The auditor can no longer assume that no fraud exists unless it smacks them between the eyes.Statement on Auditing Standards 99, issued in 2002, requires auditors to exercise professional skepticism about the possibility of a material misstatement in the financial representations of management due to fraud. Now that SAS 99 is four years old, it is time to investigate this standard that shifted auditors from no fraud detection responsibility to the higher degree of professional care.
Based on current research, it appears that many firms are still struggling with how to properly implement the far-reaching recommendations and requirements found in SAS 99. Therefore, this article presents how some CPA firms are implementing SAS 99, specifically "the application of professional skepticism in gathering and evaluating audit evidence."
There are many ways of exercising this professional skepticism, which are detailed in SAS 99. They include:
* Planning the engagement with fraud in mind;
* Understanding the fraud triangle of incentive or pressure to commit fraud, circumstances existing that can allow fraudulent behavior, and the ability to rationalize committing fraud;
* Inquiries of management;
* Communication with the audit committee; and,
* Analytical procedures during the audit with the objective of identifying fraud.
A key focus of this article is how firms are effectively using technology in performing analytical procedures to detect fraud. This is one area where technology can help, and almost be a requirement. Gone are the days of electronic data-processing auditing and the application to only the largest companies. Data-mining techniques via data analysis software are now the mandated norm in most audits. Auditors are exposing themselves to liability if fraud occurred in a client where they didn't apply DAS.
Jeff Brown, director of quality control for Moss Adams, said that the Seattle-based firm has a big push to get data electronically, where it's much easier to test applicable management assertions effectively and efficiently.
So, what is DAS?
DAS is an application that can quickly retrieve data from one or more applications and perform analytical procedures on this data. Examples of DAS-specific applications include Idea from CaseWare, ACL, and Monarch from DataWatch.
Power users may already have a DAS system in their office. This includes Microsoft Excel and Microsoft Access. However, there are limitations to applications not specifically written for data extraction and analysis, including data limitation, ease of access to outside data repositories, and speed in performance when dealing with large sets of data. Therefore, most firms are properly choosing DAS-specific applications.
What is your first step?
Performing analytical procedures on the data is required by SAS 99. If you are auditing and do not include such analyses, you are omitting a required step. For each engagement, it is up to the audit partner to set the tone and require the use of DAS. This means selecting your application, selecting super-users of this application in your firm, and mandating its use.
Once this occurs, it is important to have your computer-assisted auditing team attend vendor-supplied training. After training, it is essential to put them to work immediately on an engagement where they can apply their new skills. Without the opportunity to use their new skills, the key elements of how and why will be lost and unable to be used properly.
Audit evaluation
Many firms are addressing the requirement for analytical procedures and the application of exercising professional skepticism by using advanced computer techniques to gather and evaluate audit evidence. This is essential, especially within the framework of fraud detection as demanded by SAS 99.
SAS 99 provides direction in the areas most vulnerable to fraud, and recommends that auditors begin in these areas:
* Revenue recognition;
* Inventory quantities;
* Management estimates;
* Misappropriation of assets; and,
* Management override of controls.
Further, SAS 99 states, "Computer-assisted audit techniques may be useful in identifying unusual or unexpected revenue relationships or transactions."
Steve Schenbeck, a principal at Ehrhardt, Keefe, Steiner & Hottman PC, in Denver, said that the firm views the electronic audit function as a separate group within the firm. This is the group responsible for acquiring a client's data and bridging it into DAS.
The firm recently underwent an inspection by the Public Company Accounting Oversight Board. Schenbeck noted that the PCAOB review team quickly reviewed the DAS audits, but tended to spend more time on audits where DAS techniques were not used.
EKSH examines management overrides, which, according to Schenbeck, apply to virtually every client. The firm also downloads all journal entries, cash disbursements and revenue data into its DAS application. With the cash disbursements, they organize the list by payee and review the collected information with the chief financial officer/controller. In one case they found a vendor/employee kickback scheme. It was immaterial to the audit, but certainly won praise for the audit team from the client.
With manufacturing and distribution clients (which are approximately one third of their audit base), they dissect the inventory data looking at age, time/date of sales, and fluctuations at the end or beginning of a period.
Perhaps the biggest challenge is getting the data from clients. Betsy Conti of EKSH noted, "Our clients need to provide the information to us. We don't want to log into their system and get the data from a risk control aspect."
Jay Smith of Saginaw Assurance, The Rehmann Group, in Saginaw, Mich., has successfully culled client data by explaining that the new auditing standards require the client to provide their data.
One of Smith's tests is to review the day of the week that a transaction occurs. He had a bank client that made all of its entries on Monday and Friday. After listing the entries by entry person and day of the week, the analysis showed a large number of transactions occurring on Sundays. This revelation by itself might not be fraudulent, and in this case there was no fraud. But it did raise the interest of the auditor for further investigation, which revealed that the entries were made by an accountant who had been sick and came to the bank on Sunday to catch up on work. The bank did recognize a weakness in its internal control in allowing this activity, and now has a policy that employees are not allowed inside the bank after closing hours.
For Saginaw Assurance, computer-assisted audit techniques come in handy when there is any amount of data to review.
One test that Smith likes to perform is the number of entries by entry person. Sometimes he'll find many entries from just a group of people, but one person might only have a handful of entries.
Transactions and account balances that show material amounts also come under scrutiny. Saginaw also takes all of the general ledger transactions, and if manual entries in an account total less than 2 percent of the total and the manual entries are six or less, they examine each one.
Scott Levy, partner-in-charge of the assurance practice for Grant Thornton, says that their normal audit procedure requires a complete download of GL transactions to ensure the completeness of the audit transactions provided by the client. Once this file is obtained, they sort entries by date, dollar amounts and category. With this structured data list, they search for unusual activity.
Grant Thornton accesses subsidiary ledger activity to search for unusual items. Among its techniques are:
* Assessing inventory detail where items have zero quantities but show dollar balances;
* Comparing current prices to prior-year prices;
* Reviewing the age of inventory; and,
* Performing an analysis of general inventory trends.
Other tests include examining transactions from the fixed asset ledger, looking at the amount, the vendor name, the type of work or equipment that is capitalized or expensed, and the general ledger code.
Wayne Harding, CPA, CITP, is a noted consultant and has spent the last 17 years developing and marketing technology to professional accountants.
