SAS 99, A Major Impact on Public and Private Company Audits

By James M. Boak, CPA

In October 2002, the Auditing Standards Board of the AICPA released Statement on Auditing Standards ("SAS") 99, Consideration of Fraud in a Financial Statement Audit. SAS 99 totally supercedes SAS 82, of the same name, that was issued in 1997. SAS 99 appears to be a response in part to the numerous major corporate and audit failures that shocked the country in 2002 and which gave rise to the Sarbanes-Oxley Act of 2002.

Auditors, and entities being audited, need to understand that SAS 99 (1) substantially increases the amount of work to be done on audits, (2) SAS 99 applies to all audits, public, private and non-profit entities alike, and (3) SAS 99 is effective for periods under audit that began on or after December 15, 2002. Some have estimated that SAS 99 could increase costs of performing audits at least 5% to 10% or more because of the additional fraud risk procedures that must be performed and documented. Furthermore, SAS 99 must be applied to 2003 calendar year financial statements. To say that SAS 99 will have a major impact on audits in the 2004 busy season is an understatement. This article will only touch on certain highlights of SAS 99 and readers are encouraged to carefully examine SAS 99 on their own.

SAS 99 describes the three conditions that are generally present when fraud occurs. These conditions have often been referred to as the "fraud triangle". These conditions are (1) incentive or pressures to commit fraud, (2) opportunity to commit fraud, often encouraged by weak internal controls and (3) rationalization for fraud, or personal attitudes and values allowing the perpetration of fraud. In determining if fraud risk factors exist, these conditions must be taken into account. SAS 99 includes an appendix that lists numerous examples of the risk factors relating to these three fraud conditions.

At the initiation of all audits, the auditor must perform and document numerous procedures to gain a thorough understanding of the potential for fraud, both material and immaterial. In the audit planning stage, the audit firm must engage in a "brainstorming" session amongst the key audit team members to discuss and understand how and where the entity's financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. Then the auditor must interview management, plus "others" in the entity, to further ascertain the potential risk for fraud. In selecting others to be interviewed, the auditor must consider individuals from lower level accounting positions, operations, internal auditors and internal legal staff. Then the auditor must review and document all information regarding fraud learned to date and specifically identify and enumerate fraud risks that might occur and which might result in material financial misstatement.

Once the fraud risk identification and documentation process is complete, the auditor must review the planned audit strategy and procedures to determine if the scope of the strategy and procedures are adequate to search for potential fraud. SAS 99 seems to presume that the audit procedures and scope will be expanded in response to any threat of identified fraud risks, especially for those accounts bearing a higher risk of misstatement. In addition to any fraud risks and procedures that the auditor may have already dealt with, the auditor must specifically address fraud risks in the areas of revenue recognition and management override of internal controls. In regards to the latter, the auditor must develop an understanding of the adjusting journal entry process employed by the entity and then actually test selected journal entries for economic substance, accuracy and compliance with generally accepted accounting principles.

During or at the conclusion of fieldwork, the auditor must evaluate the audit evidence collected for existence of fraud, material or immaterial, and communicate any fraud findings to audit committees and appropriate levels of management. Evaluation and communication must be documented.

Various firms and audit manual services have prepared checklists for use in applying SAS 99. Due to the breadth of SAS 99, these practice aids are lengthy and an auditor may find some questions to be unclear. Careful reading of SAS 99 may be necessary to fully understand how to comply with the extensive documentation requirements.

Various organizations including the Colorado Society of CPAs are planning courses to specifically deal with SAS 99. Additional information on SAS 99 is also available in the article, Auditors' Responsibility for Fraud Detection, published in the January 2003 Journal of Accountancy. Additional information can be found on the internet at the AICPA's website at www.aicpa.org . The article can be accessed electronically at www.aicpa.org/pubs/jofa/jan2003/index.htm.