1. SAS No. 99: Consideration of Fraud in a Financial Statement Audit
Dr. Donald K. McConnell Jr.
1/1/2019

2. Background
Auditing Standards Board committed in 1997 to review impact of SAS no. 82 on practice
Conclusions:
Need to focus not only on auditor’s role in combating fraud, but also roles of management, audit committees, and regulators
Focus should be on prevention and deterrence measures, as well as detection of fraud
1/1/2019

3. Result Was Issuance of SAS No. 99
Intended to affect substantial changes in auditor performance, improving likelihood fraud would be detected
Does not change auditor’s fundamental fraud detection responsibilities
Establishes significant additional audit requirements and enhanced fraud detection guidance
1/1/2019

4. Most Significant Changes from SAS 82
Required planning discussions among audit team members concerning fraud risks
broader guidance concerning sufficient professional skepticism
Expanded inquiries of management and others to identify fraud risks
Added a third fraud condition: attitude/rationalization
Broader guidance for assessing fraud risks
Expanded revenue recognition fraud risk guidance
Procedures to address risk of management override of controls
1/1/2019

5. The Auditor Has a Responsibility to Plan and Perform the Audit to Obtain Reasonable Assurance about Whether the Financial Statements Are Free of Material Misstatement, Whether Caused by Error or Fraud
1/1/2019

6. Description and Characteristics of Fraud
Fraud a broad legal concept
Auditor’s focus should be on activities causing financial statements to be materially misstated, not all fraud
Key elements in most fraud schemes:
Incentives/pressures
Opportunities
Attitudes/rationalizations [new to Au 316]
Even fundamentally honest persons can rationalize committing fraud under intense pressures!
1/1/2019

7. Description and Characteristics of Fraud (con.)
Intent determines whether activities are fraudulent, or due to error
Fraud can occur anywhere and anytime involving anyone, regardless of prior experience with a client
Fraud schemes often difficult to detect due to:
Concealment
Possible collusive activities
Falsified documentation
1/1/2019

8. Two Types of Fraudulent Misstatements
Misstatements arising from fraudulent financial reporting [fraud for the entity]
Misstatements arising from misappropriation of assets [fraud against the entity]
1/1/2019

9. Professional Skepticism
Existing standards did not provide sufficient guidance for adequate professional skepticism
Based on fundamental belief that management generally possesses integrity:
Auditors don’t always adequately pursue audit conditions noted: Why?
Fail to adequately corroborate management representations
Auditors must set aside all previous beliefs about management honesty and integrity!
1/1/2019

10. Required Audit Team Discussions
Required interactive audit team “brainstorming” to exchange fraud risk ideas in planning phases
Should ordinarily involve key members of the audit team, including engagement partner
May involve specialists or IT professionals
1/1/2019

11. Brainstorming Rules [J of A, Jan. ’03, pg. 29]
No ideas or questions are “dumb” *
No one “owns” ideas
There is no hierarchy
Ideas should not recognize rank
Senior audit staff should not dominate discussions
Staff auditors should feel safe contributing ideas
No excessive note taking allowed
Session should be intuitive and spontaneous
Excessive note taking is a barrier
1/1/2019

12. What Would Be Discussed?
Discussions should focus on:
How and where financial statements might be susceptible to material fraudulent misstatement
Ways management might be able to perpetrate and conceal such
How assets could be misappropriated
Risks of management override of controls
Known internal and external factors creating fraud incentives or pressures
Continued fraud risk communications throughout the audit
1/1/2019

13. The Overall Process: Consideration of Fraud in a Financial Statement Audit
Obtain information identifying risks of material fraudulent misstatement
Assess identified fraud risks after considering entity programs and controls
Respond to results of that fraud risk assessment
Evaluate whether accumulated evidence adequately addresses those responsibilities
1/1/2019

14. Identifying Risks of Material Fraud:
Obtain a broader range of information as input, not just fraud risk factors from SAS No. 82 (fraud risk factors now in Appx. A)
Inquiries of management to identify fraud risks
Inquiries of audit committees, internal auditors, and others to identify fraud risks
Consider results of planning stage analytical procedures
Other information helpful in identifying risks of material fraudulent misstatement
1/1/2019

15. Inquiries of Management
Management’s awareness of fraud perpetrated or suspected
Management’s awareness of fraud allegations from former or current employees, analysts, or short sellers
Management’s understanding about entity fraud risks, general and specific
Programs and controls established for prevention, deterrence, and detection
Nature and extent of fraud risk monitoring
Whether and how ethical values are communicated
1/1/2019

16. Inquiries of Audit Committees, Internal Auditors, and Others
How is fraud oversight exercised?
Knowledge of fraud risks
Knowledge of actual or suspected fraud
Internal auditors:
All above, plus
Procedures performed during the year to identify or detect fraud
Adequacy of management responses
1/1/2019

17. Inquiries of Audit Committees, Internal Auditors, et. al. (con.)
Inquiries to individuals outside of financial reporting areas:
To corroborate management responses
Information regarding possible management override
Evaluation of management’s policies regarding ethical behavior
Obtain additional audit evidence if inconsistent responses
Premise of inquiries: Individuals more likely to respond to direct questions than to voluntarily disclose information!
“I knew of fraud, but nobody asked!”
1/1/2019

18. Identifying Fraud Risks in Planning Stage: Analytical Procedures
Usually involve aggregated data, thus only broadly suggestive of fraud risks
SEC finding: 70% of recent AAER’s reveal alleged or actual fraudulent revenue overstatement
Ordinarily presume high risk of fraudulent revenue recognition
Should therefore perform analytical procedures relating to revenue accounts:
Relate sales volume to production in comparison with prior periods (G.P. test)*
Comparative monthly revenues with sales returns shortly after year end*
1/1/2019

19. Other Information Helpful in Identifying Fraud Risks
Audit engagement team discussions
Reviewing interim financial statements:
Unique opportunities for fraudulent reporting
Many frauds initiated during interim periods. Why?
Auditor scrutiny of interim F.S.’s characteristically less than for an annual audit of financial statements
1/1/2019

20. Assessing Identified Fraud Risks
Has management established programs and controls addressing identified fraud risks?
Are such suitably designed and operating effectively? [auditor must test operating effectiveness]
Do such mitigate or actually exacerbate identified fraud risks?*
Auditor must develop an appropriate response to each identified material fraud risk not effectively addressed by entity programs and controls
1/1/2019

21. Responding to Results of Fraud Risk Assessment
Having considered entity fraud programs and controls, the auditor may undertake:
A response involving more general considerations apart from specific procedures planned
A response to specific identified risks involving nature timing and extent of auditing procedures
A response involving performance of certain procedures to address possible management override
Engagement withdrawal, where impracticable to design procedures adequately addressing risk
1/1/2019

22. Overall Responses to Risks of Material Misstatements
Consider assigning forensic or IT specialists, in addition to more experienced personnel
Consider whether client accounting principles and policies collectively suggest possible bias
Why include forensic elements in financial statement audits?
1/1/2019

23. Overall Responses to Risks of Material Misstatements (con.)
Successful fraudsters are familiar with audit procedures normally performed
They conceal fraud in accounts not likely examined, or items below audit scopes
Be sure to incorporate forensic elements into all audits, to disrupt predictability:
Substantive tests of accounts or assertions not normally tested due to immateriality or low perceived risk
Changing timing of testing
Using different sampling methods
Procedures at unexpected locations, or
On unannounced basis
1/1/2019

24. Responses Involving Nature, Timing, and Extent of Procedures
Obtain more reliable evidence
Obtain additional corroborative evidence from external sources [public record information] about existence and nature of key customers, vendors, transaction counter-parties
Consider using computer assisted audit techniques [CAATS] to gather more extensive evidence
1/1/2019

25. Responses Involving Nature, Timing, and Extent of Procedures
Fraud risks might preclude projecting interim assessment conclusions to year end
Thus, substantive testing would need to be done at or near year end
Extent:
Consider increasing sample sizes
Consider performing analytical procedures using disaggregated date [e.g. monthly vs. annual data]
1/1/2019

26. If Potential Improper Revenue Recognition Schemes Raise Risks:
Perform analytics relating to revenue using disaggregated data
Confirm with customers absence of “side agreements,” e.g.:
Acceptance/delivery terms
Continuing vendor obligations
Rights of return by customers
Cancellation provisions
Inquiry of sales personnel or in house counsel of unusual terms or conditions relating to year end sales or shipments
1/1/2019

27. Where Revenue Recognition Schemes Raise Risks (con.)
Auditor presence at year end to observe shipments or returns awaiting processing
Perform appropriate sales and inventory cut-off tests
Test IT processed revenue transactions for assurance:
Transactions occurred
Properly recorded
Consider CAATS to identify unusual or unexpected revenue issues
1/1/2019

28. Where Inventory Fraud Risks Exist
Examine inventory records to identify locations requiring attention
Observe counts on unannounced basis and concurrently
Rigorously examine boxed contents, manner in which inventories stacked, liquids quality
Obtain copies of tags or count sheets to minimize alteration risk or inappropriate compilation
Compare quantities to prior periods by category or location
Consider CAATS to test for omissions or duplication
1/1/2019

29. Responses to Risks of Management Override
Management uniquely positioned to perpetrate fraud
Management can direct or solicit employee help to manipulate
Management override can occur in unpredictable ways, even when controls appear effective
Auditors REQUIRED to perform substantive tests for override risks:
Standard and non-standard J.E.’s*
Review estimates for possible bias
Evaluate business rationale of unusual transactions
1/1/2019

30. How Can F.S.’s be Misstated Through Improper J.E.’s?
Inappropriate or unauthorized J.E.’s during or near period end
Adjustments to F.S.’s not reflected in formal J.E.’s, e.g. “topside adjustments”
Consolidating adjustments
Report combinations
Reclassifications
Entries to unrelated, unusual, or seldom used accounts
1/1/2019

31. Common Characteristics of Improper Journal Entries
Often made by persons who do not typically prepare J.E.’s
Often occur at period end
Often contain round numbers or consistent ending numbers
Often involve accounts:
Complex or unusual in nature
Significant estimates
Prone to errors in the past
Containing unreconciled differences
for intercompany transactions
1/1/2019

32. What Must Auditor Do?
Obtain understanding of IC’s over J.E.’s and other adjustments:
What are the type, number, and usual monetary amounts of J.E.’s?
Who can initiate?
What approvals are required?
How recorded?
Determine whether J.E. controls suitably designed and placed in operation
Select J.E.’s and other adjustments for testing
1/1/2019

33. Considerations in Nature, Timing, and Extent of J.E. Testing
Identified fraud risks can suggest which J.E.’s to test
Inspect general ledger to identify J.E.’s for testing and examination of support
CAATS may be needed to identify J.E.’s for testing
Realize that non-standard J.E.’s might not be subject to entity IC’s:
Business combination entries
Asset impairment entries
Consolidating, report combinations, reclassifications
1/1/2019

34. Considerations in Timing of J.E. Testing
Usually concentrate J.E. testing at end of year
That’s when fraudulent J.E.’s typically occur!
However, consider testing J.E.’s throughout audit year
COSO: Many frauds initiated in Forms 10-Q in small amounts which increase over several years!
1/1/2019

35. Management Override Risk: Reviewing Estimates for Bias
F.S. fraud often arises when mgmt manipulates estimates!
Consider whether audit determinations and estimates suggest possible bias, even if individually reasonable
If so, consider such estimates in the aggregate
Perform retrospective review of prior estimates for indication of bias in current estimates
However, such not intended to question prior professional judgments
1/1/2019

36. Evaluating Business Rationale for Unusual Transactions
Might indicate transactions consummated for fraudulent purposes
Are transactions overly complex?
Has mgmt place more emphasis on accounting treatment need rather than underlying economics?
Are unconsolidated related parties or SPE’s involved?
Is board or audit comm. aware?
Are transactions with parties lacking substance or financial ability to support transactions without entity help?
1/1/2019

37. Evaluating Audit Evidence
Auditor assessment of fraud risks an on-going process during audit
Conditions identified (see examples in Au ) might change or support initial fraud risk assessment
Auditor must perform analytical procedures relating to revenue recognition through end of reporting period
1/1/2019

38. Evaluating Audit Evidence (con.)
In performing analytics, the auditor should be particularly wary of:
Uncharacteristically large amounts of income reported toward the end of the reporting period
Income inconsistent with trends and cash flow from operations
1/1/2019

39. Evaluating Audit Evidence (con.)
Fraudulent activities might cause unexpected analytical relationships (perpetrators often unable to manipulate related variables), e.g.:
Net income inconsistent with cash flows from operations, as management unable to manipulate cash flows
Profitability or bad debt write-offs not comparable to industry data
Management reported sales volume inconsistent with production statistics maintained by operating personnel
1/1/2019

40. Evaluating Audit Evidence (con.)
At end of fieldwork, auditor must qualitatively evaluate if accumulated evidence and observations affect earlier fraud risk assessment
Insights might suggest need to perform additional or different audit tests
1/1/2019

41. Responding to Identified Misstatements Possibly Caused by Fraud
Audit tests might reveal misstatements that may have resulted from fraud [You heard the gunshot]
Effects, if due to fraud, might be:
Immaterial
Material
1/1/2019

42. If Effects Likely Would Be Immaterial, and C/H/B Committed by:
Non-management employees:
Simply refer to next higher level of management
No need for auditor investigation
Would not ordinarily be significant in assessing fraud risk
Higher level management:
Re-evaluate initial fraud risk assessment
Raises pervasive questions about management integrity*
Auditor must assess impact of such on nature, timing, and extent of testing
Does this effect control risk assessment , where CR assessed less than maximum?
1/1/2019

43. If Effects Likely Would Be Material, or Unable to Evaluate Materiality
Must investigate whether material fraud has occurred, or may have occurred
Discuss investigative approach with senior management and audit committee
If senior management C/H/B involved, address directly with audit committee
Auditor withdrawal possible if:
Management integrity implications
Poor client diligence and cooperation in taking meaningful action
1/1/2019

44. Where Investigation Reveals Evidence of Fraud [You See Someone Holding the Smoking Gun!]
Bring to attention of appropriate management levels, even for minor embezzlements
Reach understanding with audit committee concerning communication of lower-level employee misappropriations
Report directly to audit committee:
Fraud causing material misstatement of financial statements
Any fraud involving senior management
1/1/2019

45. Disclosure of Material Fraud to Outsiders
Auditor ordinarily precluded ethically from disclosing confidentially obtained information
Confidentiality requirement waived:
SEC Form 8-K requirements
Compliance with Private Securities Litigation Reform Act of 1995
Communications between predecessor and successor auditors (Au 315)
Responding to validly issued subpoena
Funding or other agency requirements
1/1/2019

46. What is Auditor Required to Document?
Audit team planning discussions:
Who participated
Matters discussed
How and when discussions occurred
Procedures performed to identify and assess fraud risks
Fraud risks identified, and description of auditor’s response
Justification, if revenue recognition fraud risks were not considered significant
1/1/2019

47. What is Auditor Required to Document?
Results of procedures performed to address risk of management override of controls
Conditions or analytics causing auditor to believe additional procedures or responses were required, and appropriate responses
Nature of communications concerning fraud made to management or audit committee
1/1/2019

48. Examples of Fraud Risk Factors
A compendium of fraud warning signs or red flags: Au
Arranged by the three conditions generally present when fraud occurs
1/1/2019

49. “Fraud is a big lie, wrapped in the skin of truth.”
Barry Minkow
1/1/2019