By Craig L. Greene, CPA/CFF, CFE, MCJ

Introduction

For many years there has been "expectation gaps" between what the public believes financial statement auditors do and what the auditors themselves think their responsibilities are. Generally, the public believes a financial statement audit should, and in fact does, detect fraud. Financial statement auditors, however, believe that the purpose of an audit is to determine whether financial statements are presented fairly in all material respects.

SAS No. 53, The Auditor’s Responsibility to Detect and Report Errors and Irregularities, was issued as a part of a series of standards addressing this expectation gap. Despite the new standards, lawsuits continued to be routinely filed against auditors for negligence when financial frauds were discovered. In March 1993 the Public Oversight Board of the AICPA Division for CPA Firms SEC Practice Section made a number of recommendations about fraud, including issuing a call for auditors to exercise the professional skepticism demanded in SAS 53. The AICPA board of directors supported the Oversight Board’s recommendations and other initiatives to prevent and detect fraud. The Auditing Standards Board of the AICPA formed a task force to take a hard look at SAS 53 and concluded that it was crucial to develop a SAS that focused solely on financial statement fraud. An exposure draft of the new SAS was issued in May 1996.

Auditor Responsibilities

Studies have shown that the auditor misunderstands his responsibility in detecting fraud and this is one of the reasons that he has not detected material fraud in financial statements. Auditors have always had the responsibility to detect material misstatement caused by fraud. SAS 82 clarifies the responsibility the Independent Auditor has to detect fraud. "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud."

Description and Characteristics of Fraud

Fraud is generally understood to consist of one or more intentional acts designed to deceive other persons and cause them financial loss. The elements of fraud are a (1) material false statement, (2) intentionally made, (3) relied upon by a victim and (4) damages suffered. Thus, financial statement fraud may be defined as "A deliberate fraud committed by management that injures investors and creditors through materially misleading financial statements. The class of perpetrators is management; the class of victims is investors and creditors; and the instrument of perpetration is financial statements." The auditor’s interest specifically relates to financial statement fraud.

SAS 82 states that "The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional." The two types of misstatement that are relevant to the auditor are (1) misstatements arising from fraudulent financial reporting and (2) misstatements arising from misappropriation of assets.

Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in the financial statements to deceive the statements' users.
These include such acts as:

Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared. For example, the former president and CEO and the former vice president of Saxon Industries, Inc. ("Saxon") pled guilty to conspiracy and securities and mail fraud charges in connection with the falsification of Saxon’s financial statements. These executives, and others, spent 14 years systematically defrauding shareholders and creditors of Saxon by adding in excess of $53 million in non-existent inventory to the books of various Saxon subsidiaries and divisions. This created an illusion of increased profits and assets. The SEC, in its complaint, alleged that the "red flags", including the denial of access to the general ledger and other corporate records, as enough to put the independent auditors on notice that an intensified audit was required.

Misrepresentation in, or intentional omission from, the financial statements of events, transactions, or other significant information. For example, the Charter Company ("Charter"), a marketer of crude oils, gasoline, and related products, allegedly made material misstatements of fact in its 1983 Annual Report, dated March 24, 1984. Management’s discussion and analysis omitted: (1) Charter’s loss of trade credit; (2) a demand made by Charter’s banks for new loan covenants as a condition for renewal of its $130 million credit line, which was scheduled to expire on April 30, 1984; (3) discussions with Charter’s banks involving proposals which, if implemented, could have generated approximately $130 million in cash, but necessitated the sale of certain assets, the suspension of cash dividends, and the close of crude oil refining operations in Houston, Texas. Charter failed to disclose the effects of these developments on Charter’s operations, liquidity and capital reserves.

Intentional misapplication of accounting principles relating to amounts, classifications, manner of presentation or disclosure. For example, George Risk Industries, Inc. ("GRI") designed, manufactured and marketed computer keyboards, push button switches and alarm systems. GRI raised capital for its research and development projects by having investors sign contracts or "pledges." These contracts called for capital to be contributed as follows: 25% cash and a promissory note for the balance. The promissory note did not provide for the payment of interest until such time as the principal became due. In 1988, the SEC filed a civil action against GRI alleging that the Company improperly used the percentage of completion method of accounting for its research and development project which caused an overstatement of revenues in the years 1983 through 1985. Additionally, the SEC alleged that GRI overstated working capital for the same three years. The complaint alleged that GRI lacked the ability to make reasonably dependable estimates of the stage of the project’s completion and it could not be reasonably expected that the investors would fulfill their obligations on the long-term notes. The material overstatement of working capital was a result of GRI classifying accrued interest receivable on the promissory notes form the investors as a current asset. No payments of interest were made on these notes during the years that this accrued interest was reported as a current asset.

Misstatements arising from misappropriation of assets involve the theft of an entity’s assets where the effect of the theft causes the financial statements not to be presented in accordance with generally accepted accounting principles. Examples of misappropriation include embezzlement of cash receipts, theft of entity assets, or having the entity pay for goods or services not received. Often the fraud is "covered up" through fictitious or misleading records and/or documents produced by management, employees or third parties.

The SAS points out that fraud frequently involves (1) a pressure or incentive to commit fraud and (2) a perceived opportunity to do so. For both fraudulent financial reporting and misappropriation of assets these conditions are usually present. Management may be operating under unrealistic earnings goals that provide an unbearable pressure to commit fraud. Whereas, asset misappropriation may occur when an individual is living beyond his means. Although not mentioned in the Statement, most fraud experts agree that a third factor, rationalization, is also present. These three factors are typically referred to as the fraud triangle.

The Association of Certified Fraud Examiners postulates the axiom, that fraud by its very nature is hidden. It may be hidden through falsified documents, including forgery, or collusion among management, employees and third parties. It cannot be expected that the auditor can authenticate documents or discover collusion between management and third parties. Therefore, an auditor can never obtain absolute assurance that material misstatements in the financial statements will be detected. Although, fraud is concealed, the auditor should be alert for the presence of risk factors or other conditions. These factors can include missing documents, a general ledger that does not balance or an analytical relationship that does not make sense.

Assessment of the Risk of Material Misstatement Due to Fraud

The Statement requires the auditor to specifically assess the risk of material misstatement of the financial statements due to fraud. The auditor must consider that assessment in designing the audit procedures to be performed. In making this assessment, the auditor should consider the factors that relate to both misstatements arising from fraudulent financial activities and misstatements arising from asset misappropriations.

As a part of the auditor’s risk assessment, inquiries of management should be made to obtain their understanding regarding the risk of fraud in the entity and to determine if they have knowledge of fraud that has been perpetrated within the entity.

Risk Factors Relating to Misstatements Arising
from Fraudulent Financial Reporting.

The Statement identifies three categories of risk factors arising from fraudulent financial reporting:

Management’s characteristic and influence over the control environment.
These pertain to management’s abilities, pressures, style, and attitude relating to internal control and the financial reporting process.

1. Motivations for management to engage in fraudulent financial reporting include:

• A significant portion of their compensation is represented by bonuses, stock options
  or other incentives, the value of which is contingent upon the entity’s achieving unduly
  aggressive targets for operating targets for operating results, financial position or cash flow.
• An excessive interest by management in maintaining or increasing the entity’s stock
  price or earnings trend through the use of unusually aggressive accounting practices.
• A practice by management of committing to analysts, creditors, and other third parties
  to achieve what appear to be unduly aggressive or clearly unrealistic forecasts.
• An interest by management in pursuing inappropriate means to minimize reported
  earnings for tax-motivated reasons.

2. A failure by management to display and communicate an appropriate attitude regarding
    internal control and the financial reporting process. Specific indicators might include:

• An ineffective means of communicating and supporting the entity’s values
  or ethics, or communication of inappropriate values or ethics.
• Domination of management by a single person or small group without compensating
  controls such as effective oversight by the board of directors or audit committee.
• Inadequate monitoring of significant controls.
• Management failing to correct known reportable conditions on a timely basis.
• Management setting unduly aggressive financial targets and expectations for operating personnel.
• Management displaying a significant disregard for regulatory authorities.
• Management continuing to employ an ineffective accounting, information technology,
  or internal auditing staff.

3. Nonfinancial management’s excessive participation in, or preoccupation with,
    the selection of accounting principles or the determination of significant estimates.

4. High turnover of senior management, counsel, or board members.

5. Strained relationships between management and the current or predecessor auditor.
    Specific indicators might include-

• Frequent disputes with the current or predecessor auditor on accounting,
  auditing, or reporting matters.
• Unreasonable demands on the auditor including unreasonable time constraints
  regarding the completion of the audit or the issuance of the auditor’s report.
• Formal or informal restrictions on the auditor that inappropriately limit his or her
  access to people or information or his or her ability to communicate effectively
  with the board of directors or audit committee.
• Domineering management behavior in dealing with the auditor, especially
  involving attempts to influence the scope of the auditor’s work.

6. Known history of securities law violations or claims against the entity
    or its senior management alleging fraud.

Industry Conditions.
These involve the economic and regulatory environment in which the entity operates.
Specific indicators might include:

1. New accounting, statutory, or regulatory requirements that could
   impair the financial stability or profitability of the entity.
2. High degree of competition or market saturation, accompanied by
   declining margins.
3. Declining industry with increasing business failures and significant
   declines in customer demand.
4. Rapid changes in industry, such as high vulnerability to rapidly changing
   technology or rapid product obsolescence.

Operating Characteristics and Financial Stability.
These pertain to the nature and complexity of the entity and its transactions, the entity’s
financial condition, and its profitability. Specific indicators might include:

1. Inability to generate cash flows from operations while reporting
   earnings and earnings growth.
2. Significant pressure to obtain additional capital necessary to stay competitive considering the financial position of the entity-including need for funds to finance major research and development or capital expenditures.
3. Assets, liabilities, revenues, or expenses based on significant estimates that involve unusually subjective judgments or uncertainties, or that are subject to potential significant change in the near term in a manner that may have a financially disruptive effect on the entity-such as ultimate collectibility of receivables, timing of revenue recognition, realizability of financial instruments based on the highly subjective valuation of collateral or difficult-to-assess repayment sources, or significant deferral of costs.
4. Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.
5. Significant, unusual, or highly complex transactions, especially those close to year end, that pose difficult "substance over form" questions.
6. Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification.
7. Overly complex organizational structure involving numerous or unusual legal entities, managerial lines of authority, or contractual arrangements without apparent business purpose.
8. Difficulty in determining the organization or individual(s) that control(s) the entity.
9. Unusually rapid growth or profitability, especially compared with that of other companies in the same industry.
10. Especially high vulnerability to changes in interest rates.
11. Unusually high dependence on debt or marginal ability to meet debt repayment requirements; debt covenants that are difficult to maintain.
12. Unrealistically aggressive sales or profitability incentive programs.
13. Threat of imminent bankruptcy or foreclosure, or hostile takeovers.
14. Adverse consequences on significant pending transactions, such as a business combination or contract award, if poor financial results are reported.
15. Poor or deteriorating financial position when management has personally guaranteed significant debts of the entity.

Risk Factors Relating to Misstatements Arising
from Misappropriation of Assets.

The Statement identifies two categories of risk factors arising from
misappropriation of assets:

Susceptibility of assets to misappropriation.
These pertain to the nature of an entity’s assets and the degree to which
they are subject to theft.

Specific indicators might include:

1. Large amounts of cash on hand or processed.
2. Inventory characteristics, such as small size, high value, or high demand.
3. Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
4. Fixed asset characteristics, such as small size, marketability, or lack of ownership identification.

Controls.
These involve the lack of controls designed to prevent or detect misappropriations of assets.

Specific indicators might include:

1. Lack of appropriate management oversight (for example, inadequate
   supervision or monitoring of remote locations)
2. Lack of job applicant screening procedures relating to employees with
   access to assets susceptible to misappropriation.
3. Inadequate recordkeeping with respect to assets susceptible to misappropriation.
4. Lack of appropriate segregation of duties or independent checks.
5. Lack of appropriate system of authorization and approval of transactions
   (for example, in purchasing)
6. Poor physical safeguards over cash, investments, inventory, or fixed assets.
7. Lack of timely and appropriate documentation for transactions
   (for example, credits for merchandise returns).
8. Lack of mandatory vacations for employees performing key control functions.

In planning the audit, it is not necessary for the auditor to discover information that is indicative of financial stress of employees or adverse relationships between the entity and its employees. However, such information may be made known to the auditor, for example (1) anticipated future employees layoffs known to the work force, (2) employees with access to assets susceptible to misappropriation who are known to be dissatisfied, (3) known unusual changes in behavior or lifestyle of employees with access to assets susceptible to misappropriation, and (4) known personal financial pressures affecting employees with access to assets susceptible to misappropriation. If the auditor becomes aware of this information, he or she should consider it in assessing risk of material misstatements arising from misappropriation.

Consideration of Risk Factors in Assessing the Risk
of Material Misstatement Due to Fraud.

Risk factors in assessing fraud can not be ranked in order of importance or be used to design a predictive model. The significance of these factors can vary widely. Entities where specific conditions do not present a risk of material misstatement may have risk factors present. The auditor must use his/her professional judgment to assess the risk factors individually or in combination and determine whether there are specific controls that may mitigate these factors.

In considering the relevant risk factors, the auditor will look at the size, complexity and ownership characteristics of the entity. In assessing risk in a large entity, the auditor would look at factors that generally constrain improper conduct by senior management. Some of these factors would include the effectiveness of the board of directors, the audit committee and the internal audit function. Further, the auditor would consider what steps had been taken to enforce a formal code of conduct and the effectiveness of the budgeting or reporting system. In a smaller entity the auditor may not make these same considerations as these factors may not be present. However, the auditor may find the smaller entity has developed a culture of integrity and ethical behavior through management example and oral communications.

In planning the audit, the auditor is required to obtain a sufficient understanding of the entity’s control over financial reporting. This knowledge should be used by the auditor to identify potential types of misstatements, consider the risk of material misstatement and design suitable substantive tests. This understanding will often affect the auditor’s consideration of the significance of fraud risk factors.

If the entity has established a program that includes steps to prevent, deter, and detect fraud, the auditor should consider it. Further, the auditor should inquire of those that oversee the program of any fraud risk factors they have identified.

The assessment of the risk of material misstatement due to fraud is a cumulative process which includes the consideration of risk factors individually. Fraud risk factors may be discovered while performing engagement acceptance and continuance procedures, obtaining an understanding of internal control or during the conduct of fieldwork. Other conditions may be identified during fieldwork that change or support a judgment regarding the risk assessment, such as:

1. Discrepancies in the accounting records:

a. Transactions not recorded in a complete or timely manner or improperly
    recorded as to amount, accounting period, classification or entity policy.

b. Unsupported or unauthorized balances or transactions.

c. Last minute adjustments by the entity that significantly affect financial results.

2. Conflicting or missing evidential matter, including:

a. Missing documents

b. Unavailability of other photocopied documents when documents
    in original form are expected to exist.

c. Significant unexplained items on reconciliations.

d. Inconsistent, vague, or implausible responses from management
    or employees arising from inquiries or analytical procedures.

e. Unusual discrepancies between the entity’s records and confirmation replies.

f. Missing inventory or physical assets of significant magnitude.

3. Problematic or unusual relationships between the auditor and the client, including:

a. Denied access to records, facilities, certain employees, customers,
    or others whom audit evidence is sought.

b. Undue time pressures imposed by management to resolve
    complex or contentious issues

c. Unusual delays by the entity in providing requested information.

d. Tips or complaints to the auditor about fraud.

 

The Auditor’s Response to the Results of the Assessment

To some degree, a risk of material misstatement due to fraud is present in all audits. The auditor’s response to his/her assessment of the risk factors discussed above is influenced both by their nature and significance. In some cases, even though fraud risk factors have been identified as being present, the auditor’s judgment may be that audit procedures otherwise planned are sufficient to respond to the risk factors. In other cases, the auditor may conclude that the conditions require the procedures be modified.

Overall Considerations

Judgments about the risk of material misstatement due to fraud may affect the audit in the following ways:

1. Professional skepticism. The auditor should have an attitude that includes a questioning mind and critical assessment of audit evidence. For example:

• Increased sensitivity in the selection of the nature and extent of documentation
  to be examined in the support of material transactions.
• Increased recognition of the need to corroborate management explanations
  or representations concerning material matters.

2. Assignment of personnel. The knowledge, skill, and ability of the personnel assigned significant engagement responsibilities should be commensurate with the auditor’s assessment of the level of risk of the engagement. In addition, the extent of supervision should recognize the risk of material misstatement due to fraud and the qualifications of persons performing the work.

3. Accounting principles and policies. The auditor may wish to further consider management’s selection and application of significant accounting policies, particularly those related to revenue recognition, asset valuation, or capitalizing versus expensing. He/she should have greater concern about whether the accounting principles selected and policies adopted are being applied in an inappropriate manner to create a material misstatement of the financial statements.

4. Controls. When a risk of material misstatement due to fraud relates to risk factors that have control implications, the auditor’s ability to assess control risk below the maximum may be reduced. This does not, however, eliminate the need for the auditor to obtain an understanding of the components of the entity’s internal control components to plan the audit. In fact, such an understanding may be of particular importance in further understanding and considering any controls (or lack thereof) the entity has in place to address the identified fraud risk factors. However, this consideration also would need to include an added sensitivity to management’s ability to override such controls.

• The nature, timing and extent of procedures may need to be
  modified in the following ways:
• The nature of audit procedures performed may need to be changed to obtain evidence
  that is more reliable or to obtain additional corroborative information.
• The timing of substantive tests may need to b altered to be closer to or at year end.
• The extent of the procedures applied should reflect the assessment of the risk
  of material misstatement due to fraud.

Considerations at the Account Balance,
Class of Transactions and Assertion Level

Specific responses to the auditor’s assessment of the risk of material misstatements due to fraud will vary depending upon the types or combinations of fraud risk factors or conditions identified and the account balances, classes of transactions, and assertions they may affect. The following are specific responses contained in the Statement:

• Visit locations or perform certain tests on surprise or unannounced basis.
• Request that inventories be counted at a date closer to year end
• Alter the audit approach in the current year - for example, contacting major customers and suppliers orally in addition to written confirmation, sending confirmation requests to a specific party within an organization, or seeking more and different information.
• Perform a detailed review of the entity’s quarter-end or year-end adjusting journal entries and investigate any that appear unusual as to nature or amount.
• For significant and unusual transactions, particularly those occurring at or near year end, investigate (a) the possibility of related parties and (b) the source of financial resources supporting the transactions.
• Perform substantive analytical procedures at a detailed level.
• Conduct interviews of personnel involved in areas in which a concern about the risk of material misstatements due to fraud is present, to obtain their insights about the risk and whether or how controls address risk.
• When other independent auditors are auditing the financial statements of one or more subsidiaries, divisions, or branches, consider discussing with them the extent of work necessary to be performed to ensure that the risk of material misstatement due to fraud resulting from transactions and activities among these components is adequately addressed.

Specific Responses - Misstatements Arising
from Fraudulent Financial Reporting

Some examples of responses to the auditor’s assessment of the risk of material misstatement arising from fraudulent financial reporting are -

• Revenue Recognition If there is a risk of material misstatement due to fraud that may involve or result in improper revenue recognition, it may be appropriate to confirm with customers certain relevant contract terms and the absence of side agreements - inasmuch as the appropriate accounting is often influenced by such terms or agreements.
• Inventory Quantities If a risk of material misstatement due to fraud exists in inventory quantities, reviewing the entity’s inventory records may help to identify locations, areas, or items for specific attention during or after the physical inventory count. In addition, where the auditor has a concern about the risk of material misstatement due to fraud in the inventory area, it may be particularly important that the entity counts are conducted at all locations on the same date.

Specific Responses - Misstatements Arising
from Misappropriation of Assets

The auditor may have identified a risk of material misstatement due to fraud relating to misappropriation of assets. Usually the audit response to a risk of material misstatement due to fraud relating to misappropriation of assets will be directed toward certain account balances and classes of transactions.

Evaluation of Audit Test Results

At the completion of the audit, the auditor should consider whether the accumulated results of audit procedures and other observations affect the assessment of the risk of material misstatement due to fraud he or she made when planning the audit. This accumulation is primarily a qualitative matter based on the auditor’s judgment.

When audit test results identify misstatements in the financial statements, the auditor should consider whether such misstatements may be indicative of fraud. If the auditor has determined that misstatements are or may be the result of fraud, but the effect of the misstatements is not material to the financial statements, the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the person(s) involved.

If the auditor has determined that the misstatement is, or may be, the result of fraud, and either has determined that the effect could be material to the financial statements or has been unable to evaluate whether the effect is material, the auditor should -

• Consider the implications for other aspects of the audit
• Discuss the matter and the approach to further investigation with an appropriate level of management that is at least one level above those involved and with senior management.
• Attempt to obtain additional evidential matter to determine whether material fraud
  has occurred or is likely to have occurred, and, if so, its effect on the financial statements
  and the auditor’s report thereon.
• If appropriate, suggest that the client consult with legal counsel.

The auditor’s consideration of the risk of material misstatement due to fraud and the results of audit tests may indicate such a significant risk of fraud that the auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others with equivalent authority and responsibility.

Documentation of the Auditor’s Risk Assessment and Response

In planning the audit, the auditor should document in the working papers evidence of the performance of the assessment of the risk of material misstatement due to fraud. Where risk factors are identified as being present, the documentation should include (1) those risk factors identified and (2) the auditor’s response to those risk factors, individually or in combination.

Communications About Fraud to Management,
the Audit Committee, and Others

Whenever the auditor has determined that there is evidence that fraud may exist, that matter should be brought to the attention of appropriate management. When the auditor, as a result of the assessment of the risk of material misstatements due to fraud, has identified risk factors that have continuing control implications, the auditor should consider whether these risk factors represent reportable conditions relating to the entity’s internal control that should be communicated to senior management and the audit committee.

The disclosure of possible fraud to parties other than the client’s senior management and its audit committee ordinarily is not part of the auditor’s responsibility and ordinarily would be precluded by the auditor’s ethical or legal obligations of confidentially unless the matter is reflected in the auditor’s report. The auditor should recognize, however, that in the following circumstances a duty to disclose outside the entity may exist:

• To comply with certain legal and regulatory requirements
• To a successor auditor when the successor makes inquires in accordance
  with SAS No. 7, Communications Between Predecessor and Successor Auditors.
• In response to a subpoena
• To a funding agency or other specified agency in accordance with requirements
  for the audits of entities that receive governmental financial assistance.

Effective Date

SAS No. 82 is effective for audits of financial statements for periods ending
on or after December 15, 1997.