by Glenn Cheney
As Statement of Auditing Standards 99, Consideration of Fraud in a Financial Statement Audit, goes into effect, audit firms are realizing that its stiff new requirements can help a firm do a better job -- or doom a firm to litigation.
In either case, SAS 99 is most likely going to raise the cost of audits for nonpublic companies, including not-for-profits.
The Auditing Standards Board made an ineffectual attempt to deal with fraud in SAS 82, which went into effect in 1997. It didn’t do much more than simply require auditors to make a reasonable effort to find fraud.
The new standard pushes SAS 82 a lot farther, requiring of auditors a more strenuous effort to look for, if not actually find, misrepresentation in financial statements. Auditors are now required to presume malfeasance in management, to brainstorm the methods by which a client might commit fraud, to vary the pattern of the audit with surprise visits and procedures, and to document every anti-fraud effort that has been suggested or made.
Grace B. Ghezzi, a CPA and certified fraud examiner with Grimaldi & Associates CPAs PLLC, of Syracuse, N.Y., has been performing audits for fraud for over 12 years and, lately, has been traveling the nation to lecture on the new demands of SAS 99. She has found more curiosity than resistance.
“Clients are recognizing that we are taking on more responsibilities and that our profession is finally addressing fraud,” Ghezzi said.
After the devastating corporate financial scandals of 2001, the ASB wrote the more demanding SAS 99. It gives auditors specific guidance and procedures for looking for fraud, and, thus, to some extent defines the reasonable effort that auditors must make. It requires that the hunt for fraud continue throughout the audit process.
SAS 99 stresses the importance of revenue recognition, which is the most common type of financial statement fraud. It identifies inventory as the asset that is more materially misappropriated, and it calls for special assessment of management estimates because they are so subject to bias.
Audit firms can be held liable for neglecting to take all the appropriate steps that are specified in the statement. Gary D. Zeune, CPA, a frequent lecturer on the dangers, detection and prevention of fraud, said that SAS 99 can be friend or foe, depending on how well the audit firm has met its requirements.
“SAS 99 holds auditors to a higher standard of care,” Zeune said. “If they don’t meet the reasonable assurance requirement, the standard gives a plaintiff’s lawyers a roadmap of how to sue an accounting firm.”
On the other hand, Zeune said, the standard tells auditors how to do the job right. SAS 99 says: “Stop making it easy for the client to pull the wool over your eyes,” Zeune explained. “If you look at the procedures that SAS 99 says you should do, that’s the message between the lines. Do the procedures on a surprise basis. Don’t do the same damn thing every time. Don’t automatically trust your client because you’ve never had a problem in 27 years. Every year’s audit has to stand on its own.”
Ghezzi said that communication is of crucial importance in the search for fraud, and SAS 99 requires, for the first time, that auditors talk to each other and to management. The audit team must discuss ways in which a client may be susceptible to fraud, and they must document their discussion. They must talk with management to assess internal controls, look for ways that controls can be overridden, and then test those risks. They must also talk to personnel, including people who have nothing to do with accounting, bookkeeping or finance.
She told the story of a visit to a client whose inventory had been disappearing. She asked to speak with a variety of workers, including a maintenance man. The managers said, “You don’t need to talk to that old guy. He don’t know nothin’.” She insisted, however, and asked the man if he knew anything about the thefts. He asked her if she’d like to see his photo album.
It turned out that he had pictures of the in-house thieves in the act of their evil deed.
Why hadn’t he reported the thefts? Because management didn’t respect him. He told Ghezzi, “They think I don’t know nothin’.”
Ghezzi said that, in general, auditors know about SAS 99 and what is expected of them. Not all, however, have enough training in interviewing and identifying the warning signs of fraud. A big sale at the end of the year, for example, followed by high levels of returns early in the next year can indicate a manager who is desperately juggling figures to meet revenue expectations.
Toby J.F. Bishop, president and chief executive officer of the Association of Certified Fraud Examiners, said that SAS 99 does too little to detect fraud and barely begins to prevent it.
“I haven’t heard anyone say that this is a silver bullet that will finally allow them to detect all fraud,” Bishop said. “It is impossible for auditors to detect 100 percent of fraud at any degree of cost and practicality, so a strategy aimed at fraud detection alone is a losing strategy. Our profession needs to focus at least as much, if not more, on fraud prevention.”
Bishop said that SAS 99 gives only off-hand mention of auditing the internal controls that could prevent a lot of fraud. The standard does not provide procedures or require an opinion on the adequacy of internal controls.
While the standard may fall short of effective prevention, Ghezzi said that the communication process opens opportunities for auditors to help management and the audit committee institute internal controls and an anti-fraud policy.
Andy Holman, a partner with Ritz, Holman, Butala, Fine LLP in Milwaukee, said that his firm, which has about 140 audit clients, has been implementing SAS 99 with considerable success, albeit with some concern on the part of the clients, many of which are not-for-profit organizations that don’t have a lot of money for detailed audits.
“I find the new process to be very interesting, because we are now doing some thinking ahead of time that we used to do on-site,” Holman said.
Holman does not see his firm’s fees rising by the 15 percent to 30 percent that some fear. The increase will be minimal, perhaps as low as 5 percent, because the firm had already been practicing many of the new requirements, including assessments of the revenue stream. Holman’s firm sent letters to all clients, informing them of the new rules, especially the one regarding presumption of fraud.
“One of our concerns is that employees at an organization will think that, all of a sudden, they are under investigation for fraud because of the nature of what we will have to do,” Holman said.
The firm has received a few calls, Holman said, not about the nature of the intensified audit but about the increase in cost, and whether the organization might be priced out of the market. Many not-for-profits need audits to qualify for federal funding.
Zeune thinks that it might be a little difficult to get clients to see the value in beefed-up efforts to detect fraud.
“Clients don’t care if you do a better audit for fraud,” Zeune said. “The clients don’t see any value in the additional work when the opinion says the same thing.”
