SURVIVING SAS 99 Fraud Control Statement Creates Potential Liability

 

Statement on Auditing Standards No. 99 articulated new guidelines for use doing an audit, to identify fraud that could affect the accuracy of financial statements. While SAS 99 was intended to provide guidance, it has served, instead, to create a new basis for accounting malpractice claims. Since its enactment, auditors and lawyers have attempted to determine exactly what procedures an auditor must follow to meet the standard of care suggested by the Standards.  Unfortunately, five years after the Standard was created, the Standard’s requirements remain unclear.

 

SAS 99 was developed in advance of, but released at the time of, the scandals at public companies such as WorldCom, Tyco, Enron, and Adelphia. The statement identifies fraud that should be discovered and disclosed in an audit as intentional acts that result in “material misstatements” in financial statements. Two distinct categories of suspicious behavior exist: misleading financial reporting (distortion of records); and misstatements to hide the theft of assets (misappropriation of company assets or improper expenditures).

SAS 99 describes a “fraud triangle” of factors that allow fraud to occur: incentive, opportunity, and attitude. “Incentive” focuses on the pressures that might push an employee or fiduciary to commit fraud. “Opportunity” examines the openings for fraud to occur, such as lack of effective management oversight. Finally, “attitude” looks at the likelihood that the employees and fiduciaries will have any proclivity to justify their theft from the company.

 

 

The Standard offers guidance and support as to how to assess potential risks, as well. Specific examples of systems controls that large and small companies can use to prevent the risk of fraud, embezzlement, or material misstatement are included. The Standard also warns of conditions that the auditor may encounter that indicate fraud is likely to be present. For example, if management restricts the auditors from speaking with key staff members (such as IT, operations, security, and bookkeeping personnel), the auditors must evaluate whether they have been able to conduct an appropriate investigation, and the resulting audit report should identify any areas of concern.

 

SAS 99 requires auditors to take a more proactive role in evaluating potential fraud than in the past. Auditors must identify potential dangers, evaluate how those vulnerabilities could result in a material misstatement, and alert management (or anyone reviewing the audit report) of potential weaknesses in the company’s management controls. The audit report must identify any evidence of fraud that the auditor discovers, or that the auditor believes may exist, and the auditor must communicate these risks to senior management. Even insignificant risks must be identified, included in the audit report, and raised to senior management.

 

SAS 99 imposes greater documentation requirements upon the auditors than required by the previous standard (SAS 82). Auditors must now retain evidence of: (1) the details of the brainstorming session, including who took part and when and where it occurred, (2) the processes and procedures that the auditors followed to identify information relating to potential risk of fraud, (3) evaluation of the risk of material misstatement due to fraud, including risks specifically relating to the recognition of revenue, and the auditor’s strategy for addressing such risks, (4) the efficacy of the company’s management controls and the risk of override, (5) the basis for the audit procedures and other considerations factoring into the audit report, and (6) communications about the potential for fraud with management and other relevant parties.

 

The Standard is largely aspirational, and is not reasonably practical in audits of small to medium-sized companies. The fact that many of the procedures are recommended, but not required, only adds to this criticism and causes uncertainty as to what procedures are actually necessary. For example, SAS 99 recommends that auditors use surprise tactics such as making unannounced visits to audit inventory. In practice, auditors typically advise clients when they intend to visit inventory locations as a courtesy to avoid unnecessarily inconveniencing their clients. This advance notice invariably limits the auditors’ efficacy at uncovering inventory fraud; however, many auditors suggest that they can enact adequate safeguards without unreasonably imposing on their clients.