Cover Article

SAS 99: Another Implement for the Fraud Examiner’s Toolbox


SAS 99 not only requires auditors to be reasonably sure that financial statements are free of material misstatements, whether caused by error or fraud, but it gives them focused and clarified guidance on meeting their responsibilities to uncover fraud.

The U.S. Statement on Auditing Standards (SAS) 99, “Consideration of Fraud in a Financial Statement Audit,” is recommended reading for Certified Fraud Examiners worldwide.

CFEs who routinely inspect financial statements will be pleased by the greater emphasis on fraud detection in this new SAS issued by the Auditing Standards Board of the American Institute of CPAs. Additionally, CFEs who are also CPAs now have a new implement in their toolboxes.

The new SAS draws heavily on the international auditing standard ISA 240 but also adds steps that may be of particular interest to our non-U.S. readers. ISA 240 is now being revised to incorporate many of these changes.

With the recent rash of accounting scandals, investors, creditors, and other financial statement users want auditors to look deeper for fraud. SAS 99 not only requires auditors to be reasonably sure that financial statements are free of material misstatements, whether caused by error or fraud, but it also gives them focused and clearer guidance on meeting their responsibilities to uncover fraud.

Though much of SAS 99 may be review for CFEs, they still will learn useful information from the statement whether they are auditors, law enforcement, private investigators, attorneys, or other professionals. (Find an overview of SAS 99 and purchasing information at www.aicpa.org/members/div/auditstd/riasai/sas99.asp.)

SAS 99 requires auditors to look for fraud throughout the entire audit process. The standard defines fraud as an intentional act resulting in a material misstatement in the financial statements. Fraud consists of two major types: 1) misstatements resulting from fraudulent financial reporting and 2) misstatements resulting from the misappropriation of assets (often referred to as theft or defalcation).

SAS 99 describes three conditions typically present when fraud is committed: incentives/pressures, opportunities, and attitudes/rationalizations. (These are reminiscent of the three sides of the renowned Fraud Triangle [1].) Specifically, the perpetrator of the fraud likely is under pressure or has an incentive to commit the fraudulent act. Second, opportunities probably exist for the perpetrator to commit the fraud. Finally, the perpetrator likely is able to rationalize his or her fraudulent act or possesses an attitude that the act was acceptable. There is a direct relationship between the existence of the three conditions and the likelihood of the occurrence of fraud. However, SAS 99 emphasizes that all three conditions do not need to be present for fraud to occur. The appendix to SAS 99 provides examples of each of the three conditions. (Exhibit 1 shows a sampling of some of the fraudulent financial reporting examples.)

SAS 99 reiterates the importance of exercising professional skepticism throughout the audit. The auditor must maintain a questioning mind and critically assess the responses from the reporting entity’s management and other evidence examined to determine the risk or existence of fraudulent misstatements. The auditor should never accept less-than-persuasive evidence based on the assumption that management is honest.

Discussion Among Engagement Team Members

Before and/or during the performance of information-gathering procedures, SAS 99 requires members of the engagement team, including the auditor who has the final responsibility for the engagement, to meet and discuss the susceptibility of the financial statements to material misstatement due to fraud. The discussion should entail “brainstorming” among the engagement team members for identifying fraud risk factors for the auditee (i.e., incentives/pressures, opportunities, and attitudes/rationalizations). Include a consideration of management’s ability to override controls as part of the discussion.

The discussion should also remind the audit team members to maintain inquiring minds and appropriate levels of professional skepticism throughout the audit, including setting aside any preconceived notions regarding the honesty and integrity of the client entity’s management. This requires the auditor to gather and evaluate evidence objectively throughout the audit for identifying the possibility or existence of a material misstatement due to fraud. Additionally, the engagement team’s brainstorming should set the tone for continuous communication throughout the audit.

Obtaining Information Related to Fraud Risks 

At the start of the financial statement audit process, auditors always seek a sufficient understanding of the auditee’s business and industry. The auditor should then use the information gained to assist in identifying risks of material misstatement due to fraud. SAS 99 specifies procedures the auditor should perform as part of this process.

Make Inquiries of Management and Others About Risks of Fraud

An important source of information is inquiries of the auditee’s management and others throughout the entity. Such inquiries are frequently effective in helping to detect fraud. SAS 99 requires the auditor to make inquiries of the entity’s management regarding its:

1) knowledge of fraud or suspected fraud;
2) awareness of fraud or allegations of fraud;
3) understanding of the entity’s fraud risks, including any specific risks identified;
4) programs and controls that have been implemented to prevent, deter, and detect fraud including how management monitors the performance of these programs and controls;
5) monitoring of multiple locations or business segments; and
6) communication on business practices and ethical behavior to employees.

The auditor should also ask if management has reported to the audit committee of the board of directors (or an equivalent authority) about how the entity’s internal controls serve to prevent, deter, and detect fraud.

Additionally, the auditor should inquire if the members of the audit committee know about fraud or suspected fraud and how the committee monitors the entity’s programs and controls related to fraud. The auditor should ask employees of the internal audit department (if such a department exists) about their work in preventing and detecting fraud.

Finally, the auditor should ask other personnel within the entity (whether they are directly involved in the financial reporting process or not) about their knowledge or suspicion of the occurrence of fraud. Such inquiries could provide useful information to corroborate responses made by management or to gain insight about the possible override of controls or otherwise unusual activities initiated by management. Furthermore, information obtained from these sources may enlighten the auditor on how management communicates the importance of ethical behavior to its employees.

When evaluating the responses to inquiries, the auditor should be constantly aware that a fraud perpetrator has an incentive to conceal his or her act. Therefore, the auditor should carefully review and assimilate the responses. The auditor should seek additional evidence if he or she finds inconsistencies among the responses from management and others.

Consider Results of Analytical Procedures Performed During Planning

Auditors use analytical procedures during the planning stage of all financial statement audits. SAS 99 stipulates the auditor should consider the results of these procedures in identifying the risks of fraud. For example, the auditor should perform analytical procedures related to revenue, such as a trend analysis by month, for the purpose of identifying improper revenue recognition. However, since analytical procedures often employ aggregated data in detecting unusual relationships, the auditor should use them in conjunction with other evidence and procedures for the purpose of identifying material misstatements due to fraud.

Consider Fraud Risk Factors

During the information-gathering stage of a financial statement audit, the auditor should evaluate if any of the fraud risk factors exist indicating incentives/pressures, opportunities, and attitudes/rationalizations. The auditor should keep in mind that one or more of these risk factors does not need to be present in every instance of fraud; however, they are common indicators of fraud’s existence.

The auditor should not necessarily treat each of the fraud risk factors as being equally significant on each engagement or assume all three conditions must exist together in order for fraud to be perpetrated. For example, the pressure to meet an earnings target may be quite high for a particular auditee. In such an instance, the auditor should view this pressure as an increased risk of a material misstatement due to fraud even if an opportunity for the auditee to commit the fraud is not readily apparent to the auditor. Similarly, if incentives or pressures to commit fraud are not evident for an entity but the opportunity to do so is great (e.g., if the auditee’s internal controls are insufficient to prevent or detect fraud), then the auditor should accordingly view this situation as creating an increased risk of a material financial statement misstatement due to fraud.

SAS 99 also requires the auditor to presume that improper revenue recognition is a fraud risk as is management’s potential override of internal controls. The former is specifically designated as a fraud risk because the vast majority of recent fraudulent financial reporting cases relate to the improper recording of revenue. Likewise, the latter should be included as a risk factor since a client entity’s management can perpetrate and conceal fraud by overriding the controls, a common mechanism.

Finally, once the auditor has identified risks of material misstatement due to fraud, he or she should attempt to discover if the fraud risk can be traced to an individual account or transaction class or if the fraud risk relates to the financial statements as a whole. This identification of the risk’s pervasiveness will assist the auditor in designing specific audit procedures to identify material misstatements due to fraud.

Consider Other Information

The auditor should consider other information to identify material financial statement misstatements due to fraud. Examples of these information sources include:

1) the discussions by the engagement team (as described above);
2) procedures related to the acceptance or continuance of a client;
3) the review of the auditee’s interim financial statements; and
4) inherent risks identified on the account or transaction class level.

Auditor’s Response to Identified Risks

To develop an appropriate audit plan, the auditor of financial statements always gains an understanding of the client entity’s internal control components. As part of developing this understanding, SAS 99 stipulates the auditor should determine if the entity has appropriately designed and implemented programs and controls to prevent, deter, and detect material misstatements due to fraud.

The auditor should exercise professional skepticism in his or her responses to identified fraud risks and in the understanding of the entity’s programs and controls to mitigate material misstatements due to fraud. As part of the response to identified fraud risks, the auditor should evaluate how the risks related to management’s programs and controls impact the conduct of the audit. SAS 99 identifies three “overall responses” that affect the way the audit is performed:

1) The auditor’s assignment of personnel and supervision on specific audit areas should be commensurate with the auditor’s assessment of that area’s related fraud risk.
2) The auditor should evaluate if the accounting principles used by management, including how they are collectively applied, create a material misstatement of the financial statements.
3) The auditor should incorporate an element of unpredictability in the audit procedures to be performed. This would make it harder for anyone to determine the mechanisms used by the auditor in detecting fraudulent financial statement misstatements.

Furthermore, SAS 99 provides some additional auditor responses to the identified risks of fraud. These may require changing the nature, timing, and extent of testing to obtain audit evidence that is more reliable or to obtain additional corroborative information. Some of the examples include:

1) performing audit procedures at different locations on a surprise or unannounced basis (e.g., observing inventory);
2) requesting that the entity count its inventory as close to the last day of the reporting period as possible to reduce the risk of manipulation of balances occurring during the period between the inventory count and the end of the reporting period;
3) performing analytical procedures on disaggregated data, such as analyzing revenues and related margins by month, product line, or business segment; and
4) asking suppliers, customers, or others to confirm the terms of contracts and the absence of side agreements.

Also, since management override of internal controls is required as a fraud risk factor, the auditor should perform specific procedures to address this risk. SAS 99 provides examples of procedures, including the following:

1) Examine journal entries and other significant adjustments that may provide evidence of material misstatements due to fraud.
2) Review accounting estimates for biases that could result in fraudulent, material misstatements. This review should include evaluating the reasonableness of underlying judgments and assumptions. The auditor also should perform a retrospective review by examining the accuracy of prior period estimates as a basis for determining if bias exists in current estimates made by management.
3) Evaluate the business rationale for unusual, significant transactions recorded by the entity.

Evaluating Audit Evidence

The auditor should continue to evaluate the potential or existence of a material misstatement due to fraud throughout the audit, according to SAS 99. During fieldwork, the auditor should evaluate whether the specific responses or actions of the management of the client entity indicate an increased risk of fraud. Discrepancies among accounting records or a contradiction among management’s responses to inquiries and the underlying accounting records provide an example of increased risk. Also, if the auditor encounters missing documents or discovers that evidential matter is otherwise unavailable, he or she would need to consider fraud as a potential reason for the unavailability. Additional examples of increased fraud risk are lack of management cooperation or instances in which management is less than forthcoming in assisting the auditor.

Both during and near the completion of fieldwork, the auditor should take a “big picture” approach in deciding if the overall evidence obtained and evaluated is consistent with his or her assessment of fraud risk. Included in this analysis should be the evaluation of results of analytical procedures performed during the overall review stage of the audit and those conducted as a substantive testing procedure, if applicable. This evaluation should assist the auditor in deciding whether additional or different audit procedures are necessary.

Additionally, the auditor with the final responsibility for the engagement should evaluate whether appropriate communications about fraud risks took place among the audit team members. As part of the evaluation, this person should determine whether the communication was ongoing during the performance of the audit.

Responding to Misstatements Possibly Resulting From Fraud

In instances where the auditor has identified a misstatement that is or may be material to the financial statements, the auditor should attempt to obtain additional evidential matter to ascertain if a fraudulent misstatement has or likely has occurred. If the auditor believes the misstatement is or may be the result of fraud, he or she should evaluate the implications of the misstatement on the financial statements and thus the audit.

For example, if the misstatement appears to be immaterial to the financial statements but was the result of a fraudulent act perpetrated by a member of the auditee’s senior management, the auditor should reexamine his or her evaluation regarding the integrity of management. In such instances, the auditor should also reevaluate the risk of material misstatement due to fraud and consider modifying the assessment of control risk and the nature, timing, and extent of substantive testing.

Also, if the auditor simply suspects that fraud may have occurred, he or she should discuss this matter and the approach for further investigation with an appropriate level of management at least one level above those involved, and with senior management and the audit committee. In any case of an actual material misstatement identified as being the result of fraud or in cases in which senior management is suspected of committing fraud, the auditor should inform the audit committee of the client entity’s board of directors (or equivalent authority). Furthermore, upon discovery or suspicion of a misstatement resulting from fraud, the auditor should consider suggesting the client consult with its legal counsel.

Finally, if the auditor believes that a significant risk of material misstatement due to fraud exists, the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee (or equivalent authority).

The auditor’s obligation to maintain confidentiality generally prohibits the auditor from disclosing fraud or suspected fraud to parties outside the entity. Exceptions to the auditor’s confidentiality requirement include when it is necessary to comply with various legal and regulatory requirements, communicating between predecessor and successor auditors, responding to a subpoena, or responding to a specific agency in accordance with requirements of audits for entities that receive governmental financial assistance.

Documenting the Auditor’s Consideration of Fraud 

In accordance with SAS 99, the auditor should document the following:

1) information pertinent to the discussion by the engagement team during the planning phase of the audit regarding the susceptibility of material misstatements due to fraud (This documentation should include how and when the discussion occurred, who participated in the meeting, and what was discussed);
2) the audit procedures performed to identify and assess specific risks of material misstatement due to fraud, including a description of the auditor’s response to those risks;
3) for the unusual circumstance in which improper revenue recognition was not included as a risk of material misstatement due to fraud, the reason for that determination;
4) the results of procedures performed to address the risk of management override of controls;
5) any conditions or results, such as the findings from analytical procedures, that caused the auditor to believe additional audit procedures or responses were necessary; and
6) the nature of communications made to management, the audit committee, or others.

Although the issuance of SAS 99 will not result in financial statement auditors providing a higher level of fraud detection assurance (i.e., they will still offer “reasonable assurance” the financial statements are free of material misstatement), the new standard should result in auditors giving fraud detection more attention. In turn, ideally this will result in fewer fraudulent acts going undetected.

[Some source links referenced in this article are no longer available. — Ed.]

Daniel R. Brickner, Ph.D., CPA, is an assistant professor of accounting at Eastern Michigan University in Ypsilanti, Mich. Michael A. Pearson, D.B.A., CFE, CMA, CPA, a member of The White Paper Editorial Review Board, is a professor of accounting at Kent State University in Kent, Ohio.  

  1. The ACFE describes the Fraud Triangle – a hypothesis derived from Dr. Donald R. Cressey’s work – as consisting of three sides: pressure or perceived non-sharable financial need, perceived opportunity, and rationalization. For a thorough discussion, see chapter one of “Occupational Fraud and Abuse” by Joseph T. Wells, CFE, CPA, ©1997, Obsidian Publishing Company Inc., Austin, Texas.

Exhibit 1 - A Sampling of Fraud Risk Factors Related to Fraudulent Financial Reporting

Incentives/Pressures

  • High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates
  • Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth
  • Rapid growth or unusual profitability, especially compared to that of other companies in the same industry
  • Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages
  • Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards
  • Information available that indicates management or the board of directors’ personal financial situation is threatened by the entity’s financial performance
  • Excessive pressure on management or operating personnel to meet financial targets set up by the board of directors or management, including sales or profitability incentive goals

Opportunities

  • Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate
  • Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult “substance over form” questions
  • Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist
  • Domination of management by a single person or a small group (in a non-owner-managed business) without compensating controls
  • Ineffective board of directors or audit committee oversight over the financial reporting process and internal control
  • Overly complex organizational structure involving unusual legal entities or managerial lines of authority
  • Ineffective accounting and information systems, including situations involving reportable conditions

Attitudes/Rationalizations

  • Ineffective communication, implementation, support, or enforcement of the entity’s values or ethical standards by management or the communication of inappropriate values or ethical standards
  • Nonfinancial management’s excessive participation in or preoccupation with the selection of accounting principles or the determination of significant estimates
  • Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend
  • A practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts
  • An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons
  • Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality
  • Strained relationships between management and the current or predecessor auditor

Source: SAS 99 appendix
