The most highly publicized statement on auditing standards in years rolled off the presses in early February. SAS no. 82, Consideration of Fraud in a Financial Statement Audit , provides expanded operational guidance on the auditors consideration of material fraud in conducting a financial statement audit. The new SAS, which supersedes SAS no. 53, The Auditors Responsibility to Detect and Report Errors and Irregularities , is effective for audits of financial statements for periods ending on or after December 15, 1997. This article explains why the American Institute of CPAs issued the new standard and how it will change what auditors do. After substantial deliberation, the ASB issued an exposure draft of a proposed SAS, Consideration of Fraud in a Financial Statement Audit , in May 1996. Although some mistakenly viewed the ED as a response to the Private Securities Litigation Reform Act of 1995, the boards consideration of fraud had started long before that legislation was signed in December 1995. After considering the issues raised in comment letters and revising the proposed SAS, in November 1996 the ASB voted to issue the final standard. Is the auditor responsible for detecting any kind of fraud that may have occurred? Absolutely not. The auditors responsibility relates to the detection of material misstatements caused by fraud and is not directed to the detection of fraudulent activity per se. Thus, the auditor of financial statements must obtain reasonable assurance that the statements are free of material misstatements, whether caused by error or fraud.
Some practitioners questioned the auditors responsibility to detect certain significant defalcations, such as at a retailing company where thefts are reflected in cost of goods sold after inventories are adjusted to actual quantities on hand. While the answer depends on the actual facts and circumstances involved, many believe the auditor should have a feel for when inventory shrinkage is not in line with other entities in the industry. Although some argue the amount attributed to a defalcation should be shown on a line labeled "theft expense," there is no such requirement under GAAP.
SAS no. 82 requires the auditor to specifically assess the risk of material misstatement of the financial statements due to fraud in every audit. The auditor is not expected to assess the risk of fraud as high, medium or low, as might be the case in assessing control risk. Rather, SAS no. 82 asks the auditor to consider risk factors relating to fraudulent financial reporting and misappropriation of assets in each of the categories shown in paragraphs 16 and 18 of the statement. The auditor then needs to consider that risk assessment in designing the audit procedures he or she will perform. In the context of this statement, risk assessment is a process rather than a rating or a score. Does an auditor have to use the risk factors identified in the SAS? The specific risk factors can be customized as long as the auditor considers factors in each of the categories itemized in paragraphs 16 and 18. For instance, the auditor may wish to consider risk factors relevant only to a specific industry, such as banking. Under other circumstances, the auditor may wish to choose only those risk factors applicable to the small business under audit. Alternatively, an auditor may believe there are additional risk factors—not identified in the SAS—that require serious consideration. Auditors should be aware, however, that the risk factors in the SAS are discriminating and have been found to be present frequently in actual instances of fraud. What procedures should the auditor perform to ascertain that risk factors are present? Typically auditors will identify the presence of risk factors in planning the audit, in their consideration of internal control and inherent risk, from their past knowledge of the client (for ongoing clients) and in making certain inquiries of management required by SAS no. 82. Those inquiries include asking management about the risk of fraud in the entity and whether any frauds have been perpetrated on or within the entity. If the client has a program to prevent, deter or detect fraud, the auditor should ask whether it has identified any fraud risk factors. Ongoing risk assessment. Auditors should be aware of the risk factors throughout an audit, not just at the planning stage. The new SAS provides additional items, called "other conditions," that auditors need to consider in making the assessment. Examples include missing documents, unusual discrepancies between the entitys records and confirmation replies and unusual delays by the entity in providing requested information. When additional risk factors or other conditions come to their attention, auditors need to consider the impact, if any, on the risk assessment. What should the auditor do when he or she finds a misstatement due to fraud? Guidance in SASs nos. 82 and 53 on the auditors response to a detected fraud is very similar. If the misstatement resulting from fraud is not material to the financial statements, the auditor should refer the matter to an appropriate level of management at least one level above those involved and be sure the audit implications have been adequately considered. For fraud resulting in a material effect on the financial statements, or if the auditor is unable to determine the size of the misstatement, the auditor should take the actions identified above. In addition, the auditor should attempt to determine whether material fraud exists and, if so, its effect and, when appropriate, suggest that the client consult with legal counsel. Under certain circumstances, the auditor may have a responsibility to communicate outside the entity. For example, in audits of SEC registrants, the Securities and Exchange Commission requires auditors to report certain illegal acts pursuant to the Private Securities Litigation Reform Act of 1995 (codified in section 10A(b)1 of the Securities Exchange Act of 1934). When the auditor identifies fraud risk factors with control implications, he or she must consider whether they represent reportable conditions that should be reported to management and the audit committee.
|