Auditor's Report Contents PageCONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT: A NEW AICPA AUDITING STANDARD
This report, adapted from Dave’s address at the Auditing Section’s Midyear Meeting, discusses the development of the new auditing standard "Consideration of Fraud in a Financial Statement Audit," (SAS 82). The final standard was approved by the Auditing Standards Board in November 1996, and will become effective for calendar year-end 1997 audits. The report is organized around the following questions. First, what was the problem with existing guidance that needed to be addressed? Second, what was the Task Force’s strategy for addressing the problem? Third, what is the content of the new SAS on fraud? Fourth, what issues were raised from feedback by the profession during the exposure period? Fifth, what lies ahead in the fraud detection arena?
What was the problem with existing guidance?
Under U.S. auditing standards, the auditor has had a defined responsibility to detect material misstatements due to fraud (AU Section 316.05). However, anecdotal evidence indicates that some auditors may not understand the present responsibility. Also, auditors have been subjected to criticism for not meeting public expectations in the area of fraud detection. Further, current standards provide little guidance on how to meet the present responsibility. Thus, the AICPA Auditing Standards Board’s (ASB) Fraud Task Force began work on a possible new standard a couple of years ago. The Task Force was made up of a group of individuals who brought together different views from different backgrounds and experiences, but all with an important public interest perspective.
What was the problem with existing guidance?
The strategy developed by the ASB and the Fraud Task Force to improve auditing standards was to clarify, but not to increase, the auditor’s responsibility in this area. In addition to clarification, the Task Force hoped to provide added ground rules and guidance to assist the auditor in meeting the responsibility for fraud detection. In so doing, improved detection of frauds hopefully will result, which in turn will improve the public’s perception of the profession’s activities in this area and the value of audit services in the marketplace. Thus, the expectation gap should be reduced. The accompanying figure summarizes the strategy of the Task Force and the intended impact of its initiatives.
What is the content of the new SAS on fraud?
The auditor’s responsibility for fraud had been set forth in AU Section 316.05: "The Auditor should assess the risk that errors and irregularities may cause the financial statements to contain a material misstatement. Based on that assessment, the auditor should design the audit to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements."
The new description clarifies the auditor’s responsibility as follows: "The auditor has a responsibility to plan and perform that audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements, are detected."
The two descriptions of the auditor’s responsibilities are broadly consistent, in that both are framed by the limitations of materiality and reasonable assurance. However, the new standard accomplishes clarification of responsibilities in several areas. First, it uses the word "fraud." Second, it tracks the language the auditor uses in the standard auditor’s report to represent the auditor’s responsibilities. Finally, it appears in a stand-alone Statement of Auditing Standards (SAS No. 82) that is devoted solely to the auditor’s consideration of misstatements due to fraud.
Consistent with the strategy to provide added ground rules and guidance, the new SAS sets forth performance standards — that is, what it takes to effectively meet the fraud responsibility outlined above. Importantly, the new standard requires that a specific assessment of risk of material misstatement due to fraud be made. This assessment also requires an inquiry of client management, to obtain their assessment of the likelihood of fraud in the organization.
The new standard provides guidance on how to assess fraud risk, including a discussion of specific risk factors that may affect the likelihood of fraud in a particular client. The specific risk factors noted in the standard are examples of the kinds of conditions that may be associated with the occurrence of fraud, and are not intended to be an exhaustive list. A reassessment of the risk of material misstatement due to fraud at the end of the audit is also required, in light of all evidence gathered from the tests performed. The standard emphasizes the cumulative and ongoing nature of fraud risk assessment.
The standard emphasizes that the auditor must respond appropriately to the fraud risk assessment. Overall considerations in developing this response include the use of professional skepticism, the assignment of personnel, consideration of accounting principles and controls in place (e.g., "aggressive" financial reporting), and the impact of the assessment on the audit plan, including nature, extent and timing of audit procedures. Particular examples of possible audit response are included in the standard, encompassing both fraudulent financial reporting ("cooking the books") and misappropriation (theft of assets).
An evaluation of audit test results and effective documentation of the results of the auditor’s efforts are important parts of the standard. When information is found that may be indicative of a material misstatement due to fraud, it should be pursued even if it seems minor in isolation. One indicator of fraud may be "the tip of the iceberg" that subsequent investigation will uncover. The standard also requires specific workpaper documentation. Evidence of the performance of the fraud risk assessment is needed, as is documentation of specific risk factors and the auditor’s response to those factors. Documentation requirements in the new fraud standard are more explicit than is normally contained in auditing standards, the motive being to add further assurance that the standard will drive change in audit practice.
Regarding reporting and communication, the standard reiterates requirements and guidance already contained in other auditing standards. Communication should be made to an appropriate level of management and, in certain circumstances, the board of directors, when there is evidence that fraud may exist. Also, significant control issues related to risk factors (i.e., reportable conditions) should be communicated.
What issues were raised during public exposure of the proposed standard?
Letters received by the Task Force during the public exposure period were generally very supportive. However, several issues were raised that the Task Force considered important. One was that inclusion in the standard of specific risk factors might result in a checklist mentality, or imply that these risk factors are more than examples and must always be addressed on each audit. The Task Force debated on this issue at length, and decided that the need for explicit guidance outweighed this concern. While citing examples of specific factors that the auditor may look for, the standard emphasizes the importance of professional judgment in this area.
Another issue was raised concerning the standard’s applicability in smaller, owner-managed environments. The Task Force incorporated a number of changes in the fraud standard to ensure that it could be meaningfully applied in those environments — for example, recognizing the risk of income understatement because of income tax motivation in addition to the risk of income overstatement for public companies because of stock price motives.
Some other respondents commented that the content of the standard was more appropriate for an Audit Guide. However, the Task Force felt that the importance of fraud detection to the auditing profession merited a SAS on the subject. Additionally, the Task Force considered that SASs are more likely than Audit Guides to be included in college auditing courses. Thus, the standard will have maximum impact on future generations of auditors if it appears in the form of a SAS.
What lies ahead?
Now that the final version of the new standard on fraud has been issued, the profession faces additional challenges. Of primary importance is assuring its effective implementation. In this regard, the AICPA has been very proactive in developing a plan for "road show" presentations on the new standard, and in making available relevant training materials. Also, there is a need for additional "upstream" focus on the part of audit clients, in developing and implementing better prevention and deterrence techniques as an effective means to reduce the incidence of fraud. Finally, additional research on fraud is also needed. For instance, which of the risk factors cited in the standard are most important? Are there others that are more indicative of fraud? While the Task Force reviewed some studies in this area, there is a need for further research in all aspects of fraud prevention and detection.
Prevention and detection of fraud is a big challenge. In order to reduce its incidence, company management, boards of directors, regulators and auditors all must share responsibility. SAS No. 82 is far from the last word. We need to continue to learn and pursue further initiatives in the spirit of continuous improvement.
Auditor's Report Contents Page