The Auditor and Fraud: Is SAS 99 Enough? C Delano Gray October 24, 2009
SAS 99 Consideration of Fraud in a Financial Statement Audit • How much do you know about SAS 99? • SAS 99 Background • SAS 99 Terms and Definitions • Fraud Risk Factors
Test Your Knowledge, Skills, and Abilities to Detect Potential Fraud… Individuals who commit fraud are ordinarily able to rationalize the act and have an:
Test Your Knowledge, Skills, and Abilities to Detect Potential Fraud… Which of the following is most likely to be considered a risk factor incentive related to fraudulent financial reporting? a) Domination of management by top executives. b) Large amounts of cash processed. c) Program is over budget. d) Small high dollar inventory items.
Test Your Knowledge, Skills, and Abilities to Detect Potential Fraud… What is an auditor’s responsibility who discovers senior management is involved in what is a financially immaterial fraud? a) Report the fraud to those charged with governance. b) Report the fraud to Congress. c) Report the fraud to a level of management at least one level below those involved in the fraud. d) Determine that the amounts involved are immaterial, and if so, there is no reporting responsibility.
Test Your Knowledge, Skills, and Abilities to Detect Potential Fraud… Which of the following is not required by SAS No. 99, “Consideration of Fraud in a Financial Statement Audit”? a) Conduct a continuing assessment of the risks of material misstatement due to fraud throughout the audit. b) Conduct a discussion by the audit team of the risks of material misstatement due to fraud. c) Conduct the audit with professional skepticism, which includes an attitude that assumes balances are incorrect until verified by the auditor. d) Inquiries of the audit committee as to their views about the risks of fraud and their knowledge of any fraud or suspected fraud.
SAS 99 Background Standard • It establishes standards and provides guidance to auditors to help them plan and perform their audits to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
SAS 99 Background • Why does SAS 99 exist? • Recent highly publicized fraud cases – Enron, Tyco, MCI • The general public has an expectation that auditors have a responsibility for detecting management fraud. • The accounting profession has always had trouble explaining to critics why an audit conducted in accordance with generally accepted auditing standards (GAAS) might fail to detect a material misstatement of financial statements caused by fraud.
SAS 99 Background The AICPA’s response… • Auditor’s responsibility • Plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. • Management’s responsibility • Design and implement programs to prevent, deter, and detect fraud. When management and those charged with governance set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced.
SAS 99 Terms and Definitions • Fraud – • An intentional act that results in a material misstatement in financial statements. • Fraud generally involves the following: • A pressure or an incentive to commit fraud • A perceived opportunity to do so. • Rationalization of the fraud by the individual(s) committing it.
SAS 99 Terms and Definitions • Fraudulent financial reporting – • Intentional misstatement or omissions of amounts or disclosures in financial statements designed to deceive financial users when the effect causes the financial statements not to be presented, in all material respects, in conformity with GAAP.
SAS 99 Terms and Definitions • Misappropriation of assets – • The theft of an entity’s assets where the effect of the theft causes the financial statement not to be presented in conformity with GAAP (sometimes referred to as defalcation). • Misappropriation of assets can be accomplished in various ways: • including embezzling, • stealing assets, • causing an entity to pay for goods or services that have not been received or causing an entity to overpay for goods or services actually received.
SAS 99 Terms and Definitions • Fraud risk factors – • Because fraud is usually concealed, material misstatements due to fraud are difficult to detect. Nevertheless, the auditor may identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. • Such events or conditions are referred to as fraud risk factors. • incentives/pressures • opportunities • attitudes/rationalizations Fraud experts often refer to these factors as the Fraud Triangle. • Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists.
SAS 99 Terms and Definitions • Those Charged with Governance in Accountability – • Those charged with governance have the duty to oversee the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process, subject matter, or program under audit including related internal controls.
Fraud Risk Factors • Fraudulent Financial Reporting • Incentives / Pressures: Excessive pressure by senior management to meet financial or program goals. • Opportunity: Ineffective monitoring of management. • Attitudes / Rationalizations: Personal justification that the fraudulent activity is deserved. • Misappropriation of Assets • Incentives / Pressures: Overburdened with personal financial obligations. • Opportunity: Inadequate internal control over assets and processes. • Attitudes / Rationalizations: Personal justification that the fraudulent activity is deserved.
Fraud Risk Management Type: • Misappropriation / Theft • Manipulated Results • Corruption (including Related Party Transactions) Significance: • Macro • Micro • Systemic Readiness Levels: • Prevention / Deterrence • Early Detection • Incident Handling
Error versus Intent to Deceive Inherent Challenges
Trusted Clients Inherent Challenges
For Consideration Largest threat comes from inside “the system” “Beating the System”
Management Override Inherent “Macro” Risk ???
Fraud Detection Expectations IIA Practice Advisory 1210.A2-1 Statement of Auditing Standards 99
IIA Practice Advisory 1210.A2-1 Consider fraud risks in the assessment of control design and determination of audit steps to perform. While internal auditors are not expected to detect fraud and irregularities, internal auditors are expected to obtain reasonable assurance that business objectives for the process under review are being achieved and material control deficiencies whether through simple error or intentional effort are detected.
IIA Practice Advisory 1210.A2-1 Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the various fraud schemes and scenarios associated with the activities reviewed.
IIA Practice Advisory 1210.A2-1 Be alert to opportunities that could allow fraud, such as control weaknesses. If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators.
IIA Practice Advisory 1210.A2-1 Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. Notify the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.
SAS 99: Consideration of Fraud in a Financial Statement Audit Auditor Responsibilities: • “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error (AU sec. 110.02)”
SAS 99: Consideration of Fraud in a Financial Statement Audit Auditor Responsibilities: • “This statement [SAS 99] established standards and provides guidance to auditors in fulfilling that responsibility, as it related to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS).”
Overall Requirement An audit should be planned and performed to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud. An audit requires due professional care, which in turn requires that the auditor exercise professional skepticism.
Causes of Misstatements • Errors • Fraud • Misappropriation of Assets • Financial Reporting
Two Types of Fraud Considered in an Audit • Fraudulent financial reporting (“cooking the books”)--examples • Falsification of accounting records • Omissions of transactions • Misappropriation of assets--examples: • Theft of assets • Fraudulent expenditures
Professional Skepticism • An attitude that includes a questioning mind and a critical assessment of audit evidence • The engagement should be conducted recognizing possibility of material misstatement due to fraud • An auditor should not be satisfied with less than persuasive evidence (more than just inquiry)
Fraud Conditions (“Fraud Triangle”) Incentive (Pressure) Opportunity Rationalization (Attitude)
Steps involved in Considering the Risk of Fraud • Staff discussion • Obtain information needed to identify risks • Identify risks • Assess identified risks • Respond to results of assessment • Evaluate audit evidence • Communicate about fraud • Document consideration of fraud
Step 1—Staff Discussion of the Risk of Fraud • Usually led by engagement leader • Brainstorm • Consider how and where financial statements might be susceptible to fraud • Exercise professional skepticism
Step 2—Obtain information needed to identify risk of fraud • Inquiries of management, the audit committee, internal auditors and others (various levels of the organization!) • Consider results of analytical procedures • Consider fraud risk factors • Consider other information
Step 3—Identify Risks that may Result in Fraud and Consider • Type of risk • Significance of risk (magnitude) • Likelihood of Risk • Pervasiveness of risk
Step 4—Assess the identified risks after considering programs and controls • Consider understanding of internal control • Evaluate whether programs and controls address the identified risks • Assess risks taking into account this evaluation
Step 5—Respond to Results of the Assessment As risk increases • Overall responses • More experienced staff • More attention to accounting policies • Less predictable procedures • Specific responses • Consider need to increase evidence by altering the nature, timing and extent of audit procedures (might move from a moderate to high necessary level of comfort for certain audit areas)
Step 5—Respond to Results of the Assessment (concluded) • On all audits, the auditor should consider the possibility of management override of controls and examine: • Adjusting journal entries • Accounting estimates • Unusual significant transactions
Step 6—Evaluate Audit Evidence • Assess risk of fraud throughout the audit • Evaluate analytical procedures performed as substantive tests and at overall review stage • Evaluate risk of fraud near completion of fieldwork • Respond to misstatements • MUST include an element of unpredictability – what is this???
Step 7—Communicate about Fraud • Communicate • All fraud to an appropriate level of management • All management fraud to audit committee • All material fraud to management and audit committee • Determine if reportable conditions related to internal control have been identified; communicate them to the audit committee
Document Consideration of Fraud Document steps 1-7 • Staff discussion • Information used to identify risk of fraud • Fraud risks identified • Assessed risks after considering programs and controls • Results of assessment of fraud risk • Evaluation of audit evidence • Communications requirements • If improper revenue recognition was not considered a risk, why it wasn’t
Public Oversight Board Panel on Audit Effectiveness - Recommendations • Auditors should perform some “forensic-type” procedures on every audit to enhance the prospect of detecting material financial statement fraud • Attitudinal shift in the auditor’s degree of skepticism • During this phase, auditors should modify the otherwise neutral concept of professional skepticism and presume the possibility of dishonesty at various levels of management, including: • Collusion • Override of internal control • Falsification of documents
Public Oversight Board Panel on Audit Effectiveness - Recommendations • The key question that auditors should ask is “Where is the entity vulnerable to financial statement fraud if management were inclined to perpetrate it?” • Auditors should consider incorporating a surprise or unpredictability element in their tests • Retrospective audit procedures
Public Oversight Board Panel on Audit Effectiveness - Recommendations • Develop or expand training programs for auditors at all levels oriented toward responsibilities and procedures for fraud detection. These programs should emphasize interviewing skills and the exercise of professional skepticism, as well as testing techniques • Using auditors with forensic audit backgrounds to assist in this training would be beneficial.