Return
to the Table of ContentsCONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT: A NEW AICPA AUDITING STANDARD
This report, adapted from Dave's address at the Auditing Section's Midyear Meeting, outlines development of the new SAS on fraud. It is organized around the following questions. First, what was the problem with existing guidance that needed to be addressed? Second, what was the Task Force's strategy for addressing the problem? Third, what is the content of the new SAS on fraud? Fourth, what issues were raised from feedback by the profession? Fifth, what lies ahead in standard setting in the area of fraud detection?
What was the problem with existing guidance?
Under U.S. auditing standards, the auditor has had a defined responsibility to detect material misstatements due to fraud. However, anecdotal evidence indicates that some auditors may not understand the present responsibility. Also, auditors have been subjected to criticism for not meeting public expectations in the area of fraud detection. Further, current standards provide little guidance on how to meet the present responsibility. Thus, the AICPA Auditing standards Board Task Force began work on a possible new standard a couple of years ago. The Task Force was made up of an outstanding group of individuals, who brought together different views from different backgrounds and experiences, but all with an important public perspective. The final standard was approved by the Auditing Standards Board in November 1996, and will become effective for calendar year end 1997 audits.
What was the Task Force's strategy to address the problem?
Our strategy to improve auditing standards regarding fraud detection was to clarify, but not to increase, the auditor's responsibility in this area. In addition to clarification, we hoped to provide added ground rules and guidance to assist the auditor in meeting the responsibility for fraud detection. In so doing, improved detection of frauds may result, which will improve the public's perception of the profession's activities in this area and the value of audit services in the marketplace. Thus, the expectations gap should be reduced. The accompanying figure below summarizes our strategy and the intended impact of our initiatives.
What is the content of the new SAS on fraud?
Currently, the auditor's responsibility for fraud is contained in AU Section 316.05: "The Auditor should assess the risk that errors and irregularities may cause the financial statements to contain a material misstatement. Based on that assessment, the auditor should design the audit to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements."
The new description clarifies the auditor's responsibility is as follows: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether cause by errors or fraud, that are not material to the financial statements are detected."
While the two descriptions of our audit responsibilities are broadly consistent, the new standard accomplishes clarification of responsibilities in several areas. First, it uses the word "fraud." Second, it tracks the language the auditor sees to represent the responsibilities in our standard auditor's report. Finally, it appears in a stand-alone Statement of Auditing Standard (SAS No. 82) that is devoted solely to the auditor's consideration of misstatements due to fraud.
Consistent with our strategy to provide added ground rules and guidance, the SAS sets forth performance standards; that is, what it takes to effectively meet the responsibility outlines above. Importantly, the new standard requires that a specific assessment of the risk of fraud be made. This assessment requires an inquiry of client management, to obtain their assessment of the likelihood of fraud in the organization. The new standard provides guidance on how to assess fraud risk, including a discussion of specific risk factors that may affect the likelihood of fraud in a particular client. The specific risk factors noted in the standard are examples of the kinds of conditions that may be associated with the occurrence of fraud, and are not intended to be an exhaustive list. A reassessment of risk of fraud at the end of the audit is also required, in light of all evidence gathered from tests performed. The standard emphasizes the cumulative and ongoing nature of fraud risk assessment.
The standard emphasizes that the auditor must respond appropriately to the fraud risk assessment. Overall considerations include the use of professional skepticism, the assignment of personnel, consideration of accounting principles and controls in place (e.g., "aggressive" financial reporting), and the impact of the assessment on the audit plan, including nature, timing and extent of audit procedures. Particular examples are included in the standard, encompassing both fraudulent financial reporting ("cooking the books") and misappropriation (theft of assets).
An evaluation of audit test results and effective documentation of the results of the auditor's efforts are important parts of the standard. When information is found that may be indicative of fraud, it should be pursued even if it seems minor in isolation. One indicator of fraud may be "the tip of the iceberg" that subsequent investigation will uncover. The standard also requires specific workpaper documentation. Evidence of the performance of the fraud risk assessment is needed, as is identification of specific risk factors found and the auditor's response to those factors. Documentation requirements in the new fraud standard are more explicit than are normally contained in SAS. Our motive was to be explicit in setting out documentation requirements, in order to add further assurance that the standard would drive change in audit practice.
Fourth, regarding reporting and communication, the standard reiterates guidance already contained in other auditing standards. Communication must be made to senior management and the board of directors regarding the existence of fraud if found. Also, significant control issues related to risk factors (i.e., reportable conditions) should be communicated.
What issues were raised during public exposure of the proposed standard?
Letters received by the Task Force during the public comment period were generally very supportive. However, several issues were raised that the Task Force considered important. One was that inclusion in the standard of specific risk factors might result in a checklist mentality, in that auditors might consider it sufficient if they documented attention to the mentioned factors. The Task Force debated this issue at length, and decided that the need for explicit guidance outweighed this concern. While citing specific factors that the auditor may look for, the standard emphasizes the importance of professional judgment in this area.
Another issue was raised concerning the standard's applicability in smaller, owner-managed environments. We incorporated a number of changes in the fraud standard to ensure that it could be meaningfully applied in these environments; for example, recognizing the risk of income understatement because of tax motivation, in addition to the income overstatement risk of public companies because of stock price motives.
Some other respondents commented that the content of the standard was more appropriate for an Audit Guide. However, the Task Force felt that the importance of fraud to the auditing profession and the public's perception were sufficiently important to merit a SAS on the subject. Additionally, the Task Force was influenced by the views of its academic member, Steve Albrecht of Brigham Young University, who indicated that the contents of Audit Guides are rarely taught in college auditing courses. Thus, the standard will have maximum impact on future generations of auditors if it appears in the form of a SAS.
What lies ahead?
Now that the final version of the new standard on fraud has been issued, the profession faces additional challenges. Of primary importance is assuring its effective implementation. In this regard, the AICPA has been very proactive in developing a plan for "road show" presentations on the new standard, and in making available relevant training materials. Also, there is a need for an "upstream" focus on prevention and deterrence of fraud as an effective means to reduce the incidence of fraud in the economy. Finally, additional research on fraud is also needed. For instance, which of the risk factors cited in the standard are most important? Are there others that are more indicative of likelihood of fraud? While the Task Force reviewed some studies in this area, there is a need for further research on all aspects of fraud prevention and detection.
Fraud is a big challenge, and it comes with a responsibility not only for auditors, but also for company managements, boards of directors, regulators and others as well. This standard is far from the last word. We need to continue to learn and pursue further initiatives in the spirit of continuous improvement.
Return
to the Table of Contents