Key Components of SAS 99
Describes Fraud and its characteristics.
SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements. There are twoRequires 'brainstorming' sessions to discuss how and where the entity's financial statements might be susceptible to material misstatement due to fraud.
This requirement is a new concept in audit standards and it has two primary objectives. The first objective is so the engagement team will have an opportunity for the seasoned team members to share their experiences with the client and how a fraud might be perpetrated and concealed. The second objective is to set the proper "Requires the auditor to gather information necessary to identify risks of material misstatement due to fraud by the following
*Making inquiries of management and others within the entity *Considering the results of analytical procedures performed in planning the audit. *Considering fraud risk factors. *Considering certain other information SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to 'educate' management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.Requires the auditor to use the information gathered to identify risks that may result in a material misstatement.
This section provides guidance and support on how to identify and assess risks. It challenges auditors to change the way they think about assessing fraud risks. Auditors should identify risks and synthesize how those risks could lead to a material misstatement. This section specifically requires that improper revenue recognition and management override of controls be considered.Requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement.
SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks.Requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment.
The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment.Provides guidance regarding the auditor's communications about fraud to management, the audit committee, and others.
The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant.Describes documentation requirements.
SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor's response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additionalCriticisms of SAS 99
The primary criticism of the standard is that many procedures are suggested rather than required. For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count. In actual practice auditors often tell clients which inventory locations they are going to 'observe.' Telling clients which locations are going to be audited makes it easier to commit inventory fraud. A similar criticism is that SAS 99 doesn't close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.Related Regulations
* Gramm-Leach-Bliley Act * Sarbanes-Oxley Act *See also
External links