SAS No. 99: new auditors’ responsibilities for detecting fraud

Alan Reinstein

So it took SAS 99 to make auditors do what we thought they were doing all along? And does the responsibility to report problems to “at least one layer up” ensure a fix–or could it ensure more time for higher-level fraudsters to cover their tracks? Bottom line: SAS 99 is a good ruling, but bankers must still know their customers.

In October 2002, the AICPA’s Auditing Standards Board issued Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit. Effective in 2003, SAS 99 provides auditors with expanded guidance for detecting material fraud in financial statements. Asking auditors to use more of an “engagement team” approach to fraud-risk identification, SAS 99 reminds them to use increased professional skepticism in all audits and not to assume automatically that management is honest. Given the many recent audit failures due to fraud, such as at Enron, Adelphia, Qwest, and WorldCom, bankers should be interested in its provisions as they relate to their clients. Under SAS 99, auditors must now:

* Place increased emphasis on professional skepticism.

* Conduct more thorough inquiries of management.

* Use “stronger” and more focused audit tests.

* Consider management’s ability to override internal controls.

* Consider the likelihood of fraud in evaluating the audit findings.

* Report such fraud to key parties.

Increased emphasis on professional skepticism. Rather than presume management’s integrity and honesty, the audit team must brainstorm at the start of each audit on how frauds could occur. This process should identify potential fraud risks, considering the three elements of most frauds–management incentives/pressures, opportunities, and attitudes/rationalizations to commit fraud. The engagement team must also consider potential fraud throughout the audit and alter their audit tests accordingly.

Conduct more thorough discussions with management. The engagement team must now inquire of management and key employees about the risk of fraud and whether they are aware of any frauds that have been perpetrated on or within the entity. The auditors should give these employees and key outside personnel (e.g., suppliers) an opportunity to inform on such fraud.

Use stronger and more focused audit tests. Considering the results from the inquiry just mentioned, the auditors should adapt their procedures to test areas, locations, and accounts that could uncover such fraud. For example, in a potential inventory fraud, the auditors should make surprise visits to sites that could have high inventory irregularities.

Consider management’s ability to override internal controls. Auditors should now always test for management’s possible override of internal audit controls. Examples of such tests include:

* Considering the potential for management to forge key documents.

* Reviewing significant and unusual management journal entries and other adjustments.

* Carefully analyzing management’s prior judgments and accounting estimates.

* Querying management about its views on the risks of fraud and its knowledge of any known or suspected fraud.

* Assessing management’s programs and controls to address and effectively mitigate risks.

Consider the likelihood of fraud in evaluating the audit findings. Auditors should assess the risks of material misstatement due to fraud and evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect this assessment. The audit team should consider whether identified misstatements could indicate fraud and, if so, evaluate such implications, focusing on areas of potential fraud that they identified at the start of the audit.

Report such fraud to key parties. Auditors uncovering fraud must first bring it to the attention of the appropriate level of management, i.e., at least one level above where the fraud occurred. Auditors also should inform the audit committee of material fraud that involves senior management and discuss other identified risks of fraud with them.

Key Differences

Under the prior rules of SAS 82, auditors had no duty to test for potential fraud unless “information came to their attention that fraud was likely to occur.” Now, the entire audit team must consider the likelihood of fraud arising at the planning, performance, evaluation, and reporting stages of the audit, including assessing if management overrode some internal controls or even if collusion or forged documents could have existed.

Both SAS 82 and 99 make CPAs responsible “to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” However, SAS 82 allowed too many frauds to occur, since auditors often did not have the proper “mindset” to search for, detect, and report on many frauds, and they often failed to follow through on many tips of fraud.

The provisions of SAS 99 make CPAs more responsible for controlling for financial fraud. Bankers should now use this new standard’s key provisions to work with their clients and their CPAs to help derive more credible financial statements. However, as always, bankers should maintain their own “professional skepticism” and use all appropriate means to know their customers.


