Auditors will enter a much expanded arena of procedures to
detect fraud as they implement SAS no. 99. The new standard aims to
have the auditor’s consideration of fraud seamlessly blended into
the audit process and continually updated until the audit’s
completion. SAS no. 99 describes a process in which the auditor (1)
gathers information needed to identify risks of material
misstatement due to fraud, (2) assesses these risks after taking
into account an evaluation of the entity’s programs and controls and
(3) responds to the results. Under SAS no. 99, you will gather and
consider much more information to assess fraud risks than you have
in the past. (For the text of the new standard, see Official
Releases, page 105.)
SAS no. 99 reminds
auditors they need to overcome some natural tendencies—such as
overreliance on client representations—and biases and approach the
audit with a skeptical attitude and questioning mind. Also
essential: The auditor must set aside past relationships and not
assume that all clients are honest. The new standard provides
suggestions on how auditors can learn how to adopt a more critical,
skeptical mind-set on their engagements, particularly during audit
planning and the evaluation of audit evidence.
DISCUSSION AMONG ENGAGEMENT PERSONNEL
SAS no. 99 requires the audit team to discuss the potential
for a material misstatement in the financial statements due to fraud
before and during the information-gathering process. This required
“brainstorming” is a new concept in auditing literature, and early
in the adoption process firms will need to decide how best to
implement this requirement in practice. Keep in mind that
brainstorming is a required procedure and should be applied
with the same degree of due care as any other audit
There are two primary objectives of the
brainstorming session. The first is strategic in nature, so the
engagement team will have a good understanding of information that
seasoned team members have about their experiences with the client
and how a fraud might be perpetrated and concealed.
The second objective
of the session is to set the proper “tone at the top” for
conducting the engagement. The requirement that brainstorming
be conducted with an attitude that “includes a questioning
mind” is an attempt to model the proper degree of professional
skepticism and “set” the culture for the engagement. The
belief is that such an audit engagement culture will infuse
the entire engagement, making all audit procedures
that much more effective.
The mere fact the engagement team has a
serious discussion about the entity’s susceptibility to fraud
also serves to remind auditors that the possibility does exist
in every engagement—in spite of any history or preconceived
biases about management’s honesty and integrity.
You should note that SAS no. 99 does not
restrict brainstorming to the planning phase of the audit
process. Brainstorming can be used in conjunction with any
part of the information-gathering process. Auditors gather
data continuously throughout the engagement, so look for
opportunities to brainstorm all the way through. Some auditors
may choose to meet for discussions again near the conclusion
of the audit to consider the findings and experiences of all
team members and whether the team’s assessment about and
response to the risk of material misstatement due to fraud
The new fraud
standard, Statement on Auditing Standards no. 99,
Consideration of Fraud in a Financial Statement
Audit, is the cornerstone of the AICPA’s
comprehensive antifraud and corporate responsibility
program. The goal of the program is to rebuild the
confidence of investors in our capital markets and
reestablish audited financial statements as a clear
picture window into corporate America. From providing
CPAs with clarified and focused auditing guidance to
establishing a new institute for fraud studies, the
AICPA is determined to help reduce the incidence of
This article is
adapted from chapter 2 of Fraud Detection in a GAAS
Audit—SAS No. 99 Implementation Guide by Michael
Ramos, which was published by the AICPA concurrent with
the issuance of the new fraud standard. This
nonauthoritative practice aid provides an in-depth,
section-by-section explanation as well as implementation
guidance and practice tips for the standard. To order
the book (product no. 006613) by telephone, call the
AICPA at 888-777-7077; to order online go to www.CPA2biz.com.
In addition to brainstorming, SAS no. 99 requires
audit team members to communicate with each other throughout the
engagement about the risks of material misstatement due to fraud. In
fact, the standard requires the auditor with final responsibility
for the audit to determine whether there has been appropriate
communication among team members throughout the
EFFECTIVE BRAINSTORMING SESSION
Split it into two parts. The main
objective of brainstorming is to generate ideas about how fraud
might be committed and concealed at the entity. That is all that SAS
no. 99 requires. As a practical matter, some engagement teams may
choose to discuss how they might respond to the identified
Determine a reasonable time limit.
Consultants and business owners who participate
regularly in business brainstorming sessions suggest that a good
session lasts about an hour. After that, the energy begins to fade
and the law of diminishing returns sets in.
Consider assigning “homework.”
The session will be much more productive if all
members have a similar level of understanding about the client, the
nature of its business and its current financial performance. For
auditors brainstorming about fraud matters, it may be beneficial to
perform analytical, fact-based research before the session. In
structuring your session, it will help to consider the
characteristics of the fraud triangle. For example, you might
discuss the incentives/pressures that may exist at the entity or the
opportunities management or employees have to commit fraud. You also
might discuss observations about attitude/rationalization that may
indicate the presence of risk at the company.
Describe the objective of the session in
language people can relate to. To help generate
creative, practical ideas, pose questions people can more easily
understand, such as the following:
If you were the bookkeeper for the entity, how could you
embezzle funds and not get caught?
If you worked on the loading dock, how could you steal
If you owned this company, how might you manipulate the
financial statements to impress bankers?
You might consider setting
ground rules to help you achieve your objective. Here are some
No ideas or questions are dumb. Prejudging
questions by labeling them “dumb” is one sure way to stifle the
contribution of ideas.
No one “owns” ideas. When individuals become
personally invested in an idea, they tend to “fight” for it as long
as possible. There may be a time and a place for battling over the
validity of an idea, but a brainstorming session is not one of them.
There is no hierarchy. The world of ideas does not
recognize rank, experience or compensation level. Create an
environment in which senior team members share information without
dominating the discussion and junior members feel “safe”
contributing their own ideas.
Excessive note-taking is not allowed. A
brainstorming session is an intuitive, spontaneous process.
Excessive note-taking is a barrier to this process.
TO IDENTIFY THE RISKS OF FRAUD
SAS no. 99 significantly expands the number of information sources for
identifying risks of fraud. It provides guidance on obtaining
Management and others within the organization.
Consideration of fraud risk factors.
Management. The new
standard lists several items you should ask about that relate to
management’s awareness and understanding of fraud, fraud risks and
the steps taken to mitigate risks. Several of these inquiries were
not required under previous standards. Some inquiries are relatively
straightforward, but others may require you to “educate” management
about the characteristics of fraud, the nature of fraud risks and
the types of programs and controls that will deter and detect fraud.
The guidance contained in SAS no. 99 provides you with the
background necessary to discuss these matters.
Others. The SAS requires
you to make inquiries of the audit committee (even if it is not
active), internal audit personnel (if applicable) and others about
the existence or suspicion of fraud and to inquire as to each
individual’s views about the risks of fraud. “Others” can include
those employees who are outside the financial reporting
For the most part, auditors tend to restrict their
client inquiries to personnel directly involved in the
financial-reporting process. This approach is appropriate for
matters of which accounting personnel have direct knowledge—for
example, how transactions are processed or controlled. However, it
is less effective to ask accounting personnel about matters of which
they do not have first-hand knowledge (for example, the procedures
used to examine, count and receive items into inventory). Critics of
the audit process frequently cite the auditor’s reluctance to make
inquiries outside of the accounting department as a reason for the
lack of the in-depth understanding necessary to plan and perform an
effective and efficient audit. SAS no. 99 is the first standard that
requires auditors to make inquiries of “others within the entity,”
Operating personnel not directly involved in the
People with knowledge of complex or unusual
In-house legal counsel.
Further, you should not restrict your inquiries to
senior management. The standard suggests making inquiries of
personnel at various levels within the organization. There are two
primary objectives in making such inquiries.
To obtain first-hand knowledge of fraud.
Fraud can happen in any department and at any level
within the organization. Someone in the entity may have observed a
person committing or concealing a fraud. Often, those with knowledge
of a fraud have stated, after the fact, that they would have told
someone, “but nobody asked.” SAS no. 99 increases the likelihood
that the auditor will now be that “someone” who asks.
To corroborate or lend perspective to
representations of others. Operating personnel can
corroborate representations made by others or provide a different
perspective on how things “really work.” For example, accounting
department personnel may be able to provide you with the recommended
control procedures relating to the safeguarding of inventory, but
operational personnel can tell you how the control procedures are
applied in practice and when, if ever, those controls are overridden
The standard allows you to use considerable judgment
in determining to which employees within the organization you should
direct your inquiries and what questions you should ask.
The new standard obligates
you to inquire of management and others in the entity. However, it
does not restrict you to making only those inquiries. In fact, it
encourages you to make additional inquiries in order to gather or
corroborate a wide variety of information that can help you identify
or assess risks of material misstatement due to fraud. Many of the
queries related to these matters should be submitted to personnel
outside of management or the accounting department. For example, you
may wish to use inquiries to
Identify the presence of the fraud triangle
Understand the policies, procedures and controls for
recording journal entries or other adjustments.
Identify circumstances under which management has or may
override internal controls.
Understand policies and procedures related to revenue
Understand the business rationale for significant unusual
Asking the same question of different people can
increase the effectiveness of your inquiries, as you can compare
answers to identify consistencies or anomalies in the responses.
One of the reasons
auditors fail to detect material misstatements caused by fraud is
that they tend to look at current numbers in isolation from the past
or other relevant information. For that reason, SAS no. 99 says the
auditor should consider the results of analytical procedures in
identifying the risks of material misstatement caused by fraud, and
the standard provides a list of procedures auditors can employ that
may indicate the presence of such risks.
A fraud risk factor is an
event or condition that tracks the three conditions of the fraud
triangle. Although fraud risk factors do not necessarily indicate
that fraud exists, they often are warning signs where it does. Like
SAS no. 82, this standard lists numerous illustrative fraud risk
factors to help the auditor in considering whether fraud risks are
present. However, in SAS no. 99, these illustrative fraud risk
factors have been reorganized to track the fraud triangle.
Auditors are cautioned not to think that these fraud
risk factors are all-inclusive. In fact, research has found that
auditors who used open-ended questions that encouraged them to
develop their own fraud risk factors outperformed those who relied
on a checklist based on looking only for the illustrated fraud risk
PROCEDURES TO IDENTIFY FRAUD RISKS
SAS no. 99 says, “When obtaining information about the entity
and its environment, the auditor should consider whether the
information indicates that one or more fraud risk factors are
present.” As a practical matter, the application of SAS no. 22,
Planning and Supervision, relating to audit planning, and
SAS no. 55, Consideration of Internal Control in a Financial
Statement Audit, as amended, relating to internal controls and
the other sections of SAS no. 99, should allow you to identify the
broad categories of fraud risks related to incentive/pressure and
Regarding fraud risk factors relating to
attitude/rationalization, you cannot possibly know with certainty a
person’s ethical standards and beliefs. However, during the course
of your engagement, you may become aware of circumstances that
indicate the possible presence of an attitude or ability to
rationalize that you consider to be a fraud risk. For example, a
recurring attempt by management to justify marginal, inappropriate
accounting on the basis of materiality and a strained relationship
between management and the current or predecessor auditor are fraud
risks relating to fraudulent financial reporting.
SAS no. 99 requires you to consider other
information that may be helpful in identifying the risks of material
misstatement due to fraud. This other data can be gleaned
The engagement team’s brainstorming session.
Client acceptance and continuance procedures.
Reviews of interim financial information.
Consideration of inherent risks at the account or
IDENTIFY AND ASSESS
The key to designing
effective audit tests is to perform an effective synthesis of the
identified risks. Synthesis is defined as “the assembling of a
complex whole from originally separate parts.” That is what you must
do after you identify risks. SAS no. 99 requires auditors to assess
fraud risks, but one of the problems practitioners have had with the
previous standard on fraud is that they mistakenly believed
“assessment” to mean they should describe the risk as high, medium
or low. That is not how “assessment” is meant to be interpreted in
SAS no. 99. The following illustration maps the audit process from
risk identification to audit test design. “Synthesis” is the element
that links the two ends of the process.
Eliminate risk synthesis from the process step, and
the chain is broken—there is no link to risk
Once that link between risk identification and audit
test design is eliminated, it is not surprising that the design of
audit tests is not effective in helping auditors identify
Your goal is to “assess” or to synthesize the
identified risks to determine where the entity is most vulnerable to
material misstatement due to fraud, the types of frauds that are
most likely to occur and how those material misstatements are likely
to be concealed.
PROCEDURES TO IDENTIFIED RISKS OF MATERIAL MISSTATEMENT DUE TO
To help you do a more
effective job combining identified risks and providing that
necessary link, SAS no. 99 offers this guidance. Remember the three
elements of the fraud triangle; the risk of material misstatement
due to fraud generally is greater when all three are present. As an
auditor, use your intuition, judgment and experience to look for
patterns in the identified fraud risks. The new standard reminds you
that failure to observe one of the elements of the triangle does not
guarantee an absence of fraud. Stated another way, it has been
observed that auditors have a tendency to identify incentive and
opportunity but mistakenly fail to pursue the issue because they
have not seen an attitude/rationalization that is conducive to
It also helps to consider whether the identified
risks are related to either specific accounts or transactions or to
the financial statements as a whole. Once you can link the
identified risks to a specific account (or the financial statements
taken as a whole), you then can design and perform more effective
procedures. When assessing information about potential fraud risks,
consider the type, significance, likelihood and pervasiveness of the
When assessing risks,
the new SAS has two additional requirements. As the auditor, you
Presume improper revenue recognition is a fraud
risk. The vast majority of fraudulent financial
reporting schemes involved improper revenue recognition. SAS no. 99
states that you “should ordinarily” presume there is risk of
material misstatement due to fraud relating to revenue recognition.
If you do not identify improper revenue recognition as a risk of
material misstatement due to fraud, you should document the reasons
supporting this conclusion.
Always identify the risks of management
override of controls as a fraud risk. Those who have
studied fraudulent financial reporting have noted that risk of
management override is unpredictable, and, therefore, it is
difficult for auditors to design procedures to identify and assess
it. For that reason, management override always should be addressed
in the design of audit procedures.
ENTITY’S ANTIFRAUD PROGRAMS AND CONTROLS
Once you have identified specific risks of fraud, you should
consider the entity’s programs and controls that mitigate or
exacerbate your identified risks of material misstatement due to
fraud. SAS no. 99 provides examples of programs and controls in
large and small businesses. A new document, entitled Management
Antifraud Programs and Controls, is included as an exhibit to
SAS no. 99; it also is posted online at www.aicpa.org/antifraud/management.
This document, issued by the AICPA and other organizations, provides
examples of programs and controls management can implement to help
deter, prevent and detect fraud.
RESPONDING TO THE
You should address
the risks of material misstatement due to fraud with a response
Has an overall effect on how the audit is
Identifies risks involving the nature, timing and extent of
Addresses management override of controls.
Judgments about the risks of material misstatement
due to fraud have an overall effect on how the audit is conducted in
the following ways.
Assignment of personnel and supervision.
SAS no. 99 provides relatively straightforward
guidance on this matter, which is easy to understand and implement.
The guidance says the greater the risk of material misstatement, the
more experienced personnel and the greater amount of supervision
required on the engagement.
Accounting principles. The
standard audit report expresses an opinion as to whether the
financial statements “present fairly…in accordance with GAAP.” Some
auditors and others involved in the financial reporting process have
questioned whether the “present fairly” criterion has become
subordinate to “in accordance with GAAP.” That is, the issue may be
whether some entities make a case that “since GAAP does not
explicitly prohibit a particular accounting treatment, it must be
acceptable” without considering whether the accounting will result
in a “fair presentation” of the financial position, results of
operations and cash flows.
Thus, the choice of accounting principles, in
addition to their application, becomes crucial for auditors to
consider. SAS no. 99 requires you to consider management’s selection
and application of significant accounting principles as part of your
overall response to the risks of material misstatement.
The new standard focuses your attention on
accounting principles related to subjective measurements and complex
transactions. In addition, given the presumption of revenue
recognition as a fraud risk, you should consider the integrity of
the entity’s policies on revenue recognition and whether these
policies are consistent with key revenue-recognition concepts such
as the completion of the earnings process, the realization of sales
proceeds and the delivery of the product or service.
Predictability of auditing procedures.
Successful perpetrators of fraud are familiar with the
audit procedures external auditors normally perform. With this
knowledge they can conceal the fraud in accounts where auditors are
least likely to look. SAS no. 99 requires you to incorporate an
element of unpredictability into your procedures from year to year,
and it provides tips for implementing this requirement.
ACCOUNTS OR CLASSES OF TRANSACTIONS
SAS no. 99 provides general guidance on modifying the nature,
timing and extent of the audit procedures you will perform to
address identified risks of material misstatement due to fraud.
Three other audit areas merit special mention: revenue recognition,
inventory quantities and accounting estimates, which can go hand in
hand with fraud and therefore can be interrelated.
RISK OF MANAGEMENT
OVERRIDE OF INTERNAL CONTROL
SAS no. 99 requires you to perform certain tasks to address the risk of
management override of internal control. Executives can perpetrate
financial reporting frauds by overriding established control
procedures and recording unauthorized or inappropriate journal
entries or other postclosing modifications (for example,
consolidating adjustments or reclassifications). To address such
situations, SAS no. 99 requires you to test the appropriateness of
journal entries recorded in the general ledger and other
Understanding the financial reporting
process. To effectively identify and test nonstandard
journal entries, you will need to obtain a good understanding of the
entity’s financial reporting process. This knowledge is important
because it allows you to be aware of what should happen in
a “normal” situation so you then can identify anomalies. You also
should know how journal entries are recorded (for example, directly
online or in batch mode from physical documents), be familiar with
the design of any controls over journal entries and other
adjustments and learn whether those controls have been placed in
operation. This information will help you design suitable
Testing journal entries and other
adjustments. Your assessment of the risk of material
misstatement due to fraud, together with your evaluation of the
effectiveness of controls, will determine the extent of your tests.
SAS no. 99 requires that you inspect the general ledger to identify
journal entries to be tested and examine the support for those
The new standard provides extensive guidance on what
to consider when selecting items for testing. Computer-assisted
audit techniques may be required to identify entries that exist only
REVIEW OF ACCOUNTING ESTIMATES
Accounting estimates are particularly vulnerable to
manipulation because they depend heavily on judgment and the quality
of the underlying assumptions. SAS no. 99 requires you to perform a
retrospective review of prior-year accounting estimates for the
purpose of identifying bias in management’s assumptions underlying
the estimates. This review is not intended to call into question
your professional judgments made in prior years that were based on
information available only at that time. Rather, it should be
considered within the context of its implications for the
current-year audit and the facts and circumstances that currently
FOR SIGNIFICANT UNUSUAL TRANSACTIONS
Many financial reporting frauds have been perpetrated or
concealed by using unusual transactions that are outside the normal
course of business. SAS no. 99 obligates auditors to understand the
business rationale for these types of transactions and provides an
excellent list of items you should consider when attempting to
understand the business rationale for unusual transactions. As a
prerequisite for performing this required procedure, the engagement
team’s understanding of the entity and its environment must be
sufficient to allow it to recognize an unusual transaction.
SAS no. 99 provides
comprehensive examples of conditions you may identify during
fieldwork that might indicate fraud. SAS no. 99 reminds auditors
that analytical procedures conducted as substantive procedures or as
part of the overall review stage of the audit also may uncover
previously unrecognized risks of material misstatement due to fraud.
The standard provides several examples of unusual or unexpected
analytical relationships that may indicate a risk of material
misstatement due to fraud.
MAY BE THE RESULT OF FRAUD
SAS no. 99 describes how you should respond when you determine that a
misstatement is, or may be, the result of fraud. If you believe such
a misstatement exists, but its effect is not material to the
financial statements, you still are required to evaluate the
implications of your belief, especially those dealing with the
organizational person(s) involved. For example, if you discover that
a member of senior management has fraudulently overstated his or her
expenses for reimbursement, you will want to reevaluate the
integrity of that individual and the impact an untrustworthy person
in that position could have on the financial statements and your
In those instances where the misstatement is or may
be the result of fraud, and the effect either is material or cannot
be determined, you are required to take the following
Attempt to obtain additional evidence.
Consider the implications for other aspects of the
Discuss the matter and the approach for further
investigation with an appropriate level of management that is at
least one level above those involved and with senior management and
the audit committee.
If appropriate, suggest the client consult with legal
SAS no. 99 provides guidance on the auditor’s course
of action when the risk of material misstatement due to fraud is
such that he or she is considering withdrawing from the engagement.
It is impossible to definitively describe when withdrawal is
appropriate, but in any event you probably will want to consult with
your legal counsel.
SAS no. 99 says, “Whenever you have determined that there is
evidence that a fraud may exist, that matter should be brought to
the attention of the proper level of management. This is appropriate
even if the matter might be considered inconsequential, such as a
minor defalcation by an employee at a low level in the entity’s
organization.” Thus, the threshold for communication is “evidence
that a fraud may exist.” The mere presence of a fraud risk factor or
some other condition that has been observed when fraud is present
generally does not meet this threshold.
The documentation requirements of SAS no. 99 significantly extend those
of the previous standard, requiring documentation supporting
compliance with substantially all the major requirements of the
standard. SAS no. 99 provides a complete, easy-to-understand list of
According to the standard, you are required to
The discussion among engagement personnel in planning the
audit regarding the susceptibility of the entity’s financial
statements to material misstatement due to fraud, including how and
when the discussion occurred, the audit team members who
participated and the subjects discussed.
The procedures performed to obtain information necessary to
identify and assess the risks of material misstatement due to
Specific risks of material misstatement due to fraud that
were identified and a description of the auditor’s response to those
If the auditor has not identified improper revenue
recognition as a risk of material misstatement due to fraud in a
particular circumstance, the reasons supporting that
The results of the procedures performed to further address
the risk of management override of controls.
Conditions and analytical relationships that caused the
auditor to believe additional auditing procedures or other responses
were required and any further responses the auditor concluded were
appropriate to address such risks or other conditions.
The nature of the communications about fraud made to
management, the audit committee and others.
SAS no. 99 has the potential to significantly
advance the profession—to help auditors do their jobs more
effectively, to audit smarter. It is a standard that reaches into
all areas of the audit process and it moves auditors in a different
direction, away from the “checklist mentality” and more into a
thinking person’s audit. It puts professional skepticism front and
center—exactly where it should be. Depending on how the standard is
implemented, it has the potential to be a watershed for how auditors
think about and perform an audit.
The new fraud standard, while a significant step
forward in expanding the functions of an engagement team in planning
and performing an audit, is just one component of the AICPA’s
comprehensive antifraud and corporate responsibility program. Other
fraud-related initiatives first were described in the September 4
speech AICPA President and CEO Barry C. Melancon delivered to the
Yale Club in New York. In the speech he underscored the AICPA’s
commitment to strengthen investor confidence by enhancing the
quality of audits and reinforcing the profession’s core values. When
taken together, the initiatives establish a culture in which
preventing and detecting fraud is everyone’s business—auditors,
corporate America and the financial reporting community. The program
Establishing an Institute for Fraud Studies with the
University of Texas at Austin and the Association of Certified Fraud
Examiners to explore the origin of and circumstances surrounding
Launching an Antifraud and Corporate Responsibility
Resource Center, to be located on the AICPA Web site, featuring
news, tools, information and resources in fraud prevention,
detection and deterrence.
Designing antifraud criteria and controls for public
Calling on CPAs to dedicate 10% of their CPE credits to
Sponsoring a fraud summit to bring together corporate
leaders, the CPA profession and the financial reporting community to
identify new ways to reduce the incidence of fraud.
Developing free corporate governance training programs
focused on the roles and responsibilities of management and
Working to ensure academic institutions and college
textbook authors incorporate antifraud education in training
materials, courses and textbooks.
Many of these initiatives will be rolled out in the
coming months. For more information about SAS no. 99, to read the
appendix to it entitled, “Examples of Fraud Risk Factors,” and to
learn about the antifraud and corporate responsibility program,
visit the AICPA Web site at www.aicpa.org/antifraud/risk.