© 2003 by the AICPA SAS 99: Consideration of Fraud in a Financial Statement Audit

© 2003 by the AICPA Overall Requirement An audit should be planned and performed to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud. An audit requires due professional care, which in turn requires that the auditor exercise professional skepticism.

© 2003 by the AICPA Causes of Misstatements Causes Fraud Errors Misappropriation of Assets Financial Reporting

© 2003 by the AICPA Two Types of Fraud Considered in an Audit Fraudulent financial reporting (“cooking the books”)--examples Falsification of accounting records Omissions of transactions Misappropriation of assets--examples: Theft of assets Fraudulent expenditures

© 2003 by the AICPA Professional Skepticism An attitude that includes a questioning mind and a critical assessment of audit evidence.

© 2003 by the AICPA More Focus on Professional Skepticism! The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and the auditor’s belief about management’s honesty and integrity. Professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred.

© 2003 by the AICPA Terminology Simplification To simplify the display, we will abbreviate the term used in the standard “risk of material misstatement due to fraud” as follows: Risk of material misstatement= Risk of fraud due to fraud

© 2003 by the AICPA Fraud Conditions (“Fraud Triangle) Incentive (Pressure) Opportunity Rationalization (Attitude)

© 2003 by the AICPA Steps involved in Considering the Risk of Fraud 1. Staff discussion 2. Obtain information needed to identify risks 3. Identify risks 4. Assess identified risks 5. Respond to results of assessment 6. Evaluate audit evidence 7. Communicate about fraud 8. Document consideration of fraud

© 2003 by the AICPA Step 1—Staff Discussion of the Risk of Fraud Brainstorm Consider how and where financial statements might be susceptible to fraud Exercise professional skepticism

© 2003 by the AICPA Step 2—Obtain information needed to identify risk of fraud Inquiries of management, the audit committee, internal auditors and others -whether management has knowledge of any fraud or suspected fraud - any allegations of fraud received from employees, analysts, regulators - management’s understanding about the risks of fraud - Any programs and controls to mitigate specific fraud risks - Control over multiple locations - Whether and how management communicates to employees its views on business practices and ethical behavior.

© 2003 by the AICPA Step 2—Obtain information needed to identify risk of fraud Inquiries of management, the audit committee, internal auditors and others Consider results of analytical procedures Consider fraud risk factors Consider other information

Risk Factors See Appendix 1, Example of Risk Factors Classification: Fraudulent Financial Statements vs. Misappropriation of Assets; Incentives, opportunities, rationlization © 2003 by the AICPA

Difficulties in identifying and interpreting red flags Fraud risk factors are not the same as evidence of fraud Fraud risk factors may indicate the existence of risks other than fraud. Can be ambiguous There is no linear relationship between the number of fraud risk factors and the level of fraud risk © 2003 by the AICPA

Difficulties in identifying and interpreting red flags Fraud risk factors are of limited significance in isolation Some fraud risk factors are very difficult to observe © 2003 by the AICPA

Step 3—Identify Risks that may Result in Fraud and Consider Type of risk Significance of risk (magnitude) Likelihood of Risk Pervasiveness of risk

© 2003 by the AICPA Step 4—Assess the identified risks after considering programs and controls Consider understanding of internal control Evaluate whether programs and controls address the identified risks Assess risks taking into account this evaluation

© 2003 by the AICPA Step 5—Respond to Results of the Assessment As risk increases Overall responses More experienced staff More attention to accounting policies Less predictable procedures Specific responses Consider need to increase evidence by altering the nature, timing and extent of audit procedures

© 2003 by the AICPA Step 5—Respond to Results of the Assessment (concluded) On all audits, the auditor should consider the possibility of management override of controls and examine: Adjusting journal entries Accounting estimates Unusual significant transactions

© 2003 by the AICPA Step 6—Evaluate Audit Evidence Assess risk of fraud throughout the audit. Conditions may be identified during fieldwork that change or support a judgment regarding the assessment of the risks: Discrepancies in the accounting records Conflicting or missing evidential matter Problematic or unusual relationship between the auditor and management

© 2003 by the AICPA Step 6—Evaluate Audit Evidence (continued) Evaluate analytical procedures performed as substantive tests and at overall review stage Evaluate risk of fraud near completion of fieldwork Respond to misstatements: fraud? Material? Implication? Withdraw from the engagement?

© 2003 by the AICPA Step 7—Communicate about Fraud Communicate All fraud to an appropriate level of management All management fraud to audit committee All material fraud to management and audit committee Determine if reportable conditions related to internal control have been identified; communicate them to the audit committee

© 2003 by the AICPA Step 7—Communicate about Fraud Should auditors disclose possible fraud to outside parties? Any exceptions?

© 2003 by the AICPA Step 7—Communicate about Fraud (continued) The disclosure of possible fraud to outside parties ordinarily is not part of the auditor’s responsibility unless the matter is reflected in the auditor’s report. Exceptions exist: To comply with certain legal and regulatory requirement (e.g., report an auditor change on 8- K) To a successor auditor In response to a subpoena To a funding agency in accordance with requirements for the audits of entities that receive governmental financial assistance.

© 2003 by the AICPA Document Consideration of Fraud Document steps 1 -7 Staff discussion Information used to identify risk of fraud Fraud risks identified Assessed risks after considering programs and controls Results of assessment of fraud risk Evaluation of audit evidence Communications requirements If improper revenue recognition was not considered a risk, why it wasn’t

© 2003 by the AICPA Impact of SOX on Accounting Profession audio.php audio.php PCAOB Board composition Funding Standard setting Investigative and disciplinary authority International authority

© 2003 by the AICPA Impact of SOX on Accounting Profession New roles for audit committees and auditors Report to audit committee Audit committees must approve all services Auditor must report new information to audit committee Audit partner rotation Employment implications

© 2003 by the AICPA Impact of SOX on Accounting Profession Tougher penalties for those who destroy records, commit securities fraud and fail to report fraud Management assessment of internal controls Audit report to attest to the assessment made by management on internal control structures