be aware of the risk factors throughout an audit, not just at the planning stage. The new SAS provides additional items, called “other conditions,” that auditors need to consider in making the assessment. Examples include missing documents, unusual discrepancies between the entitys records and confirmation replies and unusual delays by the entity in providing requested information. When additional risk factors or other conditions come to their attention, auditors need to consider the impact, if any, on the risk assessment.
RESPONSE TO RISK
The auditors response to risk can vary widely. he or she may believe the audit program already addresses areas of risk sufficiently, making no further response necessary. Depending on the nature of the risk, the auditor may wish to change the nature, timing or extent of procedures. The auditor may wish to increase the number of locations at which inventory counts are observed or assure that the inventory counts are moved close to yearend. In connection with receivable confirmation requests, the auditor—faced with other risk factors—may wish to inquire of the appropriate person about the existence of side agreements. When the auditor has significant concerns about managements integrity or otherwise concludes it is not possible to address the level of risk on the engagement, he or she should consider withdrawing from the audit, with appropriate communications to the entitys audit committee.
EVALUATING AUDIT TEST RESULTS
The assessment of the risk of material misstatement due to fraud is a cumulative process, one that is ongoing throughout the audit. At the end of the audit, the auditor should consider whether the accumulated results of audit procedures and other observations, such as other conditions noted in paragraph 25, affect the assessment of risk due to fraud that was made when planning the audit. This may provide insight into whether there is a need to perform additional audit procedures.
What should the auditor do when he or she finds a misstatement due to fraud? Guidance in SASs nos. 82 and 53 on the auditors response to a detected fraud is very similar. If the misstatement resulting from fraud is not material to the financial statements, the auditor should refer the matter to an appropriate level of management at least one level above those involved and be sure the audit implications have been adequately considered. For fraud resulting in a material effect on the financial statements, or if the auditor is unable to determine the size of the misstatement, the auditor should take the actions identified above. In addition, the auditor should attempt to determine whether material fraud exists and, if so, its effect and, when appropriate, suggest that the client consult with legal counsel.
COMMUNICATION
Auditors have certain specific communication requirements. The SAS no. 82 guidance on communication is very similar to that in SAS no. 53. Any fraud involving senior management and any fraud that is material to the financial statements should be reported directly to the audit committee. As noted earlier, immaterial fraud should be reported to a level of management above those perpetrating the fraud.
Under certain circumstances, the auditor may have a responsibility to communicate outside the entity. For example, in audits of SEC registrants, the Securities and Exchange Commission requires auditors to report certain illegal acts pursuant to the Private Securities Litigation Reform Act of 1995 (codified in section 10A(b)1 of the Securities Exchange Act of 1934). When the auditor identifies fraud risk factors with control implications, he or she must consider whether they represent reportable conditions that should be reported to management and the audit committee.
DOCUMENTATION
The auditor should document in the work papers the assessment of the risk of material misstatement due to fraud. At a minimum, the auditor needs to document those risk factors identified in the audit engagement and the auditors response to them. If other risk factors are identified during the audit that cause the auditor to believe an additional response is required, he or she should document those factors or conditions and any further response the auditor concluded was appropriate.
| The View From the Inside Out: The Impact of SAS 82 on Business and Industry As they do with most new standards, companies have begun to consider the impact of Statement on Auditing Standards no. 82, Consideration of Fraud in a Financial Statement Audit , on their operations. Right now, theyre focusing attention on two areas, audit fees and the relationship with the external auditor. Audit fees . Although there is general agreement the standard may increase the audit fees some companies pay, the effect is likely to be minimal. Joseph P. Liotta, director—auditing for Consolidated Edison Co. of New York in New York City, said in a majority of cases SAS no. 82 will do little or nothing to audit fees. “Well-run organizations probably will not see noticeable changes.” But, Liotta said, “some situations, particularly initial public offerings or certain industries, that require more effort on the public accountants part may increase fees.” And in companies where management is not effectively addressing fraud risk factors, costs also may be greater. But SAS no. 82 is not the only pronouncement that generates additional compliance costs. As Liotta, a member of the American Institute of CPAs auditing standards board fraud task force, pointed out, “This can happen with any technical pronouncement; for example, a companys internal costs can go up in complying with a Financial Accounting Standards Board statement.” Companies concerned about the cost of complying with SAS no. 82 can take measures—such as implementing controls designed to prevent and detect fraud—that will have the effect of reducing future fees. Relationship with external auditor. What will companies themselves have to do differently, both internally and in their interactions with their auditors? When he is asked this question, Liotta said he points to two paragraphs in SAS no. 82—paragraphs 13 and 24. Paragraph 13 requires the public accountant to make an inquiry of management to obtain its understanding about the risk of fraud in the entity and to determine whether it knows of any fraud perpetrated against the entity. “This will require companies to do some work. When well-run companies with good managements are asked straightforward questions, they like to give straightforward answers.” In this case, Liotta said companies may have to do some internal assessments—carried out by the internal auditors or corporate controllers—to identify areas of risk for fraudulent financial reporting and for material misappropriation so they can give the outside auditors intelligent answers about the risk of fraud. Changes in the management representation letter are now being developed to incorporate the new fraud terminology. Liotta believes signing this letter will cause management to think carefully about what information the letter includes. Liotta said SAS no. 82 means auditors will be asking different questions of management and public accountants should bring this change to managements attention now so there is no surprise come next yearend. According to Liotta, “Research has shown that more frauds will be found by simply asking the right questions. Many people in an organization know something is going on but dont have an outlet to talk about it. If the auditor simply sits down with them, he or she can find out quite a bit.” Liotta sees paragraph 24 of SAS no. 82 as an extension of paragraph 13, but more detailed. It says that if an entity has established a program designed to deter and detect fraud, the auditor may—but does not have to—consider its effectiveness. But the auditor should still question the staff overseeing the program to determine whether it has identified any fraud risk factors. Liotta said organizations have established many different programs to deter and detect fraud—internal audit departments, ethics hotlines and security departments. “The people who staff these programs have to understand they are going to be asked questions about what they find in their work.” And, Liotta said, they are probably going to have to give an assessment about the overall impact of what they find on the financial statements and make a presentation to the public accountants. “Thats not going to generate more work for them,” he said, “but it will put some of them in a position—perhaps for the first time—of talking to the public accountants.” Because many corporations are organized as corporate holding groups or management companies and most business activities are carried out at a subsidiary level, Liotta said the real assessment of risk has to be done at the subsidiary level. He said paragraph 17 of SAS no. 82 spells out from a financial reporting point of view the fraud risk factors, which will be “very important to internal auditors” in making the risk assessment. Internal auditors wont be surprised by the factors, Liotta said, “but they will help them to look at fraudulent financial reporting from a subsidiary viewpoint.” The purpose is to protect corporate management, “because the numbers that make up the consolidated financial statements come from down below and could contain some surprises.” Liotta emphasized that “sometimes fraud occurs not at the highest level of the organization but, rather, at the lowest. The numbers and the effect could be significant.” Overall effect. Asked about the likely impact of SAS no. 82, Liotta characterized it as an “operational document.” If carried out properly, he said, it is “likely fraudulent financial reporting will be identified—if it exists.” Liotta believes SAS no. 82 will increase the level of sensitivity on the part of external auditors and get them to “probe deeper.” He advises chief financial officers, controllers and chief internal auditors to get copies of SAS no. 82, become familiar with its provisions and determine how their companies risk assessment processes should be modified. — Peter D. Fleming |
A SPECIAL ISSUE
The ASB viewed fraud as a special issue and considered it crucial to develop an SAS that focused solely on material misstatements arising from fraud. Auditors have a basis for determining compliance only with laws and regulations that have a direct and material effect on the determination of financial statement amounts, such as tax laws or the determination of revenue earned under a government contract. It isnt feasible to design an audit to provide reasonable assurance of detecting all illegal acts that could have a material effect on financial statements. U.S. businesses are subject to myriad laws and regulations that, if violated, could lead to material consequences. These include laws governing securities issuance and trading, occupational safety and health, food and drug administration, environmental protection, price fixing and antitrust violations. As a practical matter, auditors have little chance of detecting most illegal acts unless informed of them by the client or if there is evidence of a government investigation or enforcement proceeding in corporate documents available to the auditor.
IMPLEMENTATION GUIDANCE
Since SAS no. 82 was viewed as being particularly important from its inception, the AICPA took several steps to develop nonauthoritative implementation guidance for the new standard, including communication efforts to publicize both the exposure draft and the final statement, which were widely covered in the national business and trade press. The sidebar that appears above identifies some nonauthoritative practice aids on SAS no. 82 that practitioners may find useful.
REEVALUATION
SAS no. 82 was a major initiative on the ASBs part to provide expanded operational guidance on the auditors consideration of fraud in a financial statement audit. Once the SAS has been in use for two busy seasons, the ASB will evaluate how well it has accomplished its objectives and identify any further steps that need to be taken. This feedback process also may help identify specific issues for further research on fraud deterrence and detection.
| AICPA Guidance on Implementing SAS 82 The American Institute of CPAs is rolling out a new effort to provide user-friendly standards by offering implementation guidance on Statement on Auditing Standards no. 82, Consideration of Fraud in a Financial Statement Audit. These implementation efforts include
For information and to register, call 800-862-4272 and give the operator code WR. A video CPE self-study course based on these presentations will be available in late summer.
Note: The above prices do not include sales tax or shipping and handling. To order, call 800-862-4272 between 8:30 a.m. and 7:30 p.m. eastern time or fax 800-362-5066. | |||||||||||||||||||||
