The ASB has decided it can no longer dance around fraud and the auditor's responsibility to detect it. Proposed new standards say the "' word loudly and clearly
The auditor's responsibility to plan an audit to uncover fraud has changed over the years. Those who entered the profession more than 20 years ago remember (and, apparently some have refused to forget) the guidance given by the committee on auditing procedures, which said "the issuance of an opinion respecting financial statements is not designed and cannot be relied upon to dis close defalcations and other similar irregularities, although their discovery frequently results." To drive the point home, many engagement letters contained that language. Those were the "good old days" when the auditor set his or her sights on catching unintentional errors only.
But the courts and the rest of the world didn't agree with this approach. The auditor's report made no mention about financial statements being free of only material unintentional errors. The world held the auditor to a higher standard. After the Equity Funding debacle, the SEC summoned leaders of the public accounting profession to Washington and demanded to know what they planned to do to ward off similar catastrophes in the future. Standard setters at the AICPA responded with SAS No. 16, The Independent Auditor's Responsibility for the Detection of Errors or Irregularities, which changed the standards to require the auditor to "plan the audit to search for errors or irregularities that would have a material effect on financial statements."
But problems continued to occur. Material fraud was being committed that misstated financial statements, and auditors in a number of well-publicized cases failed to detect frauds that audits in accordance with the standards should seemingly have detected.
The Auditing Standards Board (ASB) went back to the drawing board to see if standards needed to be changed to heighten the awareness and effectiveness of auditors in searching and detecting fraud. The result was SAS No. 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities. SAS No. 53 requires auditors to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. The statement was one of a series of nine statements that, as a group, became known as the expectation-gap standards. The statement indicated that responsibility to detect material misstatements existed whether the misstatement was a result of errors or irregularities. But the "F" word, fraud, was still studiously avoided except for a brief mention that management fraud was one form of irregularity. It was the intention of the standard setters, however, that auditors understand and perform audits so as to provide reasonable assurance that financial statements were free of material misstatement regardless of the cause, whether that be inadvertent error, employee dishonesty and concealment, or management fraud.
But in the years following the issuance of SAS No. 53, incidences of material misstatements in financial statements, principally because of management fraud, continued to be made public. The saw ings-and-loan crisis, with stories of mismanagement and fraud resounding throughout the land, brought the whole issue of auditor performance once again to the front pages.
The AICPA held a conference in 1992 to review the effectiveness of all the expectation-gap standards. Had they achieved the objective of better communication to users and improved the effectiveness of auditors, especially in the detection of errors and irregularities? One of the papers presented at the conference raised the issue of the effectiveness of SAS 53.
In 1993, the Public Oversight Board of the AICPA-feeling the pressure and need to improve auditor performance-issued a publication, In the Public Interest, that gave more than 20 recommendations to various players in the financial reporting process to restore public confidence. While concluding that the guidance in SAS No. 53 was OK, the POB expressed concern that some practitioners were not living up to the standards. There was a performance gap. The POB recommended increased efforts by CPA firms to ensure the implementation of SAS No. 53. Soon thereafter the AICPA issued a response to the POB recommendations in the form of a white paper that restated the auditor's responsibility to detect material misstatement, including management fraud.
According to AICPA vice president Dan Guy, who heads the standards setting activities at the AICPA, shortly after the issuance of the POB report and the AICPA white paper, the AICPA began its own campaign to increase the knowledge of auditors about their responsibilities for fraud with material in The CPA Letter and coverage in the year-end Audit Risk Alerts including suggested wording for engagement letters. ltimately, because of all the dis cussions about fraud, the issue of the auditor's performance in detecting material fraud was put back on the ASB's agenda. The work was assigned to a fraud task force under the leadership of first, Randy Noonan, current ASB chair, and later Arthur Andersen partner David Landsittel. After several years of grappling with the issue, its work has resulted in the development of proposed changes to a number of auditing standards that were released in the form of an exposure draft in May 1996.
The proposed SAS is to be called Consideration of Fraud in a Financial Statement Audit, which will replace SAS 53, and there will be proposed amendments to sections of SAS No. 1, Due Professional Care in the Performance of Work and Responsibilities and Functions of the Independent Auditor, and SAS No. 47, Audit Risk and Materiality in Conduct ing an Audit
The CPA Journal spoke with David Landsittel, chair of the fraud task force Robert Fleming, a partner of Urbach Kahn & Werlin, a member of the task force and recent member of the ASB, and vice-president Dan Guy, to learn about the objectives of the proposed changes and how they are likely to affect practitioners, preparers of financial information, and users. The Journal also spoke with George Diacont, chief accountant of the enforcement division of the SEC, to learn about the SEC's perception of the pervasiveness of management fraud, auditor performance in detecting fraud, and whether the revised standard should improve auditor performance, Diacont's views are presented as a sidebar.
Do Auditors Need a
New Approach? When asked whether, as a partner in a regional firm, he saw deficiencies in audits under existing standards, Bob Fleming responded that it is clear that many auditors do not understand their responsibility for misstatement arising from an act of fraud. He sees this misunderstanding at his own firm's staff training and in peer reviews. But he does not think finding fraud is viewed by the local practitioner as a major practice issue.
As the task force began to focus on the issues, it concluded, however, that a very important aspect of fraud for the local and smaller practitioner is employee defalcations or misappropriations. Many owners of smaller businesses look upon their auditors as the watchdog against employee dishonesty. It is for that reason, according to Fleming, that the task force broadened the scope of the project to include misappropriation of assets.
Chair of the task force, David Landsittel, believes the ASB has a responsibility to continually try to strengthen and improve the audit process to address public expectations. His two areas of concern are fraud and early warning of financial distress-going concern issues. Clearly in Landsittel's mind there are many instances in which material financial statement fraud has occurred and gone undetected. In SAS No. 53, the profession clarified the responsibility to detect fraud. In this initiative, says Landsittel, "We don't want to increase responsibility but rather provide performance guidance to better fulfill the presently existing responsibility. We are trying to articulate in a way that the auditor understands how he or she should address that responsibility." Landsittel explained why it is not possible to increase that responsibility above what presently exists. He noted that the framework of fraud detection must consider the concept of materiality. The auditor is only responsible for detecting material mis statement due to fraud. And a proper audit approach must consider the longestablished concept of "reasonable assurance." Because of those very pervasive underlying principles, Landsittel believes the responsibility for detect ing fraud will not be increased by the proposal.
According to Dan Guy, as the task force began to focus on the issue it concluded that what was necessary was not greater responsibility, but rather a change in attitude that would drive performance so there would be no question as to what the auditor should be doing.
Guy went on to say that what we hear from investigations of alleged audit failures is a complacency or a willingness to accept what management represents. He says there is a need for healthy professional skepticism to kick in.
The Approach Taken
In the early discussions, according to Fleming, the task force concluded that if the task force did nothing but substitute the word fraud for irregularity, awareness and attitudes would no doubt change and the task force's objectives would be largely accomplished. As it spent more time with the subject, the task force decided to keep, but strengthen, the present risk-based approach to helping auditors discharge their responsibilities. It also decided that the sections of SAS No. 1 dealing with the auditors' responsibilities and due professional care should be amended to establish at the highest level of standards the auditors' responsibility for finding fraud and to exercise an appropriate level of professional skepticism.
The exposure draft, after defining what the two kinds of fraud are, directs the auditor to assess the extent to which there is a risk of material misstatement due to fraud. "It is an affirmative responsibility to assess this risk in every audit engagement," says Fleming. These risk factors are commonly called "red flags," but the proposed SAS avoids that more charged term. In making the required assessment, the auditor is directed to consider fraud risk factors related to defined categories. For example, the auditor would, under the category of management characteristics, assess the risk factor of management's attitude toward internal control and financial reporting. The auditor, in assessing the risk, might look toward the existence of a code of conduct or the timeliness or seriousness with which management deals with control deficiencies or findings of regulators.
Under the category of industry conditions, the risk factors suggested for consideration relate to the level of competition and market saturation with perhaps declining profit margins. Under the category of operating characteristics, the auditor might consider factors such as unrealistically aggressive sales or profit-based incentive programs.
The proposed statement also presents risk factors in three categories related to misappropriations of assets.
The statement proposes that the auditor be mindful of the various risks of fraud factors throughout the conduct of the audit, not just at the planning stages. The auditor is expected to continually evaluate audit findings as they might affect the assessment that fraud might be present.
Audit procedures, it is suggested, could be modified by changing the experience level of those performing the work or by changing the nature, timing, or extent of the procedures themselves. For example, if there were fraud risk factors in the area of inventory and sales cut-off, the auditor might decide to observe physical inventories at year-end, using very experienced staff, without informing management as to which specific locations were to be visited.
Guy indicated the statement will require documentation of the performance of the assessment of the risk of fraud that could materially misstate the financial statements and how the assessment affected the nature, timing, and extent of audit procedures. Any changes in that assessment as the audit is conducted will also require documentation. e was quick to point out that a decision to assess control risk at the maximum and to use a substantive audit approach would not automatically lead the auditor to do the work needed to satisfy the standard. The reason for this is that the risk of fraud is both an element of control risk (the risk the client's internal control system might not prevent or detect the fraud) and inherent risk (the risk fraud exists independent of any control system). The point is that if the consideration of risk factors identifies concerns, the primarily substantive approach to the audit typically done may have to be revised to adjust for the concems-either of management fraud or misappropriations of assets. "The one-sizefits-all substantive audit is not sufficient," says Dan Guy.
Fleming noted that giving proper consideration to the risk factors will take judgment. There is no formula that says if this one risk factor is present, you perform this step. And the factors will have to be considered individually and in combination. An auditor may find the presence to some degree of several factors that individually are not a concern, but that taken together lead to the conclusion the risk of fraud is present. Fleming stated that if proper ly considered, risk factors cannot be glossed over. Expansion of audit work may be necessary.
Landsittel clarified that the auditor does not seek to conclude whether the risk of fraud is low, medium, or high. What he or she does is conclude in a particular category of risk that a risk exists. The auditor responds by designing auditing procedures to directly deal with the risk of fraud as identified.
The proposed statement also advises auditors that the risk of fraud might be so high as to lead the auditor to resign from the engagement.
Have the Lawyers Looked at It? SAS No. 16 started out to be a strong statement on fraud detection. So did SAS No. 53. What prevented both from being as strong as originally intended was the reaction to the proposals by legal advisors to the profession. They advised that the stronger wording as originally drafted would increase the risk of litigation against accounting firms. Fleming and Guy were asked to comment whether there was a risk this could happen with this proposal or whether the lawyers' input had already been reflected in the standard. Guy indicated the lawyers have been kept informed about the way the standard was being drafted from "day one." In fact, Richard Miller, AICPA legal counsel, was a member of the task force. The attorneys have raised a number of questions, in particular, to an earlier approach to the standard that would have called for the auditor to conclude whether there was a heightened risk of fraud being present. That concept is no longer in the proposal. Guy went on to express his view that, because of their ongoing awareness, there should not be any new objections from the legal side once the proposal is issued. Also, the key people on the project have a strong sense of the public interest and are very interested in a standard that will have teeth and be effective.
In Landsittel's view, this is a performance standard, not a change in responsibility standard. As a result, it should reduce the liability risk to those who properly apply it. The new SAS will give the auditor more ammunition to deal with existing responsibilities. Landsittel feels if a standard will improve performance, the benefits exceed the risk that it could be used against the profession.
The Effect on Audit Time
It is clear the statement as proposed will lead to increased audit time. Companies for which fraud is not present will not want to pay for the increased time. Auditors whose fees are under pressure from competition and client fis cal restraints will not like this expansion of work, especially if fraud has never been a problem.
"The effect of the proposals on audit time will vary," says Dan Guy. "Some organizations have very strong internal control, management that is concerned about fraud and its effects on the entity, and policies and procedures that are designed to prevent and detect fraud." For those organizations Guy thinks the impact on fees will not be significant. For organizations with fraud risks that are not effectively addressed by management, the costs will be greater. "But the bottom line," Guy continues, "will be that the public interest benefits-value added to the audit-will outweigh the additional costs."
Landsittel similarly feels that if management carefully considers the risk of fraud and establishes sound deterrent and detection controls addressing that risk, the ongoing increase in required audit effort should not be significant. Fleming, in agreeing there is the potential for increased time, pointed out that the task force has attempted to make the risk factor analysis as discriminating as possible so that consideration of the factors will lead only to more or different work when justified. The idea is that, in entities where the risk of fraud is low, there will be no substantial increase in audit effort. It will be necessary, however, to document the consideration of the risk factors. Conceivably, an analysis of the factors might even lead to a better understanding of the client and the risk of error and therefore to less work. Fleming says the ASB and the task force will be interested in hearing from practitioners during the comment period as to how discriminating the factors seem to them. Fleming said, "If 90% of a firm's audit clients come up with concerns about the risk of material misstatement due to fraud, either it has the wrong practice or the proposed standard is wrong." Dan Guy added that when risk factors are employed, you would like to know if they are, in fact, predictive or at least a ranking of which are more predictive than others. "We don't have that now." said Guy. "That is well beyond any research that we have today."
Possible Field Testing
The question was raised as to the possibility of field testing the risk factors to see the extent to which they are in fact discriminating. Guy remarked that this is something that is usually not done, at least on a formal basis. Landsittel thought it would be a major benefit if firms did this on an abbreviated basis during the exposure period. In any case, it was concluded that it would be completely appropriate to revisit the standard after it has been in effect for a period of time. According to Guy, we can't wait for a field test to have a new fraud standard. The idea of revisiting the standard at a later date fits into Landsittel's notion of the whole standard setting process.
Fleming explained the process the task force used in developing risk factors. "An initial risk factor we listed was aggressive management. Well, some commented that describes all my clients. We must be more discriminating. Finally we settled on `an excessive interest in maintaining or increasing the entity's stock price."'
Big Firm/Small Firm
Some small firms may view the proposed standard as a potential penalty to them for the problems of big firms. In their roles as bookkeeper and financial statement preparer, they may feel there is no way management fraud could take place that would materially misstate the financial statements. Fleming felt that that point of view would be risky. He would advise CPA firms to be careful about assuming they are immune to management fraud in their practices. Landsittel feels that there is no split on this issue by size of firm. "We feel all fiis have struggled with the actulal extent of their responsibility, which we are attempting to clarify."Standards overload is a concern of all firms. But, he pointed out, increasing the effectiveness of detecting fraud at clients, large and small, cannot be viewed as adding to standards overload.
The proposed standard has a documentation requirement. It will join the ranks of the selected few standards that require specific documentation. The task force, according to Landsittel, wanted to make the documentation requirement explicit to add to the understandability of the requirements embodied in the standard and the likelihood the auditor would substantively respond to the standard.
An Effective Pronouncement
It is well known that one of the common deficiencies in audits where management fraud has been revealed is the hesitancy of audit partners who become aware of conditions that might indicate a risk of fraud to drill deeper-to realty start auditing aggressively. This is contrary to "goodclient service" and conflicts with selling additional services. Guy agreed that it will take a change in attitude. "We have got to have it."
A User Friendly Pronouncement If past history is any guide, practitioners are sometimes reluctant, hesitant, or slow in implementing changes. There is some question as to the extent auditors have fully understood the notion of a risk-based approach to auditing.
According to Guy, to speed up implementation and consistent with new AICPA president Barry Melancon's wishes, the final statement will be rolled out using a user-friendly approach. The AICPA is not going to launch the statement from its silos and then hope it will catch on with practitioners. Guy tells of the formation of a fraud team at the AICPA to produce a wrap-around bundle of materials to assist in implementationvideos,, self-study material, CPE instruction courses, press briefings, road shows, checklists including engagement letter language, and questions and answers. He also says the document is being written in a way to make it easier to apply. "We plan to do a better job than we have ever done before," said Guy. Landsittel pointed out the very premise of the new fraud standard should make it more user friendly. It is a one-note statement, talking about fraud, and not mixing fraud with unintentional errors that might have been made. Plus the definition of fraud is very straightforward.
Auditing Standards Are Now a Matter of Law
Title III of the recently passed Securities Liability Reform Legislation now explicitly gives the authority to the SEC to establish selected auditing standards and requires auditors of public companies to follow AICPA audit requirements in the areas of related parties, going concern evaluation, andillegalacts. Fleming and Guy were asked to consider whether the legislation would change the consequences of faulty or deficient auditing in these areas for public companies, since such deficiencies would now become a matter of law and not simply substandard performance under GAAS. It was generally concluded that the legislation, in and of itself, would not change the playing field for auditor performance. It was agreed, however, that when the legislation talks about illegal acts, it is clearly focusing on the auditor's responsibility to blow the whistle on fraudulent behavior and practices. Practitioners will want to focus on this, and the proposed guidance in the fraud SAS will have to be given a prominent place in the audits of public companies.
Landsittel felt it disconcerting that it was necessary to legislate auditing standards. However, the end result-the reform legislation-is very consistent with the task force's thoughts of what is important in the audit of public companies. Comments on the Exposure Draft David landsittel, as chair of the task force, will be looking forward to thoughtful cornments on the proposal. He and his task force will not be looking for a "yea or nay" vote. They will be looking for explicit comments on specific aspects of the proposal.
Douglas Carm**aei Phl, PhD, CPA, and James L Craig, Jr., CPA, are editors of The CPA Journal…