AN APPRAISAL ON FRAUD DETECTION AND ITS CONTROL
PROFESSIONAL SKEPTICISM
SAS no. 99 reminds auditors they need to overcome some natural tendencies—such as overreliance on client representations—and biases and approach the audit with a skeptical attitude and questioning mind. Also essential: The auditor must set aside past relationships and not assume that all clients are honest. The new standard provides suggestions on how auditors can learn how to adopt a more critical, skeptical mind-set on their engagements, particularly during audit planning and the evaluation of audit evidence
NEW REQUIREMENT: DISCUSSION AMONG ENGAGEMENT PERSONNEL
SAS no. 99 requires the audit team to discuss the potential for a material misstatement in the financial statements due to fraud before and during the information-gathering process. This required “brainstorming” is a new concept in auditing literature, and early in the adoption process firms will need to decide how best to implement this requirement in practice. Keep in mind that brainstorming is a required procedure and should be applied with the same degree of due care as any other audit procedure.
There are two primary objectives of the brainstorming session. The first is strategic in nature, so the engagement team will have a good understanding of information that seasoned team members have about their experiences with the client and how a fraud might be perpetrated and concealed.
The second objective of the session is to set the proper “tone at the top” for conducting the engagement. The requirement that brainstorming be conducted with an attitude that “includes a questioning mind” is an attempt to model the proper degree of professional skepticism and “set” the culture for the engagement. The belief is that such an audit engagement culture will infuse the entire engagement, making all audit procedures that much more effective.
The mere fact the engagement team has a serious discussion about the entity’s susceptibility to fraud also serves to remind auditors that the possibility does exist in every engagement—in spite of any history or preconceived biases about management’s honesty and integrity.
You should note that SAS no. 99 does not restrict brainstorming to the planning phase of the audit process. Brainstorming can be used in conjunction with any part of the information-gathering process. Auditors gather data continuously throughout the engagement, so look for opportunities to brainstorm all the way through. Some auditors may choose to meet for discussions again near the conclusion of the audit to consider the findings and experiences of all team members and whether the team’s assessment about and response to the risk of material misstatement due to fraud were appropriate.
The new fraud standard, Statement on Auditing Standards no. 99, Consideration of Fraud in a Financial Statement Audit, is the cornerstone of the AICPA’s comprehensive antifraud and corporate responsibility program. The goal of the program is to rebuild the confidence of investors in our capital markets and reestablish audited financial statements as a clear picture window into corporate America. From providing CPAs with clarified and focused auditing guidance to establishing a new institute for fraud studies, the AICPA is determined to help reduce the incidence of financial fraud.
This article is adapted from chapter 2 of Fraud Detection in a GAAS Audit—SAS No. 99 Implementation Guide by Michael Ramos, which was published by the AICPA concurrent with the issuance of the new fraud standard. This nonauthoritative practice aid provides an in-depth, section-by-section explanation as well as implementation guidance and practice tips for the standard. To order the book (product no. 006613) by telephone, call the AICPA at 888-777-7077; to order online go to www.CPA2biz.com .
In addition to brainstorming, SAS no. 99 requires audit team members to communicate with each other throughout the engagement about the risks of material misstatement due to fraud. In fact, the standard requires the auditor with final responsibility for the audit to determine whether there has been appropriate communication among team members throughout the engagement.
STRUCTURING AN EFFECTIVE BRAINSTORMING SESSION
Split it into two parts. The main objective of brainstorming is to generate ideas about how fraud might be committed and concealed at the entity. That is all that SAS no. 99 requires. As a practical matter, some engagement teams may choose to discuss how they might respond to the identified risks.
Determine a reasonable time limit. Consultants and business owners who participate regularly in business brainstorming sessions suggest that a good session lasts about an hour. After that, the energy begins to fade and the law of diminishing returns sets in.
Consider assigning “homework.” The session will be much more productive if all members have a similar level of understanding about the client, the nature of its business and its current financial performance. For auditors brainstorming about fraud matters, it may be beneficial to perform analytical, fact-based research before the session. In structuring your session, it will help to consider the characteristics of the fraud triangle. For example, you might discuss the incentives/pressures that may exist at the entity or the opportunities management or employees have to commit fraud. You also might discuss observations about attitude/rationalization that may indicate the presence of risk at the company.
Describe the objective of the session in language people can relate to. To help generate creative, practical ideas, pose questions people can more easily understand, such as the following:
If you were the bookkeeper for the entity, how could you embezzle funds and not get caught?
If you worked on the loading dock, how could you steal inventory?
If you owned this company, how might you manipulate the financial statements to impress bankers?
SOME BRAINSTORMING RULES
You might consider setting ground rules to help you achieve your objective. Here are some examples.
No ideas or questions are dumb. Prejudging questions by labeling them “dumb” is one sure way to stifle the contribution of ideas.
No one “owns” ideas. When individuals become personally invested in an idea, they tend to “fight” for it as long as possible. There may be a time and a place for battling over the validity of an idea, but a brainstorming session is not one of them.
There is no hierarchy. The world of ideas does not recognize rank, experience or compensation level. Create an environment in which senior team members share information without dominating the discussion and junior members feel “safe” contributing their own ideas.
Excessive note-taking is not allowed. A brainstorming session is an intuitive, spontaneous process. Excessive note taking is a barrier to this process.
OBTAIN INFORMATION TO IDENTIFY THE RISKS OF FRAUD
SAS no. 99 significantly expands the number of information sources for identifying risks of fraud. It provides guidance on obtaining information from
Management and others within the organization.
Analytical procedures.
Consideration of fraud risk factors.
Other sources.
Management. The new standard lists several items you should ask about that relate to management’s awareness and understanding of fraud, fraud risks and the steps taken to mitigate risks. Several of these inquiries were not required under previous standards. Some inquiries are relatively straightforward, but others may require you to “educate” management about the characteristics of fraud, the nature of fraud risks and the types of programs and controls that will deter and detect fraud. The guidance contained in SAS no. 99 provides you with the background necessary to discuss these matters.
Others. The SAS requires you to make inquiries of the audit committee (even if it is not active), internal audit personnel (if applicable) and others about the existence or suspicion of fraud and to inquire as to each individual’s views about the risks of fraud. “Others” can include those employees who are outside the financial reporting process.
For the most part, auditors tend to restrict their client inquiries to personnel directly involved in the financial-reporting process. This approach is appropriate for matters of which accounting personnel have direct knowledge—for example, how transactions are processed or controlled. However, it is less effective to ask accounting personnel about matters of which they do not have first-hand knowledge (for example, the procedures used to examine, count and receive items into inventory). Critics of the audit process frequently cite the auditor’s reluctance to make inquiries outside of the accounting department as a reason for the lack of the in-depth understanding necessary to plan and perform an effective and efficient audit. SAS no. 99 is the first standard that requires auditors to make inquiries of “others within the entity,” such as
Operating personnel not directly involved in the financial-reporting process.
People with knowledge of complex or unusual transactions.
In-house legal counsel.
Further, you should not restrict your inquiries to senior management. The standard suggests making inquiries of personnel at various levels within the organization. These are two primary objectives in making such inquiries.
To obtain first-hand knowledge of fraud. Fraud can happen in any department and at any level within the organization. Someone in the entity may have observed a person committing or concealing a fraud. Often, those with knowledge of a fraud have stated, after the fact, that they would have told someone, “but nobody asked.” SAS no. 99 increases the likelihood that the auditor will now be that “someone” who asks.
To corroborate or lend perspective to representations of others. Operating personnel can corroborate representations made by others or provide a different perspective on how things “really work.” For example, accounting department personnel may be able to provide you with the recommended control procedures relating to the safeguarding of inventory, but operational personnel can tell you how the control procedures are applied in practice and when, if ever, those controls are overridden or circumvented.
The standard allows you to use considerable judgment in determining to which employees within the organization you should direct your inquiries and what questions you should ask.
