Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002. Please see PCAOB AS 2401.
SAS 99, which supersedes SAS 82, was issued partly in response to contemporary accounting scandals at Enron, WorldCom, Adelphia, and Tyco. The standard incorporates recommendations from various contributors including the International Auditing & Assurance Standards Board. SAS 99 became effective for audits of financial statements for periods beginning on or after December 15, 2002.
SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements. There are two types of fraud considered: misstatements arising from fraudulent financial reporting (e.g. falsification of accounting records) and misstatements arising from misappropriation of assets (e.g. theft of assets or fraudulent expenditures). The standard describes the fraud triangle. Generally, the three 'fraud triangle' conditions are present when fraud occurs. First, there is an incentive or pressure that provides a reason to commit fraud. Second, there is an opportunity for fraud to be perpetrated (e.g. absence of controls, ineffective controls, or the ability of management to override controls.) Third, the individuals committing the fraud possess an attitude that enables them to rationalize the fraud.
This requirement is a new concept in audit standards and it has two primary objectives. The first objective is so the engagement team will have an opportunity for the seasoned team members to share their experiences with the client and how a fraud might be perpetrated and concealed. The second objective is to set the proper "tone at the top" for conducting the engagement. The brainstorming session is to be conducted in a manner that models the proper degree of professional skepticism and sets the culture for the entire audit.
SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to 'educate' management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.
This section provides guidance and support on how to identify and assess risks. It challenges auditors to change the way they think about assessing fraud risks. Auditors should identify risks and synthesize how those risks could lead to a material misstatement. This section specifically requires that improper revenue recognition and management override of controls be considered.
SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks.
The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment.
The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant.
SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor's response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional audit procedures or other responses, and (6) nature of communications about fraud made to management and others.
The primary criticism of the standard is that many procedures are suggested rather than required. For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count. In actual practice auditors often tell clients which inventory locations they are going to 'observe.' Telling clients which locations are going to be audited makes it easier to commit inventory fraud.A similar criticism is that SAS 99 doesn't close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.