AWR Articles

Statement On Auditing Standards No. 99 – Consideration Of Fraud In A Financial Statement Audit The Next Step In Fraud Detection Responsibility

• Professional skepticism is the most fundamental change. Yet, SAS 99 really says nothing new about professional skepticism. Auditors have always been required to maintain a healthy professional skepticism.

• SAS 99 requires the audit team to conduct a Brainstorming session in the planning stage of each audit. Every member of the audit team is to be in attendance and the goal of this session is to discuss, as a team, the fraud risks of an entity or how fraud might be committed and concealed by the client. Active discussion and participation at all team levels is expected and the results of this brainstorming session must be documented in audit workpapers.

• Information gathering during audits after implementing SAS 99 will look radically different than the same process during audits prior to SAS 99. SAS 99 requires auditors to move away from the typical comfort zones of preprinted internal control checklists and discussions with only accounting department personnel. SAS 99 requires interviews of others within an organization that have knowledge of the business, its unusual or complex transactions, and with specific knowledge of critical operating areas or transaction cycles. Candidates for interview will not necessarily be limited to management personnel. Furthermore, candidates should expect the questions to be critical and open-ended, intended to illicit more than yes and no answers.

• These interviews and the informationgathering process is one step in a process, defined by SAS 99, of identifying specific risks of material financial statement misstatement due to fraud. Another step in that process is the identification of and assessment of fraud risk factors. Fraud risk factors are events or conditions that track against the three conditions generally present when a fraud occurs: incentive, opportunity, and rationalization. These fraud risk factors and the fraud conditions exist in every organization and vary within industries. Expect your auditors to evaluate the fraud risk factors in your organization and more importantly, how management identifies and addresses them.

• SAS 99 sets two required risk assessments. First, auditors must now assume that improper revenue recognition is a high fraud risk. Generally, most fraudulent financial reporting schemes involve improper revenue recognition, and thus, the industry gives auditors very little judgment in addressing the fraud risk from improper revenue recognition. Second, since management is in the best position to commit fraud, management override of internal controls to prevent and deter fraud is also considered a high fraud risk.

• Auditors implementing SAS 99 will look at internal controls put in place by management with a different focus. They will supplement their existing understanding of internal control with a new perspective that considers fraud risk.

• After the information gathering and internal control review described above, your auditors will design procedures to respond to these identified risks. SAS 99 requires certain procedures, including:
• Auditing procedures designed to test journal entries
• Annual retrospective review of accounting estimates
• Critical evaluation of accounting principles and application of GAAP
• Evaluating the business rationale for significant unusual transactions