SAS 99: Lessons learned from a year focusing on fraud
Editor's note: The following article is reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants.
By John M. Fleming, CPA, and Richard E. Wortmann, CPA
In 2004, practitioners for the first time conducted audits under SAS 99. There has been, to say the least, some difficulty. This article reviews some of the SAS 99 implementation issues identified by practitioners over the past year.
SAS 99, "Consideration of Fraud in a Financial Statement Audit," became effective for financial statement periods beginning on or after Dec. 15, 2002. The basic theme of SAS 99 is that most fraud is not complete fraud, so by performing unpredictable procedures, conducting improved analytical procedures, timely interviewing of non-financial and non-management personnel, and considering issues associated with management override, auditors will improve their ability to detect fraudulent activity.
Additionally, SAS 99 emphasizes that auditors should not rely on client evidence or client explanations in areas of identified fraud risk. While this limits auditors to third-party or auditor-generated evidence, it forces auditors to plan and develop audit procedures that will generate sufficient and competent evidence independent from that generated by the client.
The SAS 99 audit approach
The audit approach in SAS 99 consists of audit planning activities, assessment of identified fraud risks, audit responses to those fraud risks, evaluation of the audit evidence, communication of possible fraud to management, and documentation of all fraud considerations.
Audit planning activities should include some key steps. Schedule and conduct a brainstorming session among the engagement team to identify how and where a client's financial statements may be susceptible to material misstatement due to fraud. Then interview management and other non-financial and non-management personnel to obtain their views of the risks of fraud and any potential areas where fraud may have taken place. Perform preliminary analytical procedures to determine if any unusual or unexpected relationships exist that could indicate the existence of material misstatements due to fraud. Finally, identify any fraud risk factors that could indicate incentives or pressures to commit fraud, opportunity to carry out fraud, or attitudes and rationalizations trying to justify fraudulent actions.
An assessment of the identified fraud risks will help determine in what areas material misstatements due to fraud may have occurred, the types and timing of fraud most likely to have occurred, and how any fraudulent activity could be concealed. Improper revenue recognition and management override of controls are presumed to be fraud risks on all engagements.
Auditors then have to develop audit responses to any resulting fraud risks. Audit responses should address the following:
- the overall effect on how the audit is conducted;
- identified fraud risks involving the nature, timing and extent of specific auditing procedures to be performed, using third-party and auditor-generated sources of evidence; and
- fraudulent activity related to management override of controls.
The audit response should also include these steps:
- unpredictable audit procedures, as well as procedures at locations on a surprise or unannounced basis;
- interviews of customers, suppliers and lenders;
- an inquiry of client personnel who do not have any incentive to commit fraud or lie about possible fraudulent activity; and
- disaggregated (non-financial) substantive analytical procedures.
In addition, the audit approach under SAS 99 needs to evaluate the audit evidence gathered, communicate possible fraud to management and others, and document the auditor's consideration of fraud.
The hard road
SAS 99 does not require forensic audits to be performed, but it does require certain forensic procedures to be applied if fraud risks are identified, such as the interviews of non-financial and non-management personnel, the use of disaggregated and non-financial analytical procedures, the use of unpredictable tests, and others identified above.
This approach, however, creates a number of issues that complicate the traditional audit model. What follows are some of the implementation issues and their complications.
- Increased time spent during audit planning: SAS 99 requires a risk assessment approach to auditing. Risk-based auditing, however, includes an annual assessment of the risk of error at both the financial-statement level and at the cycle or account-balance levels. Risk-assessment auditing can be effective only if sufficient time is spent early, planning the engagement and developing tailored audit procedures to respond to the identified risks.
During 2004, many auditors did not increase their engagement planning time prior to year-end and found it increasingly difficult to comply with SAS 99's requirements in an efficient manner. It is difficult to plan after year-end and during busy season. Engagement time has necessarily increased. Realization on many engagements decreased because they were not planned in a timely manner.
- Auditing revenue recognition: In the past, audit approaches for non-public companies were generally substantive in nature, where auditors detail-tested the balance sheet accounts and analytically reviewed the income statement accounts. SAS 99 requires revenue to be presumed a fraud risk, requiring a different response than client-generated analytical procedures. Using third-party data and auditor-generated data to audit revenue for the year has been challenging and time-consuming.
Sales are a cumulative account, not a year-end balance. In the past, when auditors detail-tested year-end balance sheet accounts, gathering evidence from third parties was efficient and effective because third parties had the information readily available such as an unpaid invoice file, year-end receivable balance, year-end accruals, and so on. Since sales are a cumulative account representing activity throughout the year, this third-party data is not as readily available — just ask any auditor that has tried to confirm annual sales from a customer.
In the future, sales will likely be audited using data extraction software applied throughout the year on all sales activity. This will permit auditors to track sales transactions as they took place and enable auditors to perform a 100-percent test of sales activity. This will encourage more "auditing by exception," rather than auditing specific account balance activity.
- Internal control testing is limited in fraud risk areas: Client records, specifically with regard to internal control, cannot be relied upon in areas where there are identified fraud risks. This limits the evidence auditors can develop to third-party information or auditor-generated information, which is more time-consuming and expensive to acquire. Auditors have found that their evidence-gathering alternatives were limited in these fraud risk areas, and this raised engagement cost beyond some expectations.
- Use of disaggregated / non-financial analytical procedures: The need to perform disaggregated and non-financial analytical procedures to help identify fraud risks, as well as their use in auditor-generated evidence procedures, has challenged many auditors over the past year. SAS 99 stresses that the more disaggregated and non-financial the analytical relationship is, the more effective the analytical result.
For example, sales by month, by customer, by location and by product line are more effective than net income to sales on an annual basis. Also, sales per employee, or sales per square foot by location, is more effective than current-year sales compared to past year's sales.
Identifying which analytics to perform, validating the sources of the non-financial relationships, creating prior expectations before performing the analytics, and appropriately evaluating the results all proved to be time-consuming, frequently with inconsistent application. Auditors should consider the direction provided in the AICPA's audit guide, Analytical Procedures, issued in 2001. This resource illustrates the application of analytical procedures, includes case studies, and discusses the importance of creating prior expectations.
- Problems with auditing electronic journal entries: Examining journal entries is recommended in SAS 99 as a means of identifying any potential management override of internal controls. In some cases, though, this meant examining thousands of journal entries made electronically throughout the year. Auditors have commented that this process is inefficient, and in some cases it was difficult to determine if an intact population existed.
One of the critical skills necessary to implement SAS 99 effectively is the ability to scan transaction data to determine if any transactions are unusual or unexpected. Unfortunately, manually scanning a large volume of transactions is not efficient. Some auditors found that by using data extraction techniques, such as those found in ACL or IDEA software, they could perform electronic scanning in a more efficient and effective manner. In the future, auditors will likely need to improve their technology skills to efficiently and effectively audit electronic accounting information systems.
- Auditor competency issues: Auditors must determine if they are competent to identify fraud risks, develop appropriate audit responses to any identified fraud risks, perform a fraud investigation if necessary, and use the appropriate technology to identify potential fraudulent activity. Many auditors have questioned whether they have the necessary education and training to recognize fraudulent activity and perform fraud detection procedures. They also have wondered whether they are putting themselves at added risk with the additional requirements of SAS 99. As a result, some auditors are adding fraud-related training to their CPE, while others have stopped conducting audit engagements altogether.
- Need to improve interview skills: SAS 99 suggests that interviewing client personnel with knowledge of operations or information related to transaction data can be helpful in identifying fraud risk factors or identifying inconsistent or consistent expected relationships. These interviews can take place at any time during an engagement, but are most helpful during planning when fraud risk factors are being identified. Auditors have indicated mixed success with the interview process and believe they need to do a better job interviewing in the future. Some interview concerns include:
- planning the engagement early enough to be able to identify appropriate individuals to interview;
- obtaining permission from the client to speak to certain individuals, especially those that may be unionized employees;
- scheduling interviews at times convenient to both the interviewee and the auditor;
- preparing the interview questions prior to the interview;
- making the interviewee comfortable. The interviewee must understand that he or she did nothing wrong, and his or her selection is based on the firm's audit strategy, which changes from year to year. Successful interviews are conversational, not closed-end questions and answers;
- developing probing questions by the auditor once a response was provided by the interviewee. Interviewers must be experienced enough to recognize a response that must be probed for additional information. In 2004, many interviews were conducted with the goal of completing the interview, rather than gathering the appropriate information;
- documenting during the interview. This can make an interviewee very uncomfortable, limiting the useful information gathered. Documentation should take place after the interview; and
- implementing appropriate audit responses to interview results.
- Need for increased skepticism: As stated earlier in the article, the basic theme of SAS 99 is that most fraud is not complete fraud. This means that many perpetrators attempt to conceal fraudulent activity, but almost always neglect to conceal some aspect of the fraud. When concealing a fraud, these people will lie to the auditors, prepare false documentation, or do anything they believe necessary to mislead the auditors. In other words, some clients will lie.
The statement that auditors must be more skeptical and assume that clients will lie to prevent fraud detection is contrary to the relationship many auditors believe they have with their clients. This need for increased skepticism has changed the client-auditor relationship in many cases. It has gone from one of partnering to one that is more adversarial, designed to benefit the public interest, not necessarily the client's interest.
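The journal-entry item above raises two checks that data extraction makes practical: confirming that the population is intact and scanning every entry for exceptions. The sketch below is an added example, not from the article and not ACL or IDEA code; the ledger layout, the sample entries and the four exception rules (unexpected preparer, weekend posting, round amount, revenue posted near period end) are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample ledger extract: (entry_no, posted, user, account, cents).
ENTRIES = [
    (1001, date(2004, 3, 15), "clerk1", "4000-Sales", 184217),
    (1002, date(2004, 3, 16), "clerk1", "6100-Rent", 250000),
    (1004, date(2004, 12, 26), "clerk2", "5000-COGS", 91340),
    (1005, date(2004, 12, 31), "cfo", "4000-Sales", 25000000),
    (1005, date(2004, 12, 31), "cfo", "4000-Sales", 25000000),
    (1006, date(2004, 12, 30), "clerk1", "4000-Sales", 731905),
]

def population_check(entries):
    """Return (missing, duplicated) entry numbers between first and last."""
    counts = Counter(e[0] for e in entries)
    missing = [n for n in range(min(counts), max(counts) + 1)
               if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated

def flag_exceptions(entries, period_end, preparers,
                    cutoff_days=5, round_unit=100000):
    """Map entry_no -> sorted reasons. Every entry is tested, not a sample.

    All four rules are illustrative assumptions, not SAS 99 requirements.
    Revenue accounts are assumed to start with "4"; round_unit is in cents.
    """
    flagged = {}
    for no, posted, user, account, cents in entries:
        reasons = set()
        if user not in preparers:
            reasons.add("unexpected preparer")
        if posted.weekday() >= 5:          # Saturday or Sunday
            reasons.add("weekend posting")
        if cents % round_unit == 0:        # exact multiple of $1,000
            reasons.add("round amount")
        days_before_end = (period_end - posted).days
        if account.startswith("4") and 0 <= days_before_end <= cutoff_days:
            reasons.add("revenue near period end")
        if reasons:
            flagged.setdefault(no, set()).update(reasons)
    return {no: sorted(r) for no, r in flagged.items()}

if __name__ == "__main__":
    print(population_check(ENTRIES))
    print(flag_exceptions(ENTRIES, date(2004, 12, 31), {"clerk1", "clerk2"}))
```

A gap or duplicate in the entry numbers is a reason to question the extract before relying on any exception report built from it.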
Keeping watch
With the growing public expectation that audits are conducted to detect fraudulent activity, auditors will need to improve their knowledge and understanding of fraudulent schemes and what motivates individuals to commit fraud. To help you stay vigilant, below are some of the creative fraudulent activities identified in the past few years:
- Recording sales returns as sales again, rather than a reduction in cost of sales
- Recording borrowings from third parties as sales, rather than as notes payable
- Making cash disbursements to related parties and not recording the transaction, resulting in an overstatement of cash
- Adding ghost employees to the payroll, and someone cashing the payroll checks
- Backdating future sales or contracts into a prior period
- Bribes and kickbacks to employees by vendors, resulting in an increase of product costs to the company
- Use of side agreements with right-of-return provisions, resulting in an overstatement of current period sales
- Establishing restructuring reserves in a merger, overstating payables, and then bringing those payables into income as needed to achieve earnings goals
- Understating estimates of sales returns, warranty liabilities, compensated absences, uncollectible receivables, and year-end accruals
- Shipping inventory to one of the company's own warehouses, and recognizing revenue based on the shipment
- Use of off-balance sheet entities to incur debt not recorded on a company's books, or to record fictitious sales to the off-balance sheet entity
These are but a few of the techniques used by fraudsters to misrepresent financial statement results and mislead auditors. The challenge in the future for auditors is to anticipate these types of fraudulent activity, and develop appropriate procedures to detect such activity.
Implementation of SAS 99 has not been an easy road. But as auditors become more experienced, and learn from past difficulties, the journey ahead should be smoother.
John M. Fleming, CPA, is director of accounting and auditing at Loscalzo Associates PA. He can be reached at jmpf@comcast.net. Richard E. Wortmann, CPA, is a director with Belfint, Lyons & Shuman PA. He can be reached at rwortmann@belfint.com. They are members of the Pennsylvania Institute of CPAs' Accounting & Auditing Procedures Committee and the Pennsylvania CPA Journal Editorial Board.
