HOME

TheInfoList



OR:

{{Short description, Statutory Auditor Coderal Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the
Auditing Standards Board In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and g ...
of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002. Please see PCAOB AS 2401. SAS 99, which supersedes SAS 82, was issued partly in response to contemporary
accounting scandals Accounting, also known as accountancy, is the measurement, processing, and communication of financial and non financial information about economic entities such as businesses and corporations. Accounting, which has been called the "languag ...
at Enron, WorldCom, Adelphia, and Tyco. The standard incorporates recommendations from various contributors including th
International Auditing & Assurance Standards Board
SAS 99 became effective for audits of financial statements for periods beginning on or after December 15, 2002.


Key Components of SAS 99


Describes Fraud and its characteristics.

SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements. There are two
types of fraud In law, fraud is an intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud can violate civil law or criminal law, or it may cause no loss of money, property, or legal right but still be an element o ...
considered: misstatements arising from fraudulent financial reporting (e.g. falsification of accounting records) and misstatements arising from misappropriation of assets (e.g. theft of assets or fraudulent expenditures). The standard describes the fraud triangle. Generally, the three 'fraud triangle' conditions are present when fraud occurs. First, there is an incentive or pressure that provides a reason to commit fraud. Second, there is an opportunity for fraud to be perpetrated (e.g. absence of controls, ineffective controls, or the ability of management to override controls.) Third, the individuals committing the fraud possess an attitude that enables them to rationalize the fraud.


Requires 'brainstorming' sessions to discuss how and where the entity's financial statements might be susceptible to material misstatement due to fraud.

This requirement is a new concept in audit standards and it has two primary objectives. The first objective is so the engagement team will have an opportunity for the seasoned team members to share their experiences with the client and how a fraud might be perpetrated and concealed. The second objective is to set the proper "
tone at the top "Tone at the top" is a term that originated in the field of accounting and is used to describe an organization's general ethical climate, as established by its board of directors, audit committee, and senior management. Having good tone at the top ...
" for conducting the engagement. The brainstorming session is to be conducted in a manner that models the proper degree of professional skepticism and sets the culture for the entire audit.


Requires the auditor to gather information necessary to identify risks of material misstatement due to fraud by the following

*Making inquiries of management and others within the entity *Considering the results of analytical procedures performed in planning the audit. *Considering fraud risk factors. *Considering certain other information SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to 'educate' management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.


Requires the auditor to use the information gathered to identify risks that may result in a material misstatement.

This section provides guidance and support on how to identify and assess risks. It challenges auditors to change the way they think about assessing fraud risks. Auditors should identify risks and synthesize how those risks could lead to a material misstatement. This section specifically requires that improper revenue recognition and management override of controls be considered.


Requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement.

SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks.


Requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment.

The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment.


Provides guidance regarding the auditor's communications about fraud to management, the audit committee, and others.

The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant.


Describes documentation requirements.

SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor's response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional
audit procedures An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
or other responses, and (6) nature of communications about fraud made to management and others.


Criticisms of SAS 99

The primary criticism of the standard is that many procedures are suggested rather than required. For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count. In actual practice auditors often tell clients which inventory locations they are going to 'observe.' Telling clients which locations are going to be audited makes it easier to commit inventory fraud. A similar criticism is that SAS 99 doesn't close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.


Related Regulations

* Gramm-Leach-Bliley Act * Sarbanes-Oxley Act *
Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...
(HIPAA) *
California Senate Bill 1386 (2002) California S.B. 1386 was a bill passed by the California legislature that amended the California law regulating the privacy of personal information: civil codes 1798.29, 1798.82 and 1798.84. This was an early example of many future U.S. and intern ...
*
FISMA The Federal Information Security Management Act of 2002 (FISMA, , ''et seq.'') is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (, ). The act recognized the importance of information security to the eco ...


See also

Information Technology Audit An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the inform ...


External links


SAS No. 99 Implementation GuideSAS 99 Friend or Foe?AU Section 316 Consideration of Fraud in a Financial Statement Audit (Full Statement)
Fraud in the United States Information technology audit Corporate crime 2002 in the United States