March 2003

SAS 99 IT Audit Primer

The Auditing Standards Board recently issued SAS 99, “Consideration of Fraud in a Financial Statement Audit,” which supersedes SAS 82, the previous auditing standard for fraud. The effective date is for financial statements that begin on or after Dec. 15, 2002. The new SAS is more comprehensive and includes greater detail for specific fraud detection auditing procedures than the previous guidance. Auditors and those who provide technology assurance services should consider the new SAS in light of how fraud may be perpetrated, detected and/or prevented.

The new SAS requires a change in how auditors consider the possibility of fraud in financial statements, along with changes to the audit process and to the auditor’s overall mindset, information gathering, identification, and fraud risk assessment. The evaluation process now forces the auditor to have greater professional skepticism and to discount past relationships and experiences with the client’s management.

From an IT perspective, auditors should consider how IT could be used to perpetrate fraud. It is important for auditors to consider not only IT employees and management, but also accounting, finance and other employees. Computer literacy is now widespread; employees in these departments typically have knowledge of, access to and the ability to change underlying accounting data without arousing suspicion.

In considering fraud, it is important to recall how IT affects a financial statement audit. Management may intentionally misstate financial statements in order to influence user decisions, or employees may misappropriate entity assets; in a weak control environment, IT makes both of these frauds easier to perpetrate and conceal.

For example, small-, medium- and even large-sized companies often use spreadsheets to prepare financial statements. How difficult is it to change a number in a spreadsheet without an audit trail? Perhaps the perpetrator knows that during the financial statement process someone checks the underlying electronic detail. Many control environments allow users to make changes to journal entries posted in closed periods, as well as to the underlying supporting detail. Many accounting packages allow changes to the underlying accounting records without an audit trail and without identifying the user who made the change. The perpetrator could conceivably change the entire audit trail of digital evidence, from initiation of a transaction to inclusion in the financial statements, and hide evidence of the change and who did it.

With respect to the misappropriation of assets, some IT environments do not safeguard the original operating system and application program CDs, making them susceptible to theft. These assets could conceivably cost a company substantial sums. Other assets, such as customer and price lists, are not always safeguarded either.
In many IT environments, it would be easy for an employee to e-mail the customer and price lists to a competitor. Many companies would not detect the theft of their operating system and application program CDs until they were needed, or realize the loss of their customer and price lists until they began to lose sales to competitors that have gained access to customer and pricing structure data.

During the mandatory brainstorming session, the audit team should consider these risks and their potential for fraud, and discuss audit tests to detect control weaknesses and potential evidence of fraud that might warrant further investigation.

SAS 99 asks the auditor to consider fraud within the triad framework of incentive, opportunity and attitude.

Incentive to commit fraud could include management pressure to meet certain financial goals. Pressure to achieve sales, income or ratio levels could exist for a variety of reasons. Pressure to misappropriate assets could be as simple as an employee who needs money due to personal problems such as debt, gambling, drugs or other vices. Auditors should maintain a high level of awareness for the presence of these incentives when on the client’s premises and while interacting with management and employees.

Opportunity equals poor internal control. A strong internal control environment reduces the opportunity for fraud. A weak one has the opposite effect. In the past, many auditors gained an understanding of and tested internal controls. Today, many auditors of small- and medium-sized companies assume maximum risk and perform limited internal control procedures. Many auditors do not gain an in-depth understanding of internal control because they perform “balance sheet audits” and rely on substantive tests. However, SAS 99’s requirement to understand the “opportunity” to commit fraud requires auditors to increase their understanding of internal control.
Attitude to commit fraud means the perpetrator justifies or rationalizes the falsification of the financial statements or misappropriation of assets. Misstating the financial statements could be an intentional effort to affect a creditor’s decision, whether it be a bank or a vendor. Programmers could justify stealing internally developed computer code because they believe they developed it, and are not appreciated or well compensated by management.

SAS 99 requires auditors to gather information from management and others about the risk of fraud. For small non-public entities, the auditor should make direct inquiries as to the existence of fraud and/or if employees with access to company assets appear to be living beyond their means. For larger entities, the auditor should inquire of accounting staff and programmers if they have been asked to make unusual entries or changes to posted entries, or if they are pressured to report certain income or sales levels, or to capitalize transactions that should be expensed.

The design of audit tests also should be changed to make the tests unpredictable. Areas typically considered low risk should be considered for testing, and changes considered in the nature and extent of tests, and accounts and locations tested. Auditors should document management’s ability to override controls, and perform tests to determine if overrides occurred during the period under audit. Overrides may allow fraudulent transactions to be posted, and exclude or disguise these transactions from reports used for monitoring.

SAS 99 does not change the auditor’s responsibility to detect fraud; however, it does provide the auditor with more specific guidance on how to assess the risk of fraud and implement new audit tests. While the auditor’s responsibility to detect fraud will not change, fraud detection procedures will change significantly. Audit firms will need to commence the education of audit and IT personnel prior to the effective date of the SAS.
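
The control weaknesses named above (journal entries posted or changed in closed periods, and changes with no user identified) can be tested for directly on a journal-entry export. The Python below is an added example, not part of the original article and not taken from any accounting package; the field names, period-close dates and sample entries are all constructed assumptions.

```python
from datetime import date

# Constructed period-close calendar (assumption): period -> date the books were closed.
PERIOD_CLOSE = {"2002-11": date(2002, 12, 6), "2002-12": date(2003, 1, 10)}

def entry(je_id, period, posted_on, user, modified_on=None, modified_by=None):
    """Build one row of a hypothetical journal-entry export."""
    return {"je_id": je_id, "period": period, "posted_on": posted_on,
            "user": user, "modified_on": modified_on, "modified_by": modified_by}

# Constructed sample data, not real client records.
ENTRIES = [
    entry("JE-1001", "2002-11", date(2002, 11, 29), "apclerk"),
    entry("JE-1002", "2002-11", date(2002, 12, 20), "controller"),
    entry("JE-1003", "2002-12", date(2002, 12, 30), ""),
    entry("JE-1004", "2002-11", date(2002, 11, 15), "glclerk",
          modified_on=date(2003, 1, 15)),
    entry("JE-1005", "2002-12", date(2003, 1, 5), "glclerk",
          modified_on=date(2003, 1, 8), modified_by="glclerk"),
]

def review_entries(entries, period_close):
    """Return (je_id, reasons) for every entry an auditor should follow up on."""
    findings = []
    for e in entries:
        reasons = []
        close = period_close.get(e["period"])
        if close is None:
            reasons.append("period not in close calendar")
        else:
            if e["posted_on"] > close:
                reasons.append("posted after period close")
            if e["modified_on"] and e["modified_on"] > close:
                reasons.append("modified after period close")
        # Missing attribution is itself a finding: the trail cannot name who acted.
        if not (e["user"] or "").strip():
            reasons.append("no posting user recorded")
        if e["modified_on"] and not (e["modified_by"] or "").strip():
            reasons.append("change has no user recorded")
        if reasons:
            findings.append((e["je_id"], reasons))
    return findings

if __name__ == "__main__":
    for je_id, reasons in review_entries(ENTRIES, PERIOD_CLOSE):
        print(je_id, "->", "; ".join(reasons))
```

A package that records no modification date or user at all cannot feed this test, which is the missing-audit-trail weakness the article describes.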

Bruce H. Nearon, CPA, is the director of IT security audit for J.H. Cohn LLP in Roseland, N.J. He is the chair of the NYSSCPA Technology Assurance Committee and a member of the Audit Standards and Procedures Committee. Mr. Nearon can be reached at 973-403-6955 or bnearon@jhcohn.com.

©1997 - 2009 New York State Society of Certified Public Accountants.