SAS 99Statement on Auditing StandardsConsideration of Fraud in a Financial Statement AuditInternal Accounting Control Program
Goals • What is SAS 99 about? • Why is it important? • Consideration of internal controls to prevent fraudulent activity.
SAS 99 • Effective for audits of financial statements for periods beginning on or after December 15, 2002. • Supersedes SAS No. 82 • The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. • Fraud defined: an intentional act that results in a material misstatement in financial statements that are the subject of an audit. [AICPA-Codification of Auditing Standards]
Why a New Standard • Re-emphasize the role of entity management and boards in preventing and detecting fraud
SAS 99 • Why should I want to become familiar with the content of Statement on Auditing Standards (SAS 99)? • How would you feel if fraud were discovered in an area under your responsibility and that fraud had been going on for years? • How do you think others would perceive things? • Fraud can never be completely eliminated, steps can be taken toward detecting it in a timely manner. • Becoming familiar with the risk factors listed in SAS 99 will place employees in a better position to recognize situations that are associated with the commission of fraudulent acts.
Ethics at Work • 76% of employees in business have observed a high level of illegal or unethical conduct at work in the past 12 months • 49% of employees in business have observed misconduct that, if revealed, would cause their firms to “significantly lose public trust” • KPMG 2000 Organizational Integrity Survey
SAS 99 Impact on the Auditor • No change in the auditor’s responsibility to detect material fraud in financial statement audits • No change in the auditor’s required communication of evidence of fraud • Significant changes in required auditing procedures and documentation in a financial statement audit
The SAS Says • It’s management’s responsibility to: • Set the proper tone • Create and maintain a culture of honesty and ethical behavior • Establish appropriate controls
Ethics and Leadership • Leadership is the ability to see around corners • Leadership is the ability to see the problem before others • Leadership is the ability to fix the problem before it becomes a headline
SAS 99 • Two types of misstatements are relevant to the auditors consideration: • Misstatements arising from fraudulent financial reporting • Misstatements arising from misappropriation of assets.
SAS 99 • IACP Primary Objectives • Safeguarding the state’s assets • Providing reliable financial information
SAS 99 • Fraudulent financial reporting may be accomplished by: • Manipulation, falsification, or alteration of accounting records, supporting documents from which financial statements are prepared • Misrepresentation in or intentional omission of significant information on financial statements • Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure
SAS 99 • Misappropriation of assets: • Embezzling cash, theft of inventory/assets • Causing an entity to pay for goods or services not received • False or misleading records and documents
SAS 99 • Three conditions generally are present when fraud occurs • Motive • Opportunity • Rationalization • See Handout
The Fraud Triangle Motive Opportunity Rationalization
What can be done to help control fraud? • Clear written policies and procedures • Maintain documentation • Asset security • Internal control system • Tone at the top
SAS 99 • SAS requires auditor to have “professional skepticism” • A questioning attitude and a critical assessment of audit evidence • Fraud may be present regardless of the auditor’s belief about management’s honesty and integrity
SAS 99 • Internal Controls-help to prevent/detect fraudulent activity • Management/employees may have the capability to override or circumvent controls • Collusion
SAS 99 • Auditors need to obtain information about the entity to identify the risks of material misstatement due to fraud. • Make inquiries of management and others within the entity to obtain their views about the risks of fraud and how they are addressed.
SAS 99 • Auditors should inquire of management about: • Knowledge of any fraud or suspected fraud • Any allegations about fraud • Risks of fraud in the entity • Programs and controls that mitigate these risks • Monitoring of operation locations and business segments; and any location or segments that might have higher fraud risk • If and how management communicates its views on business practices and ethics • Any fraud-related reports it has made to the audit committee
SAS 99 • For those with an internal audit function, auditor should inquire appropriate internal audit personnel about: • Their views about the risks of fraud • And knowledge of fraud or suspected fraud • Any fraud-related work they have done • The adequacy of management’s responses to any fraud-related findings
SAS 99 • Others within the organization the auditor may want to talk to include: • Employees with varying levels of authority • Personnel with whom the auditor comes into contact with during the course of the audit • Operating personnel not directly involved in the financial reporting process • Employees involved in initiating, recording, or processing complex or unusual transactions • In-house legal counsel
SAS 99 • Why are such inquiries important? • Fraud is often uncovered through information received in response to inquiries • Employee’s opportunity to convey information to the auditor that may not have been communicated • Auditor has a different perspective within the organization
Overview of the Fraud Audit Process Brainstorming Documenting Obtaining Risk Info. On-Going Process Throughout the Audit Communicating Identifying Risks Assessing Risks Evaluating Evidence Responding to Risks
Audit Process • Brainstorming • Audit planning • How and where the financial statements might be susceptible to fraud or what’s here to steal • Emphasize importance of proper state of mind (professional skepticism) during the audit • Include risk of management override of controls • Should continue throughout the audit • Obtaining Risk Info. • Inquiries of management and others about fraud risk and their response to the risk • Direct knowledge • Allegations of fraud by others • Programs and controls established to mitigate the specific risks of fraud identified
Audit Process • Identifying Fraud Risks • Professional judgment required • Think in terms of incentive/pressures, opportunities, and rationalization • Risk attributes to consider: • Type of risk: reporting or misappropriation • Significance of the risk – could it be material • Assessing Fraud Risks • Professional Judgment • Evaluation of entity’s programs and controls that address fraud risks • Responding to Risks • Alter the overall way the audit is conducted • Change the nature, timing, or extent of audit procedures
Audit Process • Evaluating Evidence • Evidence of fraudulent activity • Communicating • Whenever “evidence of fraud” is found, it should be brought to the attention of the appropriate level of management • Even if the matter is inconsequential • Documenting • Good documentation of results is vital