The AICPA auditing
standards board (ASB) took a significant step toward
addressing this problem by issuing an exposure draft
of a proposed Statement on Auditing Standards,
Consideration of Fraud in a Financial
Statement Audit, which would supersede SAS
no. 82. The ED does not change any of the auditor’s
current responsibilities for fraud in a financial
statement audit. However, it introduces new
concepts, requirements and guidance to assist
auditors in meeting those responsibilities. In
applying the proposed guidance, auditors would plan
and perform every audit with a questioning mind,
recognizing the possibility that a material
misstatement due to fraud could be present,
regardless of past experience with the entity or
prior beliefs about management’s honesty and
integrity. Auditors would continue to be responsible
for planning and performing the audit to obtain
reasonable assurance that financial
statements are free of material
misstatements due to fraud—whether arising from
fraudulent financial reporting or asset
misappropriation. This article discusses some of the
more significant changes from SAS no. 82 and the
potential effects on audits so that practitioners
may express their opinions on these proposals to the
ASB before the end of the ED’s comment period on May
31, 2002.
NEW CONTEXT FOR CONSIDERING RISKS
To provide a richer
understanding of the environment in which fraud is
likely to occur, the ED expands the description of
fraud and its characteristics. It describes three
conditions generally present when fraud
occurs—incentive/pressure, opportunity and
attitude/rationalization (see “The Fraud
Triangle,” below). Input from forensic experts,
academics and others consistently showed that
evaluation of information about fraud was enhanced
when auditors considered it in the context of
these three conditions.
TEAM DISCUSSION AND PROFESSIONAL
SKEPTICISM To
increase awareness and sensitivity to fraud, and
to enhance the fraud-risk-assessment process, the
ED requires audit team members to discuss during
the planning stage the potential for material
misstatements due to fraud. The more experienced
team members should share their insights, and all
the members should exchange ideas about how and
where the entity’s financial statements might be
susceptible to material misstatements due to
fraud. Despite allegations in some recent
high-profile cases, material frauds still are
relatively rare in relation to all financial
statement audits. In fact, most auditors never
will encounter a material fraud during their
careers. Most auditors assess their clients’
honesty and integrity through rigorous client
acceptance and continuance procedures, which might
lead them to assume without question their clients
are honest. In light of this, the ED emphasizes
the importance of maintaining the proper mindset
throughout the audit regarding the potential for
fraud. Consequently, the audit team’s discussion
would acknowledge fraud can occur in any entity
and be perpetrated by anyone.
EXPANDED INQUIRIES
Forensic experts know
inquiry is a highly effective tool in fraud
investigations and that people who are reluctant
to volunteer information about known or suspected
fraud will more likely do so when asked directly.
The ED requires auditors to query management on
its views of the risks of fraud in the entity and
knowledge of any known or suspected fraud (see
sidebar, at the end of this article). It also says
auditors should query others—for example,
individuals outside the entity’s accounting or
financial reporting areas or employees with
varying levels of authority. This requirement is
not intended to be onerous—the nature and extent
of these inquiries would be based on the auditor’s
professional judgment and generally directed to
employees with whom the auditor comes into contact
during the course of the audit (see “‘Why
Ask?’ You Ask,” JofA , Sep.01, page
88).
EXPANDED SCOPE FOR ASSESSING FRAUD RISKS
The ED emphasizes
obtaining a broader range of information to serve
as the foundation for an assessment that goes
beyond considering the fraud risk factors provided
in SAS no. 82. The various sources of
information—the audit team discussion, inquiries
of management and others, consideration of fraud
risk factors, the results of planning analytical
procedures, information from the client acceptance
or continuance process and from reviews of interim
financial statements—all feed into the auditor’s
evaluation of fraud risks. The auditor
uses the information to consider the type
of risk that may exist (for example,
fraudulent financial reporting or misappropriation
of assets), the significance or magnitude
of that risk, the likelihood it will
result in a material misstatement in the financial
statements and the pervasiveness of the
risk (that is, whether it relates to the financial
statements as a whole or to a particular account
or assertion). Thus, the assessment process
identifies “risks” of material misstatements due
to fraud auditors should consider in developing
their responses.
RISKS RELATED TO REVENUE RECOGNITION
Revenue recognition
issues have been at the center of numerous
instances of fraudulent financial reporting and
continue to be the number-one reason for restating
financial statements. To address this problem, the
ED says auditors ordinarily will identify a risk
of material misstatement due to fraud relating to
revenue recognition. Analytical procedures would
be required during planning to help identify
unusual or unexpected relationships involving
revenue or related accounts. The ED also provides
expanded guidance to help auditors make sure
planned audit procedures for revenue accounts and
assertions are appropriate given the identified
fraud risks.
EVALUATE PROGRAMS AND CONTROLS
When the auditor
identifies risks of material misstatements due to
fraud, the ED requires that he or she consider
management’s programs and controls to address
those risks. They might include broader programs
or specific controls designed to prevent, deter or
detect fraud. As in SAS no. 82, the auditor would
consider whether such programs and controls will
mitigate or exacerbate those identified risks.
However, in a change from SAS no. 82, the auditor
would evaluate whether these programs and controls
have been suitably designed and placed in
operation. The auditor’s ultimate assessment of
the risks of material misstatement due to fraud
would take this evaluation into account.
AUDITOR’S RESPONSE
The ED requires the
auditor to develop an appropriate response for
each fraud risk identified and includes more
extensive guidance and examples on how to do so.
The auditor’s responses, which are influenced by
the nature and significance of the risks
identified and the evaluation of the entity’s
programs and controls, might have an overall
effect on how the audit is conducted (for example,
additional persons with specialized skills or
knowledge may be assigned) or might involve
changing the nature, timing or extent of auditing
procedures for specific accounts or assertions.
The response typically also will involve
performing certain procedures to address the risk
of management override of controls.
Management is in a unique position to
perpetrate fraud because it can override
established controls that would appear to be
operating effectively. This risk exists in
virtually all audits and can occur in a number of
unpredictable ways. Currently, the auditor’s
planned procedures in response to inherent and
control risks and the auditor’s assessment of the
risk of material fraud consider, at least
implicitly, the risk of management override. The
ED, however, requires auditors of public companies
to perform certain procedures to further address
this risk. These procedures, which generally would
apply also for audits of nonpublic companies,
except in some limited circumstances as discussed
in the ED, include
Examining journal entries and other
adjustments. Several instances
of fraudulent financial reporting involved the
manipulation of the financial statements through
unauthorized journal entries or other so-called
top-side adjustments. Many auditors already may
review unusual or “nonstandard” journal entries.
However, the ED places more emphasis on the
auditor’s understanding of the entity’s financial
reporting process, including automated and manual
procedures used to prepare financial statements
and related disclosures, and how misstatements may
occur. This understanding, already required by SAS
no. 94, The Effect of Information Technology
on the Auditor’s Consideration of Internal
Controls in a Financial Statement Audit,
provides a basis for determining the nature,
timing and extent of testing of journal entries
and other adjustments for evidence of possible
material misstatement due to fraud. This testing
would be a matter of professional judgment and
would be based on the auditor’s assessment of the
fraud risks, whether effective controls have been
implemented over one or more aspects of the
financial reporting process, the nature of the
financial reporting process and the evidence that
can be examined (for example, the extent of manual
vs. electronic evidence) and the nature and
complexity of the accounts.
Reviewing accounting estimates for bias.
Fraudulent financial reporting often
is accomplished through intentional misstatement
of accounting estimates. Existing auditing
standards already require the auditor to consider
the potential for management bias when reviewing
significant estimates. In addition, the ED
requires the auditor to perform a retrospective
review of significant prior-year estimates for any
potential bias that might signal inappropriate
earnings management (for example, recorded
estimates clustered at one end of an acceptable
range in the prior year and at the other end of an
acceptable range in the current year).
Evaluating the business rationale for
significant unusual transactions.
The use of complex business
structures and sophisticated transactions,
especially transactions involving special purpose
entities or related parties, has been making
headlines recently. Although the auditor typically
gains an understanding of significant
transactions, the ED places a greater focus on
understanding the underlying business rationale
for significant unusual transactions. In
this context, unusual transactions are
those that come to the auditor’s attention that
are outside the normal course of business for the
company or that otherwise appear unusual.
THE EFFECT ON AUDITS
The ASB believes the
expanded requirements and guidance provided in the
ED, if adopted, would substantially change auditor
performance and thereby improve the likelihood
that auditors will detect material misstatements
due to fraud in a financial statement audit. The
ED should improve the audit engagement team’s
overall awareness of the possibility of fraud and
motivate all team members to think about how and
where material fraud might occur. This should lead
auditors to be more alert for indications of
potential material fraud and to carefully consider
whether planned audit procedures appropriately
respond to identified fraud risks, including the
risk of management override of controls. An
increased focus on professional skepticism in
gathering and evaluating audit evidence also
should lead auditors to further challenge evidence
that doesn’t make sense and to obtain additional
corroboration of management’s explanations or
representations concerning material matters.
WHAT ELSE IS NEEDED?
The new and
strengthened requirements of the ED alone will not
guarantee that auditors will detect all material
misstatements due to fraud. Fraud often is
difficult to detect because it involves
concealment through falsification of documents or
collusion. Clearly, the ED is a significant
positive step, incorporating the substance of a
great majority of the specific recommendations of
the Panel on Audit Effectiveness relating to
fraud. The ED addresses the auditor’s
effectiveness in detecting material misstatements
due to fraud, but broader efforts are needed that
focus on the roles of management, the audit
committee, regulators and others in addressing
this important issue. Although it is important to
improve the likelihood auditors will detect
material financial statement fraud, a greater
emphasis also is needed on management’s
responsibility for fraud prevention, deterrence
and detection.
INVITATION TO COMMENT
The auditor’s role in
detecting material fraud in a financial statement
audit has never been under such scrutiny or been
the subject of such controversy. We strongly
encourage auditors and others to consider the
changes the ED proposes and to provide the ASB
with comments and feedback. The ED is available on
the AICPA Web site at www.aicpa.org .
Required Inquiries of
Management The proposed
standard requires auditors to ask
management about
Its knowledge of fraud or
suspected fraud.
Its awareness of any
allegations of fraudulent financial
reporting.
Its understanding about the
risks of fraud in the entity.
Programs and controls
established to mitigate specific fraud
risks or broader programs to prevent,
deter or detect fraud and how it
monitors such programs and controls.
For entities with multiple
locations, the nature and extent of
monitoring of operating locations or
business segments and whether there are
particular operating locations or
business segments for which a risk of
fraud may be more likely to exist.
Whether and how it
communicates to employees its views on
business practices and ethical behavior. | |