Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued in October 2002. The original exposure draft was distributed in February 2002. SAS 99, which supersedes SAS 82, was issued partly in response to recent accounting scandals at Enron, WorldCom, Adelphia, and Tyco. The standard incorporates recommendations from various contributors including the International Auditing & Assurance Standards Board SAS 99 became effective for audits of financial statements for periods beginning on or after December 15 2002.
Key Components of SAS 99
Describes fraud and its characteristics.
SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements. There are two types of fraud considered: misstatements arising from fraudulent financial reporting (eg. falsification of accounting records) and misstatements arising from misappropriation of assets (eg. theft of assets or fraudulent expenditures). The standard describes the fraud triangle as pictured below. Generally, the three ‘fraud triangle’ conditions are present when fraud occurs. First, there is an incentive or pressure that provides a reason to commit fraud. Second, there is an opportunity for fraud to be perpetrated (eg. absence of controls, ineffective controls, or the ability of management to override controls.) Third, the individuals committing the fraud possess an attitude that enables them to rationalize the fraud.
Requires ‘brainstorming’ sessions to discuss how and where the entity’s financial statements might be susceptible to material misstatement due to fraud.
This requirement is a new concept in audit standards and it has two primary objectives. The first objective is so the engagement team will have an opportunity for the seasoned team members to share their experiences with the client and how a fraud might be perpetrated and concealed. The second objective is to set the proper “tone at the top” for conducting the engagement. The brainstorming session is to be conducted in a manner that models the proper degree of professional skepticism and sets the culture for the entire engagement.
Requires the auditor to gather information necessary to identify risks of material misstatement due to fraud by the following:
- Making inquiries of management and others within the entity
- Considering the results of analytical procedures performed in planning the audit.
- Considering fraud risk factors.
- Considering certain other information
SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to ‘educate’ management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.
Requires the auditor to use the information gathered to identify risks that may result in a material misstatement.
This section provides guidance and support on how to identify and assess risks. It challenges auditors to change the way they think about assessing fraud risks. Auditors should identify risks and synthesize how those risks could lead to a material misstatement. This section specifically requires that improper revenue recognition and management override of controls be considered.
Requires the auditor to evaluate the entity’s programs and controls that address the identified risks of material misstatement.
SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks.
Requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment.
The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment.
Provides guidance regarding the auditor’s communications about fraud to management, the audit committee, and others.
The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant.
Describes documentation requirements.
SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor’s response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional audit procedures
or other responses, and (6) nature of communications about fraud made to management and others.
Criticisms of SAS 99
The primary criticism of the standard is that many procedures are suggested rather than required. For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count. In actual practice auditors often tell clients which inventory locations they are going to ‘observe.’ Telling clients which locations are going to be audited makes it easy to commit inventory fraud.
A similar criticism is that SAS 99 doesn’t close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.
Information Technology Audit